Navigate the Google Security Operations platform
When you access the Google Security Operations platform, your view depends on the permission groups that you're assigned to. The sliding left navigation bar is customized for you based on your permissions.
To navigate around the platform, hold the pointer over the sliding left navigation bar and then click to access all of the Google Security Operations screens.
| What do you want to do? | Where can you find it? |
|---|---|
|
Manage all the incoming cases in the platform |
Cases |
| View tailored actions and tasks that you need to complete on cases | Your Workdesk |
|
Search holistically across the entire platform |
Investigation > SIEM Search |
| Search for cases and entities |
Investigation > SOAR Search |
|
Manage your SIEM rules and detections in the dashboard, editor and
curated detections |
Detection > Rules > Detections |
| View SIEM alerts and IOC matches |
Detection > Alerts > IOCs |
| View risk scores and trends derived from SIEM |
Detection > Risk Analytics |
| Design automated sequence of actions to start as soon as the relevant alert enters the platform | Response > Playbooks |
| Configure integrations for different instances | Response > Integrations Setup |
| Edit predefined jobs or create new jobs that can be scheduled to run periodically | Response > Jobs Scheduler |
| Edit the code of commercial integrations or create custom integrations | Response > IDE |
|
Look at analysis and reporting based on UDM events |
Dashboard and Reports > SIEM Dashboards |
| Access and analyze information on cases, playbooks, environments, etc |
Dashboard and Reports > SOAR Dashboards |
| View both predefined Google Security Operations SOAR reports and advanced reports using Looker |
Dashboard and Reports > SOAR Reports |
| Highlight an incident as a crisis situation and create a dedicated space to handle it | Incident Manager |
|
Install third-party integrations plus use cases and power ups for the
platform |
Google Security Operations Marketplace |
| Manage administration tasks, ingestion, and parsing configuration for SIEM | Settings > SIEM Settings |
|
Manage all the admin tasks and configuration for SOAR features |
Settings > SOAR Settings |
SIEM Settings
| What do you want to do? | Where can you find it? |
|---|---|
| View details about users and the organization. | Profile |
| View all the users and groups in the SIEM side of the platform |
Users & Groups |
| View the roles and permissions for the SIEM components of the platform | Roles |
| Configure and view SIEM feeds | Feeds |
| Configure and view SIEM forwarders | Forwarders |
| Manage parsers and parser extensions | Parsers |
| View associated Google Cloud Platform project information |
Google Cloud Platform |
| Manage Role-based access control for SIEM users |
Data RBAC |
| Setup Google Workspace to forward data to Google Security Operations |
Workspace Attach |
SOAR Settings
| What do you want to do? | Where can you find it? |
|---|---|
| View all the users in the Google SecOps platform | Organization > User Management |
| Define environments | Organization > Environments |
| Manage permissions and restrictions for different user groups | Organization > Permissions |
| View your license details and the current SOAR version | Organization > License Management |
| Add or edit roles for security teams to control access to cases and environments | Organization > Roles |
| Add and manage tags that are added automatically to cases | Case Data > Tags |
| Define the different stages of a case that are used by your organization | Case Data > Stages |
| Define root causes for closing a case, whether it was malicious or not and what was the actual cause | Case Data > Case Close Root Causes |
| Set the case name hierarchy | Case Data > Case Name |
| Define default case and alert views using widgets | Case Data > Views |
|
Generate API key to interact with the Google Security Operations API |
Advanced > API Keys |
| Take a look at all user activities in the platform | Advanced > Audit |
| Set policies for data retention and handling cases between environments | Advanced > General |
| Manage and configure the default time zones and date and time formats | Advanced > Localization |
| Define rules for grouping alerts and for overflow cases | Advanced > Alerts Grouping |
| Map IdP groups to SOAR user groups, SOC roles and permission groups | Advanced > IDP Group Mapping |
| Set up and manage remote agents | Advanced >Remote Agents |
| Configure the email address from which all SOAR system emails are sent | Advanced > Email Settings |
| Allow Google Support to access your platform | Advanced > Support Access |
| View property definitions for ingested data | Data Configuration > Properties Metadata |
| View statistics on the platform | Data Configuration > Statistics |
| Manage and configure visual family matches to specific products and events | Ontology > Ontology Status |
| Manage, edit, and create visual families | Ontology > Visual Families |
| Define environments in the platform | Environments > Networks |
| Define domains | Environments > Domains |
|
Define custom lists consisting of users, IPs, and other entities |
Environments > Custom Lists |
|
Define email templates to be used in playbooks and other actions |
Environments > Email templates |
|
Define email HTML templates to be used in playbooks and other actions |
Environments > Email HTML templates |
| Define entities in alerts that shouldn't be grouped or entities that shouldn't be displayed | Environments > Blocklist |
| Define SLAs for resolving cases and alerts according to specific SLA triggers | Environments > SLA |
| Define requests for users to choose from in their workdesk | Environments > Requests |
|
Manage departments that Incident Manager users are associated with |
Incident Manager > Departments |
| Define the users added as collaborators for every incident in the Incident Manager | Incident Manager > Auditors |
| Define which environments are authorized to have their cases handled in the incident manager | Incident Manager > Environments |
| Set up connectors to ingest alerts into the platform | Ingestion > Connectors |
| Set up webhooks to ingest alerts into the platform | Ingestion > Webhooks |