Security Operations: Step 2.2 - Ingestion | Utilize SecOps Marketplace


The Google SecOps Marketplace offers a central hub where you can access a wealth of pre-built integrations, community-developed playbooks, and powerful analytics – all designed to streamline your Security Operations Center (SOC) workflows and supercharge your incident response.

The Marketplace empowers you to seamlessly connect Google SecOps with leading security tools, automate repetitive tasks with pre-built playbooks, and gain invaluable insights from comprehensive dashboards. This collaborative environment fosters innovation, saves valuable time, and allows your SOC team to focus on what matters most – effectively combating cyber threats.

Prerequisites

  • Entitlement for Google SecOps on the account and project.
  • Administrative access to Google SecOps.
  • Administrative access for any third-party applications that are intended to be connected to Google SecOps.

Actions

Marketplace Use-Cases

The Google SecOps Marketplace acts as the customer's toolbox, holding a wide range of utilities and options to choose from. The Marketplace also contains a repository for predefined Use Cases, Power Ups that enhance Playbook capabilities, and Analytics that provide valuable insights.

Steps
  1. To begin, users will go to the left-side Navigation Bar and then select Marketplace, which will display the Google SecOps Marketplace page.
  2. Users will also see three tabs to select from, consisting of:
    1. Use Cases
    2. Integrations
    3. Power Ups
  3. Users will select the Use Cases tab, which will display many pre-defined Use Cases at the bottom of the page.
  4. In the Marketplace page, users will see a Search bar at the top-right of the page, to Search for Use Cases.
  5. Users will have the option to Filter the category types of Use Cases they want to display at the center of the page.
  6. These categories consist of:
    1. Malware
    2. Endpoint
    3. Threat Hunting
    4. Investigation
    5. Threat Intelligence
    6. Insider Threat
    7. …and more
  7. To the right of Filters is a Use Case Option menu, which will give the user a choice to:
    1. Create New Use Case
    2. Import Use Case
    3. Export Use Case
    4. Refresh
  8. Once a user has found a Use Case to Install, they will select the Use Case by clicking Install.
  9. A popup window will appear, which will display the Use Case with five steps:
    1. Use Case Information
    2. Use Case Items
    3. Install Use Case Items
    4. Configure Integrations
    5. Run Use Case
  10. Typically, the Use Case Information section will display a video from Google SecOps that gives users a basic overview and step-by-step instructions on how to install and run the Use Case.
  11. On the same page, users will see a description and three to four dropdowns that will display:
    1. Playbooks
    2. Integrations
    3. Test Cases
    4. Connectors
  12. Users will select Next.
  13. Users will see the Use Case Items page, which will show Install Use Case Items at the top of the page. Here users will be able to:
    1. Install Integrations
    2. Install Playbooks
    3. Install Simulation Cases
  14. Users will have a Search function in this section and an option to Override existing Ontology.
  15. Users will select Install to Install the Use Case items. Once the Installation is completed, it will display Installation Completed, with all of the Integrations, Playbooks, and Simulation Cases installed. Then select Next.
  16. Users will see the Configure Integrations page, listing all of the Integrations. Each Integration will have the following fields to Configure:
    1. Instance
    2. Environment
    3. Instance Name
    4. Description
    5. Parameters
    6. API Key
    7. Verify SSL
  17. Users will then have the option to Test and Save each Integration.
  18. When complete, users will select Next.
  19. On the Run Use Case page, users will see an option to Select Alert for Simulation; they will select the checkbox next to the Use Case and then select Next.
  20. Once selected, users will see a Congratulations message and the Next Steps to:
    1. Simulate More Alerts
    2. To Connect Your Data
    3. Connect your Remote Environment
  21. Users will select Finish.
Use Case Example
Here is an example of how to install and configure the Use Case “Phishing Use Case - Zero to Hero”:
  1. Users will select the Marketplace on the left Navigation Bar.
  2. Select the Use Cases tab on the Google Marketplace page.
  3. In the pre-defined Use Cases below, select the Community version of “Phishing Use Case - Zero to Hero” and click Install.
  4. After watching the Guide Video in the Use Case Information section, users will see the Playbooks, Integrations, Test Cases, and Connectors associated with the Use Case, and select Next.
  5. In the Use Case Items section, users will see the Integrations, Playbooks, and Simulation Cases that will be Installed. If there is a conflict with an existing Ontology, and the user chooses to Override, they will select the box next to Override Existing Ontology. Once complete, users will then select Install.
  6. Once Installed, users will see that their Installation is complete, and will select Next.
  7. Once users Configure their Integration, they can Test and Save the Configuration, then select Next.
  8. In the Run Use Case section, users will select the Alert for Simulation by selecting the checkbox next to the Use Case, then select Next.
  9. In the final step, once the Use Case is deployed, users will see instructions on Next Steps and how to navigate to the Cases screen to see the simulations in action. Once done, select Finish.
Marketplace Integrations

Steps
  1. To begin, users will go to the left-side Navigation Bar and then select Marketplace, which will display the Google SecOps Marketplace page.
  2. Users will also see three tabs to select from, consisting of:
    1. Use Cases
    2. Integrations
    3. Power Ups
  3. In the Marketplace page, users will see a Search bar at the top-right of the page, to Search for Integrations.
  4. Users will select Integrations, which will display many pre-defined Integrations at the bottom of the page.
  5. Users will have the option to Filter the category types of Integrations they want to display at the center of the page.
  6. These categories consist of:
    1. Security
    2. Threat Intelligence
    3. IT & Infrastructure
    4. Access Management
    5. IAM
    6. …and more
  7. At the top of the page are two dropdown menus:
    1. Type
    2. Status
  8. In the Type menu, users can select from the following Integrations:
    1. All Integrations
    2. Google SecOps Integrations
    3. Published by Community
    4. Custom Integrations
  9. In the Status menu, users can select Integrations that are:
    1. Installed
    2. Not Installed
    3. Available Upgrade
  10. Users can read the Details of each Integration by selecting the Details button.
  11. Once a user has found an Integration to Install, they will select the Integration by clicking Install.
  12. Users will see a popup showing the Integration is complete.
  13. Once an Integration is complete, users will see that the Install button has been replaced with a Configure button. Users will select Configure.
  14. A Configure Instance popup will appear, which will display the following fields:
    1. Environment
    2. Instance Name
    3. Description
    4. Parameters
    5. API Key
    6. Verify SSL
  15. Users will have the option to Test the Instance, by selecting the Test button.
  16. Once complete, users will select Save.
  17. Note: Users can make changes at a later stage if needed. Once configured, the instances can be used in Playbooks.

Marketplace Power-Ups

Steps
  1. To begin, users will go to the left-side Navigation Bar and then select Marketplace, which will display the Google SecOps Marketplace page.
  2. Users will also see three tabs to select from, consisting of:
    1. Use Cases
    2. Integrations
    3. Power Ups
  3. In the Marketplace page, users will see a Search bar at the top-right of the page, to Search for Power Ups.
  4. Users will select Power Ups, which will display many pre-defined Power Ups at the bottom of the page.
  5. Users will have the option to filter the list of Power Ups by Status, using the following options:
    1. Installed
    2. Not Installed
    3. Available Upgrade
  6. Users can read the Details of each Power Up by selecting the Details button.
  7. Once a user has found a Power Up to Install, they will select the Power Up by clicking Install.
  8. Users will see a popup showing the Integration is complete.
  9. Once a Power Up is complete, users will see that the Install button has been replaced with a Configure button. Users will select Configure.
  10. A Configure Instance popup will appear, which will display the following fields:
    1. Environment
    2. Instance Name
    3. Description
  11. Users will have the option to Test the Instance, by selecting the Test button.
  12. Once complete, users will select Save.

Next Step: Security Operations: Step 3 - Detect 

Previous Step: Security Operations: Step 2.1 - Ingestion | Configure Data Ingest 

Last update:
‎02-07-2025 09:14 AM