Google SecOps Response function provides the analysts a way to respond to cyber threats in minutes, not days. Enable modern, fast, and effective response by combining low-code automation with powerful collaboration.
Actions
Work w/Playbooks
A playbook is built on triggers, actions, and flows. Once it is triggered, the playbook moves along the actions to a final resolution.
Users will navigate to the left-side Navigation Bar, select the Response dropdown menu, and then select Playbooks.
At the top-left of the page, users can select from a dropdown menu that allows them to choose:
Show All
Playbooks
Blocks
Next, users can select Menu. Before clicking on the menu icon to perform bulk actions, make sure to click the edit icon and select the required Playbooks or Blocks. Clicking on the Menu opens up the following actions:
New Folder
Duplicate
Change Priority
Export
Import
Move To
Delete
New Folder allows users to add new Playbook Folders.
Duplicate allows users to create a Duplicate Playbook with the following options:
Keep or change Priority
Keep in same Folder or move to a different Folder
Choose Environments it belongs to. Options include single or multiple Environments or All Environments, where all means all defined Environments as well as Environments that will be defined in the future.
Change Priority allows users to change Priority level.
Export and Import are useful for sending both Playbooks and Playbook Blocks from a staging server to a production server and the other way around. The Playbooks will be Exported or Imported with their customized views attached. The system only recognizes zip files for Import.
Move To allows users to move Playbooks and Blocks to another Folder or even create a new Folder from this option.
Delete allows users to Delete Playbooks and Blocks.
To the right of Menu are additional options:
Filter
Edit
Add New Playbook or Block
Filter allows users to:
Turn on Playbook Simulator
Show Active Playbooks
Set Priority
Choose Environments
Edit allows users to select single or multiple Playbooks and Blocks to Edit the Playbook or Block names.
Add New Playbook or Block allows users to:
Select the type of Playbook or Block
Choose Folder
Choose Environment
Also in the top-left, below the Menu and Playbook options, is a Search function that allows users to Search for Playbooks or Blocks.
At the top of the main section of the Playbooks page, users will see the top bar of the Playbook Designer.
At the top segment of the Playbook Designer pane, users can use the horizontal toggling button to enable or disable the Playbook. In that pane, users can access:
Playbook or Block details
Description
Toggle Activating Playbook Simulator
Playbook Priority
Version Control
Configure Who Can See or Edit Playbook
Playbook
In the Playbook Simulator, users will have the following features:
Integrations are packages that can be installed from the Google SecOps Marketplace. When you install an integration, you are adding connectors, playbook actions and scheduled jobs. These are all able to connect Google SecOps with third-party products in order to perform tasks.
Integrations are configured under Integrations Setup. Users will navigate to the left-side Navigation Bar, select the Response dropdown menu, and then select Integrations Setup.
At the top-left of the page, users will see a side panel with two predefined options, DefaultEnvironments and SharedInstances, that contain the user’s Integrations.
In the side panel, users will have the options:
Hide Empty Environments
Filter Environments
Environments
Integrations
Configured
Remote Integrations
Search Bar
List of Environments and Instances
On the main page of each Environments option, users will be able to see their Integrations, including the following options:
Search Field
Create a New Instance
Read More (about the Integration)
Configured/ Not Configured
Configure Instance
Delete Instance
If a user needs to Configure an Instance, click the Configure Instance button. In both current and new Instances, users can configure the following sections:
Instance Name
Description
Parameters
The Parameters section has several options available, depending on the Instance.
Integrated Development Environment (IDE) production mode. The IDE is a framework for viewing, editing, and testing code. It allows you to view the code of commercial integrations and to create custom integrations from scratch or by duplicating the code of commercial integrations. In addition, this is the place to manage, import and export custom integrations.
Integrations are configured under Integrations Setup. Users will navigate to the left-side Navigation Bar, select the Response dropdown menu, and then select IDE.
At the top-left of the page, users will see a side panel, where they can select the following options:
Toggle for Staging and Production mode
Import/ Export
Create New Item
Integration Types
Search Bar
Users who want to choose an item will select between Integrations or Types, which includes a pre-defined list of:
Integrations
Connectors
Actions
Jobs
Managers
To create a Connector, users will click Create New Item and select Connector. Enter a Connector Name and the required Integration, then click Create.
To create an Action, users will click Create New Item and select Action. Enter an Action Name, the required Integration, and Action Type, then click Create.
To create a Job, users will click Create New Item and select Job. Enter a Job Name and the required Integration, then click Create.
To create an Integration, users will click Create New Item and select Integration. Enter an Integration Name and then click Create.
To create a Manager, users will click Create New Item and select Manager. Enter a Manager Name and the required Integration, then click Create.
Each Integration Type, custom or commercial, can be edited in the Integrated Development Environment. Users can select an Integration in the IDE Sidebar, and the Integration will then appear in the IDE page.
Users will be able to:
Disable/ Enable
See Integration Name
See Integration Description
Use the IDE Editor
Play Item
Manage JSON Sample
Duplicate/ Delete Item
Additionally, to the right of the IDE Editor, users will be able to observe:
Integration Details
Dynamic List
Testing Parameters & Results
Debug Output
Once an Integration has been tested, reviewed and completed, users will select Save.
Users will be able to Enable the Integration, and move the Integration from Production to Staging, via the Staging/ Production Toggle at the top of the IDE Sidebar.
The Jobs Scheduler page contains default Google SecOps jobs, as well as jobs that are created in the IDE and are essentially scripts that can be scheduled to run periodically. Jobs can access data in all environments.
Jobs are configured under Jobs Scheduler. Users will navigate to the left-side Navigation Bar, select the Response dropdown menu, and then select Jobs Scheduler.
At the top-left of the page, users will see a side panel with the following options:
Refresh
Show All/ Hide Inactive
Create New Job
Search Field
Expand/ Collapse List
Jobs List
To display a current Job, whether Active or Inactive, click on the Job and the selected Job page will appear.
The Job page will consist of the following information:
Job Activation Toggle
Job Name
Job Creation Date/ Time
Job Description
Job Menu
Download Job
Delete Job
Save Job
Job Details
Job Parameters
Job History
Run Now (Run Job)
To create a New Job, users will go into the Jobs Sidebar and select Create New Job. This will display the Add Job popup.
In the Add Job popup, users can select a Job they created in the IDE and click Save.