Create your first use case

This document explains what a use case is and outlines the requirements for publishing one to the Google Security Operations Marketplace. It also provides steps on how to create a new use case, from defining the security threat to building the playbook and ultimately publishing it.

Understand use cases

A use case is a package of items that together provide a solution, such as:

  • Automating phishing threats
  • Reducing false positives
  • Orchestrating incident investigations

You publish a use case to Google SecOps Marketplace, where it becomes available to all Google SecOps users.

A use case package consists of:

  • Test cases
  • Connectors
  • Playbooks
  • Integrations
  • Mapping and modeling rules

Publishing requirements

To make sure your use case is ready for Google SecOps Marketplace, it must meet the following requirements:

  • Simulation alerts are based on real alerts from a real product.
  • All entities are extracted when running the simulation alert in a clean environment.
  • All entities are extracted when running the real alert with the connector.
  • The playbook runs end to end without errors.

The final output is a ZIP file export that can be imported into Google SecOps Marketplace without errors.

When the use case is deployed, users configure its integrations so that the playbook runs end to end on the simulation alerts.

Create a use case

This section outlines the steps to create your first use case.

Define the use case

To define the use case, follow these steps:

  1. Describe the security threat being addressed.
  2. Specify the alert type and the detection product that generates it (for example, CrowdStrike – Falcon Overwatch via Malicious Activity).
  3. Develop an incident response, orchestration, or automation process to handle this alert.

Prepare use case alerts

  1. Create a custom alert or event based on a real-world scenario. Include a simulation alert so that you can test the playbook and use case consistently; the simulation alert is also shipped as part of the use case package.
  2. In Cases, click Add > Simulate Cases.
  3. Click Add.
  4. Fill in the fields of the simulation alert based on the alerts you prepared for the use case:

     Field | Description | Example
     Source\SIEM Name | Source of the alert (for example, a SIEM or a detection tool). If the product generates the alerts and Google SecOps pulls them, enter the product name. | Arcsight
     Rule Name | SIEM rule or detection-product alert name. If no SIEM is involved, use the alert name from the detection product. | Data Exfiltration
     Alert Product | Detection tool that generated the alert. | DLP product
     Alert Name | Alert name as generated by the product. | Data Exfiltration
     Event Name | Base event that triggered the alert. | Data Exfiltration
     Additional Alert Fields | Extra SIEM fields, or the alert name if no SIEM is present. | Severity, Impact, Sensitive Assets; with no SIEM, alert_name
     Additional Event Fields | Raw security data needed for incident response. | src_ip, dest_port, email_headers

  5. Create the simulation alert in Google SecOps from the sample alert or event you filled in.

Extract entities

  1. Select the visualization model for the alert (the entities Google SecOps should extract and the relations between them), and map the raw data fields to the selected model.
  2. Click Configuration on the event. For details, see Get started with Google Security Operations, Create entities, and Mapping and modeling.
  3. Verify that every entity you expect is created under the Case tab in Entities Highlights. To do so, click Entities Highlights > View More for each entity. An entity that is missing here will also be missing when the playbook runs, so fix the mapping before you move on.
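
The publishing requirements above demand that the same entities come out of the simulation alert and of the real alert pulled by the connector. The following is an added example, not Google SecOps code or any mapping engine the product ships: it applies a hypothetical field-to-entity mapping to two constructed alerts (one shaped like the simulation alert from the table above, one shaped like what a connector might deliver), reports which expected entity types would not be extracted, and diffs the two entity sets. The field names, entity type names (ADDRESS, USER, HOSTNAME) and the alert dictionaries are all assumptions made for the example.

```python
"""Offline pre-flight check for a use case's simulation alert (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed simulation alert, shaped after the fields in the table above.
SIMULATION_ALERT = {
    "source": "Arcsight", "rule_name": "Data Exfiltration",
    "alert_product": "DLP product", "alert_name": "Data Exfiltration",
    "events": [{
        "event_name": "Data Exfiltration",
        "src_ip": "10.0.4.17", "dest_ip": "203.0.113.9", "dest_port": "443",
        "username": "jdoe", "hostname": "WS-0417",
        "email_headers": "From: jdoe@example.com\r\nTo: drop@example.net",
    }],
}

# Constructed alert as a connector might deliver it: same scenario, but the
# product names the user field differently and omits the hostname.
CONNECTOR_ALERT = {
    "source": "Arcsight", "rule_name": "Data Exfiltration",
    "alert_product": "DLP product", "alert_name": "Data Exfiltration",
    "events": [{
        "event_name": "Data Exfiltration",
        "src_ip": "10.0.4.17", "dest_ip": "203.0.113.9", "dest_port": "443",
        "user_name": "jdoe",
    }],
}

# Hypothetical mapping rule: raw event field -> entity type (names are illustrative).
MAPPING = {"src_ip": "ADDRESS", "dest_ip": "ADDRESS",
           "username": "USER", "hostname": "HOSTNAME"}

# Entity types the playbook relies on; the use case must extract all of them.
EXPECTED_TYPES = {"ADDRESS", "USER", "HOSTNAME"}
REQUIRED_ALERT_FIELDS = ("source", "rule_name", "alert_product", "alert_name")


@dataclass(frozen=True)
class Entity:
    entity_type: str
    identifier: str


def extract_entities(alert, mapping):
    """Apply the mapping to every event and return the set of entities it yields."""
    entities = set()
    for event in alert.get("events", []):
        for field_name, entity_type in mapping.items():
            value = event.get(field_name)
            if not value:
                continue
            if entity_type == "ADDRESS":
                try:
                    ipaddress.ip_address(value)  # skip values that are not real IPs
                except ValueError:
                    continue
            # Normalise case so one host or user does not become two entities.
            entities.add(Entity(entity_type, str(value).strip().lower()))
    return entities


def check_alert(alert, mapping, expected_types):
    """Return a list of problems; an empty list means the alert passes."""
    problems = [f"missing alert field: {n}" for n in REQUIRED_ALERT_FIELDS if not alert.get(n)]
    if not alert.get("events"):
        problems.append("alert has no events")
    for i, event in enumerate(alert.get("events", [])):
        if not event.get("event_name"):
            problems.append(f"event {i} has no event_name")
    found_types = {e.entity_type for e in extract_entities(alert, mapping)}
    problems += [f"no {t} entity extracted; check the mapping"
                 for t in sorted(expected_types - found_types)]
    return problems


def compare_alerts(simulation, real, mapping):
    """Identifiers only the simulation yields, and identifiers only the real alert yields."""
    sim = extract_entities(simulation, mapping)
    live = extract_entities(real, mapping)
    return (sorted(e.identifier for e in sim - live),
            sorted(e.identifier for e in live - sim))


if __name__ == "__main__":
    print("simulation:", check_alert(SIMULATION_ALERT, MAPPING, EXPECTED_TYPES) or "OK")
    print("connector:", check_alert(CONNECTOR_ALERT, MAPPING, EXPECTED_TYPES) or "OK")
    print("only in simulation / only in real:",
          compare_alerts(SIMULATION_ALERT, CONNECTOR_ALERT, MAPPING))
```

Run against the constructed data, the simulation alert passes while the connector alert loses its USER and HOSTNAME entities, which is exactly the mismatch the "same mapping applies to the real alert" check later in this page is meant to catch: the fix is to extend the mapping (here, to `user_name`) rather than to edit the simulation alert until it matches.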

Build a playbook

To build a playbook, do the following:

  1. Define the incident response flow visually (chart or diagram) for the alert.
  2. Design the playbook in Google SecOps. To do so, download and configure the integrations you intend to use in the playbook. For details, see Use Google SecOps Marketplace and Configure integrations.

Configure actions in the playbook

Set action parameters, conditions, and branches, as follows:

  • Action Type: Select whether the action runs automatically or manually (manual actions require human approval before they run).
  • Choose Instance: Select Dynamic, so that the action uses the integration instance configured for the alert's environment rather than one tied to your own environment.
  • If Step Fails: Choose whether the playbook stops when the action fails or skips to the next action.
  • Entities: Select the entity types the action operates on (from those extracted in your simulation alert).
  • Other parameters: Enter the action-specific parameters described in the integration documentation.

Configure conditions in the playbook

To configure conditions in the playbook, follow these steps:

  1. Determine the number of branches needed. If required, click Add Branch to create additional branches.
  2. For each branch, define the conditions that trigger it. Use placeholders (square brackets) to reference values from event data, previous action results, and more.
  3. Test the flow with the simulation alert you created.
  4. Test with live data: set up a connector that pulls alerts similar to the simulation alert. For details, see Configure the connector.
  5. Test the connector with an example, such as an email connector using a phishing email alert. For details, see Test a connector.
  6. Verify that:
    • The same mapping applies to the real alert, so that Google SecOps extracts the same entities it extracted from the simulation alert.
    • The playbook runs end to end on the alert and performs the defined logic. Test with both malicious and non-malicious alerts, so that every branch is exercised at least once.

Write a guide

The use case you're creating will be used by other Google SecOps users. Attach a guide that helps them implement it; you attach the guide when you publish the use case. The guide should:

  • Explain the use case and its value to the SOC.
  • Provide recommendations for improvement.
  • Include instructions for running the use case with simulation data and with real data.
  • Add setup instructions for the connectors and integrations, including the procedure for configuring the connector.
  • Include any relevant licensing information.

Publish the use case

To publish your use case, follow these steps:

  1. Go to the Google SecOps Marketplace and click the Use Cases tab.
  2. Click List and select Create New Use Case.
  3. Enter the details and add all items you developed (test cases, playbooks, and connectors).
  4. Attach your guide in the Description field or link to a full guide.
  5. Click Save.
  6. Optional: After saving, click Export to export the package as a ZIP file (now or later), or Import it into another environment to confirm that it imports without errors.
  7. Submit the use case for approval to publish it.
