Create your first use case
Supported in: Google SecOps SOAR
This document explains what a use case is and outlines the requirements for publishing one to the Google Security Operations Marketplace. It also provides steps on how to create a new use case, from defining the security threat to building the playbook and ultimately publishing it.
Understand use cases
A use case is a package of items that together provide a solution, such as:
Automating phishing threats
Reducing false positives
Orchestrating incident investigations
You publish a use case to Google SecOps Marketplace, and it's available for all users to use.
A use case package consists of:
Test cases
Connectors
Playbooks
Integrations
Mapping and modeling rules
Publishing requirements
To make sure your use case is ready for Google SecOps Marketplace, it must meet the following requirements:
Simulation alerts are based on real alerts from a real product.
All entities are extracted when running the simulation alert in a clean environment.
All entities are extracted when running the real alert with the connector.
The playbook runs end to end without errors.
The final output is a ZIP file export that can be imported without errors into Google SecOps Marketplace.
When deployed, you can configure the integrations to make the playbook run end to end with simulation alerts.
Create a use case
This section outlines the steps to create your first use case.
Define the use case
To define the use case, follow these steps:
Describe the security threat being addressed.
Specify the alert type and the detection product that generates it (for example, CrowdStrike – Falcon Overwatch via Malicious Activity).
Develop an incident response, orchestration, or automation process to handle this alert.
Prepare use case alerts
Create a custom alert or event based on a real-world scenario. Include a simulation alert to test your playbook and use case consistently. This simulation will also be included as part of the use case package.
In Cases, click Add > Simulate Cases.
Click Add.
Fill in the fields of the simulation alert based on the alerts you prepared for the use case (each field is listed with its description and an example value):
Source\SIEM Name: Source of the alert (for example, SIEM, detection tool). If alerts are generated by the product and pulled by Google SecOps, add the product name. Example: Arcsight
Rule Name: SIEM rule or detection product alert name. If no SIEM is involved, use the name of the alert from the detection product. Example: Data Exfiltration
Alert Product: Detection tool that generated the alert. Example: DLP product
Alert Name: Alert name as generated by the product. Example: Data Exfiltration
Event Name: Base event triggering the alert. Example: Data Exfiltration
Additional Alert Fields: Extra SIEM fields, or the alert name if no SIEM is present. Example: Severity, Impact, Sensitive Assets; if no SIEM is involved, alert_name:
Additional Event Fields: Raw security data for incident response. Example: src_ip, dest_port, email_headers
Create a simulation alert in Google SecOps, based on your sample alert or event.
Extract entities
Select the visualization model for the alert (the entities Google SecOps should extract and the relations between them), and map raw data fields to the selected model.
Click Configuration on the event. For details, see Get started with Google Security Operations, Create entities, and Mapping and modeling.
Verify that all entities are created under the Case tab in Entities Highlights. To do so, click Entities Highlights > View More for each entity.
Build a playbook
To build a playbook, do the following:
Define the incident response flow visually (chart or diagram) for the alert.
Design the playbook in Google SecOps. To do so, download and configure the integrations to use in the playbook. For details, see Use Google SecOps Marketplace and Configure integrations.
Configure actions in the playbook
Set action parameters, conditions, and branches, as follows:
Action Type: Select whether this action should run automatically or manually (requires human approval).
Choose Instance: Select Dynamic.
If Step Fails: Choose whether the playbook stops if the action fails or it skips to the next action.
Entities: Select the entity types this action affects (from those extracted in your simulation alert).
Other parameters: Enter the action-specific parameters based on the integration documentation.
Configure conditions in the playbook
To configure conditions in the playbook, follow these steps:
Determine the number of branches needed. If required, click Add Branch to create additional branches.
For each branch, define the conditions that trigger it. Use placeholders (square brackets) to reference conditions from event data, previous action results, and more.
Use tools you can test in your flow.
Test with live data: Set up a connector that can pull alerts similar to the simulation alert you created. For details, see Configure the connector.
Test the connector with an example, such as an email connector using a phishing email alert. For details, see Test a connector.
Verify that:
The same mapping applies to the real alert so that Google SecOps can extract the relevant entities.
The playbook runs end to end on the alert and performs the defined logic. (Test with both malicious and non-malicious alerts).
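As an added example (not code from Google SecOps or from this page), the two checks above in Python: a constructed simulation alert shaped after the field table, a hypothetical mapping model, a check that every modeled entity is extracted from both the simulation alert and a connector alert (the "all entities are extracted" publishing requirement), and a resolver for hypothetical square-bracket placeholders of the kind used in branch conditions. The placeholder syntax, the model format and the entity type names are assumptions, not the product's own.

```python
import re

# Constructed sample alert shaped after the page's field table (not the Google SecOps export format).
SIMULATION_ALERT = {
    "Alert Product": "DLP product",
    "Alert Name": "Data Exfiltration",
    "Event Name": "Data Exfiltration",
    "Additional Alert Fields": {"Severity": "High", "Impact": "High", "Sensitive Assets": "finance-share"},
    "Additional Event Fields": {
        "src_ip": "10.20.30.40",
        "dest_port": "443",
        "email_headers": "From: alice@example.test\r\nTo: bob@example.test",
    },
}

# Hypothetical mapping model: entity type -> (raw event field, regex that isolates the value).
MODEL = {
    "ADDRESS": ("src_ip", r"^\d{1,3}(?:\.\d{1,3}){3}$"),
    "PORT": ("dest_port", r"^\d{1,5}$"),
    "EMAIL": ("email_headers", r"From:\s*(\S+@\S+)"),
}

# Hypothetical placeholder syntax: [Event.field] reads raw event data, [Alert.field] reads alert fields.
PLACEHOLDER = re.compile(r"\[(Event|Alert)\.([^\]]+)\]")

def extract_entities(alert, model):
    """Apply the mapping model to the alert's raw event fields; returns {entity_type: value}."""
    found = {}
    for entity_type, (field, pattern) in model.items():
        match = re.search(pattern, alert["Additional Event Fields"].get(field, ""))
        if match:
            found[entity_type] = match.group(1) if match.groups() else match.group(0)
    return found

def missing_entities(alert, model):
    """Publishing check: every entity type in the model must be extracted from this alert."""
    return sorted(set(model) - set(extract_entities(alert, model)))

def resolve_placeholders(template, alert):
    """Fill [Event.field] / [Alert.field] placeholders in a branch condition with alert data."""
    def lookup(m):
        scope = "Additional Event Fields" if m.group(1) == "Event" else "Additional Alert Fields"
        return str(alert[scope].get(m.group(2), ""))
    return PLACEHOLDER.sub(lookup, template)

def pick_branch(alert):
    """Two-branch condition: escalate only when severity is High and a sender address was extracted."""
    severity = resolve_placeholders("[Alert.Severity]", alert)
    return "escalate" if severity == "High" and "EMAIL" in extract_entities(alert, MODEL) else "triage"
```

Run `missing_entities` against the alert the connector actually pulls as well as the simulation alert; a non-empty result means the mapping must be fixed before the use case can be published.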
Write a guide
The use case you're creating will be used by other Google SecOps users. Attach content as a guide to help other users implement the use case. You can attach this guide in Publish Use Case. The guide should:
Explain the use case and its SOC value.
Provide recommendations for improvement.
Include instructions for running the use case with simulation and real data.
Add setup instructions for connectors and integrations.
Include any relevant licensing information.
Include a procedure on how to configure a connector.
Publish the use case
To publish your use case, follow these steps:
Go to the Google SecOps Marketplace and click the Use Cases tab.
Click List and select Create New Use Case.
Enter the details and add all items you developed (test cases, playbooks, and connectors).
Attach your guide in the Description field or link to a full guide.
Optional: Click Export to export the use case (now or later) > click Save.
Optional: After you click Save, you can export the package as a ZIP file, or Import it for testing.
Submit for approval to publish.
Last updated 2025-08-29 UTC.