Onboard Google Security Operations SOAR platform

Before you begin

Google strongly recommends taking the training in our Chronicle learning path first.

Set up users

You need to set up a role and a permission group. If you are an MSSP, you also need to set up an environment. You then associate them with each new user that you add to the platform. If required, you can also provision users to log in using a SAML provider. For detailed instructions for each of these tasks, see the following documents:

Set up data ingestion points using connectors or webhooks

Set up connectors or webhooks to ingest alerts into the platform so that you can analyze them. You can also do this by downloading an entire Use Case. For detailed instructions for each of these tasks, see the following documents:

Map and model incoming data

You can control how incoming products, events, and entities are mapped and modeled to make sure the right information is captured. You can define this ontology configuration yourself or choose the default mapping and modeling configuration. For detailed instructions for each of these tasks, see the following documents:

Create playbooks

Google Security Operations lets you respond to threats using a sequential set of manual and automated steps called playbooks. For more information about playbooks, see the following documents:

Analyze cases and alerts

Use simulated cases and test alerts to test your configurations and playbooks before going live with them. After alerts are ingested and playbooks have finished running, you can look at the cases and alerts to see what needs to be done next, including triage or remediation steps. For detailed instructions for each of these tasks, see the following documents: