+2We are new to SecOps SOAR. With the SOC team deployed who is monitoring the alerts manually, we like to know what are the common playbooks that every environment should have? Can someone share a list or share use cases to make rhe best use of SOAR platform?
We have data sources from AWS, GCP, GWS, AZURE, SentinelOne.
+10Hi @Gcpsecops
While every environment is unique, here's a list of some common playbooks that may be helpful:
Catch-All: This is your basic, all-purpose playbook. It handles the essentials like gathering information and figuring out what's going on. If an alert doesn't have a specific playbook, it goes here.
Phishing Fighter: This one tackles phishing emails. It automatically checks if an email is legit and takes action, like quarantining it or blocking bad links.
Endpoint Protector: Keeps your computers safe. It handles alerts from your endpoint security tools.
Identity Guardian: This one watches over your user accounts. It checks for suspicious logins, resets passwords, and can even block compromised accounts.
Network Ninja: This playbook is all about network security. It handles things like intrusions and suspicious traffic.
Cloud Captain: If you use cloud services, this one's for you. It deals with unauthorized access and other issues in your cloud environment.
Don't forget to check out the Google SecOps Marketplace for pre-built playbooks and integrations that can save you time. And if you need more info, the Google SecOps documentation has you covered. Good luck!
+2Hi @Gcpsecops
While every environment is unique, here's a list of some common playbooks that may be helpful:
Catch-All: This is your basic, all-purpose playbook. It handles the essentials like gathering information and figuring out what's going on. If an alert doesn't have a specific playbook, it goes here.
Phishing Fighter: This one tackles phishing emails. It automatically checks if an email is legit and takes action, like quarantining it or blocking bad links.
Endpoint Protector: Keeps your computers safe. It handles alerts from your endpoint security tools.
Identity Guardian: This one watches over your user accounts. It checks for suspicious logins, resets passwords, and can even block compromised accounts.
Network Ninja: This playbook is all about network security. It handles things like intrusions and suspicious traffic.
Cloud Captain: If you use cloud services, this one's for you. It deals with unauthorized access and other issues in your cloud environment.
Don't forget to check out the Google SecOps Marketplace for pre-built playbooks and integrations that can save you time. And if you need more info, the Google SecOps documentation has you covered. Good luck!
Hello,
You can find a list of run use cases in the SOAR Marketplace [1]
Reference:
[1] https://cloud.google.com/chronicle/docs/soar/marketplace/run-use-cases
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
