Common use case for SOAR playbooks

We are new to SecOps SOAR. With the SOC team deployed and monitoring the alerts manually, we would like to know what common playbooks every environment should have. Can someone share a list or share use cases to make the best use of the SOAR platform?

 

We have data sources from AWS, GCP, GWS, AZURE, SentinelOne. 


ErikaB
Community Manager

Hi @Gcpsecops

While every environment is unique, here's a list of some common playbooks that may be helpful: 

 

  • Catch-All: This is your basic, all-purpose playbook. It handles the essentials like gathering information and figuring out what's going on. If an alert doesn't have a specific playbook, it goes here.

  • Phishing Fighter: This one tackles phishing emails. It automatically checks if an email is legit and takes action, like quarantining it or blocking bad links.

  • Endpoint Protector: Keeps your computers safe. It handles alerts from your endpoint security tools.

  • Identity Guardian: This one watches over your user accounts. It checks for suspicious logins, resets passwords, and can even block compromised accounts.

  • Network Ninja: This playbook is all about network security. It handles things like intrusions and suspicious traffic.

  • Cloud Captain: If you use cloud services, this one's for you. It deals with unauthorized access and other issues in your cloud environment.

Don't forget to check out the Google SecOps Marketplace for pre-built playbooks and integrations that can save you time. And if you need more info, the Google SecOps documentation has you covered. Good luck!
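To make the structure behind this list concrete, here is an added illustration in Python. It is not Google SecOps code and not a Marketplace playbook; it sketches the routing pattern the reply describes: every alert is enriched first, a category-specific playbook (phishing, identity, endpoint) decides on response actions, and anything without a matching playbook falls through to a catch-all that just opens a case. The alert fields, source names, the `BAD_DOMAINS` reputation set and the `EXPECTED_COUNTRIES` set are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Alert:
    source: str                  # constructed source name, e.g. "gws" or "sentinelone"
    category: str                # constructed category used for routing
    fields: dict
    severity: str = "low"
    actions: list = field(default_factory=list)
    playbook: str = ""           # name of the playbook that handled the alert


# Constructed stand-ins for a URL-reputation integration and for the
# hypothetical organisation's expected login countries.
BAD_DOMAINS = {"phish.example", "evil.example"}
EXPECTED_COUNTRIES = {"US", "DE"}


def enrich(alert: Alert) -> Alert:
    """Shared first step: attach the context every playbook needs.
    Here it only tags the alert; a real playbook would query asset,
    user and threat-intel integrations at this point."""
    alert.fields["enriched"] = True
    return alert


def catch_all(alert: Alert) -> Alert:
    """Default playbook: enrich and hand the alert to an analyst."""
    enrich(alert)
    alert.actions.append("open_case")
    return alert


def phishing_fighter(alert: Alert) -> Alert:
    """Phishing playbook: quarantine and block when a link domain is known bad."""
    enrich(alert)
    bad = [d for d in alert.fields.get("url_domains", []) if d in BAD_DOMAINS]
    if bad:
        alert.severity = "high"
        alert.fields["bad_domains"] = bad
        alert.actions += ["quarantine_email", "block_urls", "open_case"]
    else:
        alert.actions.append("close_as_benign")
    return alert


def identity_guardian(alert: Alert) -> Alert:
    """Identity playbook: contain accounts that look compromised."""
    enrich(alert)
    f = alert.fields
    if f.get("login_succeeded") and f.get("failed_logins", 0) >= 5:
        # Many failures followed by a success: treat the account as compromised.
        alert.severity = "critical"
        alert.actions += ["reset_password", "disable_account", "open_case"]
    elif f.get("country") not in EXPECTED_COUNTRIES:
        alert.severity = "medium"
        alert.actions += ["revoke_sessions", "open_case"]
    else:
        alert.actions.append("close_as_benign")
    return alert


def endpoint_protector(alert: Alert) -> Alert:
    """Endpoint playbook: isolate a host the EDR has called malicious."""
    enrich(alert)
    if alert.fields.get("verdict") == "malicious":
        alert.severity = "high"
        alert.actions += ["isolate_host", "open_case"]
    else:
        alert.actions.append("open_case")
    return alert


# Routing table: category -> playbook. Anything unmatched goes to catch_all.
ROUTES = {
    "phishing": phishing_fighter,
    "login": identity_guardian,
    "malware": endpoint_protector,
}


def run_playbook(alert: Alert) -> Alert:
    handler = ROUTES.get(alert.category, catch_all)
    alert.playbook = handler.__name__
    return handler(alert)


def triage(alerts):
    """Run each alert through its playbook; return (source, playbook, severity, actions)."""
    return [(a.source, run_playbook(a).playbook, a.severity, a.actions) for a in alerts]


# Constructed sample alerts, one per data source named in the question.
SAMPLE_ALERTS = [
    Alert("gws", "phishing", {"url_domains": ["docs.example", "phish.example"]}),
    Alert("azure", "login", {"login_succeeded": True, "failed_logins": 7, "country": "US"}),
    Alert("sentinelone", "malware", {"verdict": "malicious", "host": "ws-01"}),
    Alert("aws", "cloud_iam", {"event": "CreateAccessKey"}),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

The AWS alert lands in `catch_all` because no cloud playbook is registered, which is the point of the "Catch-All" entry above: an unmatched alert still gets enriched and a case opened rather than being dropped. Adding a "Cloud Captain" is a matter of registering one more entry in `ROUTES`.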

 

Are these common playbooks ones we need to build, or are you saying they are available in the Marketplace? Our environment has GCP Audit Logs, AWS Audit Trail, Azure/O365, SentinelOne, GWS logs and a lot of curated detections. Right now we have only the integration for case notification email, but we would like to leverage as many integrations as possible to automate and streamline SOAR processes.

Hello,

You can find a list of use cases to run in the SOAR Marketplace [1].

Reference:

[1] https://cloud.google.com/chronicle/docs/soar/marketplace/run-use-cases