Security Operations: Step 4.2 - Investigate | Investigate Cases & Alerts


Google SecOps ingests alerts from a variety of sources. Each alert is ingested together with its underlying base security events. Those security events are analyzed, and their indicators, such as sources, destinations, and artifacts, are extracted into objects called entities. Each entity stored in the platform starts collecting data, including comments, enrichment data, and reports, allowing analysts to review this history when handling future cases involving that entity.

Actions

Working Cases

Google SecOps Cases gives analysts a way to investigate incoming security alerts and safeguard workstations. Analysts can also create manual cases and simulated cases, and ingest specific data.


Steps
  1. Users will navigate to the left-side Navigation Bar and then select Cases.
  2. On the top-left of the Cases page, users will see several options to navigate through Cases:
    1. Cases View Selection
    2. Refresh Cases
    3. Switch to Default Mode
    4. Select Multiple Cases
    5. Add Cases
    6. Sort By
    7. Cases Filter
    8. Search Case Name
  3. When users select the Cases Filter, a Case Queue Filter popup will appear, which displays the following sections/fields:
    1. Parameters
    2. Logical Operator
    3. Add Criteria
    4. Save Filter
  4. When a Case is shown as a result, it will appear in the left-side bar.
  5. When a Case is selected, a popout page will appear.
  6. Cases will have an assigned:
    1. Case ID Number
    2. Environment
    3. Tier designation
    4. Date/Time Range
  7. At the top of the Case page, users will also see the following options:
    1. Triage
    2. Chat
    3. Close Case
    4. Case Actions
    5. Close Case
    6. Manage Tags
  8. Each Case will have three views:
    1. Overview
    2. Case Wall
    3. Case Details
  9. To the right of each View are the following options:
    1. Manual Action
    2. Case Tasks
    3. Alert Options (only in Case Details view)
  10. In the Case Overview, users will see a Gemini Summary of the Case, consisting of:
    1. Suggestion
    2. What Actually Happened
    3. The Next Steps You Should Take
  11. There are additional sections below consisting of:
    1. Case Description
    2. Pending Actions
    3. Alerts
    4. Entities Graph
    5. Entities Highlights
    6. Latest Case Wall Activity
    7. Recommendations
    8. Statistics
    9. Comment Section
      • Option to Attach File
  12. The Case Wall view will allow users to view the Case Details:
    1. Actions
    2. Status Changes
    3. Tasks
    4. Comments
    5. Insights
    6. Pinned Chat Messages
    7. Favorites
      • Each Case Detail can be marked as a Favorite.
  13. There are Filter options in Case Wall view:
    1. Alert Type
    2. User
    3. Sort By Date/ Time
  14. The Case Details view has four tab options:
    1. Overview
    2. Events
    3. Playbooks
    4. Graph
  15. The Overview tab in Case Details will display information consisting of:
    1. Alert Details
    2. Pending Actions
    3. Entities Highlights
    4. Events
    5. Comment Section
      • Option to Attach File
    6. Events
  16. The Events tab will display a list of Events, consisting of:
    1. Name
    2. Type
    3. Source
    4. Port
    5. Outcome
    6. Time
    7. Option to Configure Event
  17. Under the Events tab, users can also Search for details. These details have sections below that include:
    1. Highlighted Fields
    2. Default
    3. System
    4. Threat
    5. Event
    6. Time
  18. Under the Playbooks tab, users will see the following options:
    1. Refresh
    2. Jump to Case Wall
    3. Add Playbook
  19. To add a Playbook, select Add Playbook; an Add a Playbook popup will appear.
  20. Users will be able to select a specific Playbook, and select Add.
  21. All selected Playbooks will show in the side-bar under Playbooks.
Your Workdesk

Google SecOps Workdesk is the first step in taking care of your SOC daily routine. Your Workdesk allows you to manage your cases, collaborate with your team members, and quickly respond to manual actions in the Playbooks.


Steps
  1. Users will navigate to the left-side Navigation Bar and then select Your Workdesk.
  2. On the top-left of the Your Workdesk page, users will see several options:
    1. My Cases
    2. Pending Actions
    3. My Tasks
    4. Requests
    5. Workspace
    6. Announcements
  3. Users view Cases in the My Cases tab, through four sections:
    1. Assigned to Me
    2. Assigned to My Role
    3. Mention of Me
    4. Mention of My Role
  4. At the bottom of the My Cases page, users can Refresh the list by selecting Refresh.
  5. Users view Pending Actions in the Pending Actions tab, with five Pending Action ratings:
    1. Critical
    2. High
    3. Medium
    4. Low
    5. Informative
  6. The Pending Actions page also has a Search Function.
  7. At the bottom of the Pending Actions page, users can Refresh the list, by selecting Refresh.
  8. Users can view/create their Tasks in the My Tasks tab, with four sections:
    1. Status
    2. Assigned to Me
    3. Assigned to My Role
    4. Created by Me
  9. The My Tasks page also has a Search Function.
  10. At the bottom of the My Tasks page, users can Create a New Task by selecting the Create a New Task button.
  11. In the Create Task popout page, users can fill in the following information:
    1. Title
    2. Task Content
    3. Assign To
    4. Due Date
  12. When users have filled out the Create Task information, select Save.
  13. Users can view/create Requests in the Requests tab, with an option to view Open and Closed Requests.
  14. The Requests page also has a Search function.
  15. To Create a New Request, users can select the Add Request button, to the right of the Search field, or the Create a New Request button at the bottom of the page.
  16. When users have filled out the New Request information, select Save.
  17. The new Request will display on the page after a few minutes.
  18. Users will click the Case ID to see the Case in the Cases page with full details.
  19. After the Request is put in, the user's approving manager will review the Case and approve or deny the Request.
  20. Under the Workspace tab, on the Workspace page, users can view/create the following four sections:
    1. Links
    2. Files
    3. My Contacts
    4. Notes
  21. The Create Link section consists of:
    1. URL Address
    2. Link Description
  22. When complete, users will select Save.
  23. The Create File section consists of:
    1. File Address
    2. File Description
  24. When complete, users will select Save.
  25. The Create Contact section consists of:
    1. Contact Name
    2. Phone Number
    3. Contact Email
    4. Contact Description
  26. When complete, users will select Save.
  27. The Create Note section consists of:
    1. Note Title
    2. Note Content
  28. When complete, users will select Save.
  29. Notes can be searched for through the Search field.
  30. The Notes section also has a Default Note template, that can be Deleted or Edited.
  31. Users can view/create their Announcements in the Announcements tab.
  32. The Announcements page also has a Search Function.
  33. To Create a New Announcement, users can select the Add Announcement button, to the right of the Search field, or the Create a New Announcement button at the bottom of the page.

Next Step: Security Operations: Step 5 - Respond 

Previous Step: Security Operations: Step 4.1 - Investigate | Investigation 

Last update: 02-07-2025 07:44 AM