
Investigation

Google SecOps lets you investigate many different aspects of the information stored in your Google SecOps account. SecOps Investigation lets you examine the aggregated security information for your enterprise going back months or longer. Use Google SecOps to search across all of the domains accessed within your enterprise.

 

SIEM Search

The SIEM Search function lets you find events and alerts within your Google SecOps instance. SIEM Search includes a variety of search options that help you to navigate through your data. You can search for individual events and groups of events tied to shared search terms.

 

Steps
  1. Users will navigate to the left-side Navigation Bar and then select Investigation, which will display a dropdown menu.
  2. Select SIEM Search to display the SIEM Search page. 
  3. On the SIEM Search page, users will be able to see a Search Query bar at the top of the page. Users can enter questions in natural language form.
    1. Example: “Find Externally Shared Documents with Confidential in the Title.”
  4. Once a Query is entered, users will select Generate Query.
  5. The Query will appear in the Terminal box below Search Query, showing Field and Operator.
  6. At the main part of the page, users will see the following options:
    1. Your Search History
    2. Your Saved Searches
    3. Searches Shared With You
  7. Users will have the following options:
    1. Search History (Open Search Manager)
    2. UDM Lookup
    3. Lists 
    4. Feedback on Generated Query
    5. Rewrite Query
    6. Case Sensitivity
    7. Date/Time Range
    8. Run Search
  8. Once a Query has been generated, users will see three tabs in the main section of the page:
    1. Overview
    2. Events
    3. Alerts
  9. If there are results, a number value will appear next to each section tab.
  10. Overview tab results will show entity Overview data.
  11. Events tab results will show the following details:
    1. Trend Over Time
    2. Prevalence
    3. Filter Options
    4. Aggregations
      • Grouped Fields
      • UDM Fields
    5. Events
      • Timestamp
      • Event
      • User
      • Hostname
      • Process Name
    6. Search Events
  12. To Search for Events, users will enter a query into the Search Events field and select Apply To Search and Run button.
  13. If an event is selected, users will see an Event Viewer to the right of the Event, consisting of:
    1. Entities
    2. UDM Fields
    3. Raw Log, with the option to Manage Parser.
  14. Under the Events Results section, users can download the Queried Events by selecting the Download as CSV button.
Relevant Documentation Links

 

 

SOAR Search

The SOAR Search page lets you find specific cases or entities indexed by Google SecOps SOAR. Google SecOps SOAR stores all case and entity information from cases, giving you the ability to retrieve information that may be relevant for what you are investigating. 

 

Steps
  1. Users will navigate to the left-side Navigation Bar and then select Investigation, which will display a dropdown menu.
  2. Select SOAR Search to display the SOAR Search page.
  3. On the SIEM Search page, users will be able to see a Search Query bar at the top of the page. Users can enter questions in natural language form.
    1. Example: “Find Externally Shared Documents with Confidential in the Title.”
  4. Once a Query is entered, users will select Generate Query.
  5. The Query will appear in the Terminal box below Search Query, showing Field and Operator.
  6. At the main part of the page, users will see the following options:
    1. Your Search History
    2. Your Saved Searches
    3. Searches Shared With You
  7. Users will have the following options:
    1. Search History (Open Search Manager)
    2. UDM Lookup
    3. Lists 
    4. Feedback on Generated Query
    5. Rewrite Query
    6. Case Sensitivity
    7. Date/Time Range
    8. Run Search
  8. Once a Query has been generated, users will see three tabs in the main section of the page:
    1. Overview
    2. Events
    3. Alerts
  9. If there are results, a number value will appear next to each section tab.
  10. Overview tab results will show entity Overview data.
  11. Events tab results will show the following details:
    1. Trend Over Time
    2. Prevalence
    3. Filter Options
    4. Aggregations
      • Grouped Fields
      • UDM Fields
    5. Events
      • Timestamp
      • Event
      • User
      • Hostname
      • Process Name
    6. Search Events
  12. To Search for Events, users will enter a query into the Search Events field and select Apply To Search and Run button.
  13. If an event is selected, users will see an Event Viewer to the right of the Event, consisting of:
    1. Entities
    2. UDM Fields
    3. Raw Log, with the option to Manage Parser.
  14. Under the Events Results section, users can download the Queried Events by selecting the Download as CSV button.
Relevant Documentation Links

 

 

Posture Management

The Posture Management dashboard helps you define, assess, and monitor the security of your resources. It helps uncover policy drift and detect misconfigurations. Maintain your organization's security standards by applying postures to resources in a folder, project, or across your organization.

 
Posture Overview

 

Steps
  1. Users will see the Posture Management dashboard, with three tabs available:
    1. Postures
    2. Templates
    3. Resource Groups
  2. In the Posture tab, users will see a Filter option that will provide users with the following Properties options:
    1. Name
    2. Posture Type
    3. Latest Revision ID
    4. Status
    5. Policy Sets
    6. Policies
    7. Create Time 
    8. Update Time 
    9. Categories
  3. At the top-right of the Postures list, users will see a Columns option with the same options as the Filters Properties options:
    1. Name
    2. Posture Type
    3. Latest Revision ID
    4. Status
    5. Policy Sets
    6. Policies
    7. Create Time 
    8. Update Time 
    9. Categories
Relevant Documentation Links

 

 
Findings

 

Steps
  1. In the Templates tab, users will see a Filter option that will provide users with the following Properties options:
    1. Name
    2. Latest Revision ID
    3. Status
    4. Policy Sets
    5. Policies
    6. Categories
  2. At the top-right of the Templates list, users will see a Columns option with the same options as the Filters Properties options:
    1. Name
    2. Latest Revision ID
    3. Status
    4. Policy Sets
    5. Policies
    6. Categories
  3. If users select a Template by clicking the Display Name, they will see a Posture Template Details page of the selected Template with the following:
    1. Template Details
    2. Policy Sets
  4. In the Policy Sets section, users will see a Filters option that will provide users with the following Policy Sets options:
    1. Policy Sets
    2. Policy Name
    3. Type
    4. Description
    5. Enforcement Type
    6. Standard
  5. In the Policy Sets section, users will see the following Columns:
    1. Policy Sets
    2. Policy Name
    3. Type
    4. Description
    5. Enforcement Type
    6. Standard
    7. Constraint
  6. Under the Constraint column, users will be able to View Constraint Details.
  7. The Constraint Details panel that appears is a read-only JSON view of the constraint.
Relevant Documentation Links

 

 
Resource Groups

 

Steps
  1. In the Resource Groups tab, users will see a Filters option that will provide users with the following Resource Groups options:
    1. Name
    2. Data Assets
    3. Created On
    4. Created Before
    5. Created After
  2. At the top-right of the Resource Groups list, users will see a Columns option with the same options as the Filters Properties options:
    1. Name
    2. Data Assets
    3. Posture
    4. Created On
  3. If users select a Resource Group, by clicking the Display Name, they will see a Resource Group Details page of the selected Resource Group, with the following:
    1. Resource Details
    2. Data Assets
  4. At the top of the Resource Group Details page users will see the following options:
    1. Remove From Posture
    2. Delete
  5. In the Data Assets section, users will see a Filters option that will provide users with the following Data Assets options:
    1. Name
    2. Project
    3. Location
    4. Asset Type
  6. At the top-right of the Data Assets list, users will see a Columns option with the same options as the Filters Properties options:
    1. Name
    2. Project
    3. Location
    4. Asset Type
Relevant Documentation Links

 

 

Investigate Cases & Alerts

Google SecOps ingests alerts from a variety of sources. Each alert is ingested with its underlying base security events. Those security events are analyzed, and their indicators, such as sources, destinations, and artifacts, are extracted into objects called entities. Each entity stored in the platform begins accumulating data, including comments, enrichment data, and reports, allowing analysts to review this history when handling future cases involving that entity.

 

Working Cases

Google SecOps Cases gives analysts a way to investigate incoming security alerts and safeguard workstations. Analysts can create manual cases and simulated cases and ingest specific data.

 

Steps
  1. Users will navigate to the left-side Navigation Bar and then select Cases.
  2. On the top-left of the Cases page, users will see several options to navigate through Cases:
    1. Cases View Selection
    2. Refresh Cases
    3. Switch to Default Mode
    4. Sort By
    5. Cases Filter
    6. Search Case Name
  3. When users select the Cases Filter, users will see a Case Queue Filter popup, which will display the following sections/fields:
    1. Parameters
    2. Logical Operator
    3. Add Criteria
    4. Save Filter
  4. When a Case is shown as a result, it will appear in the left-side bar.
  5. When a Case is selected, a popout page will appear.
  6. Cases will have an assigned:
    1. Case ID Number
    2. Environment
    3. Tier designation
    4. Date/Time Range
  7. At the top of the Case page, users will also see the following options:
    1. Incident
    2. Close Case 
    3. Case Actions 
    4. Manage Tags
  8. Each Case will have three views:
    1. Overview
    2. Case Wall
    3. Case Details
  9. To the right of each View are the following options:
    1. Manual Action
    2. Case Tasks
    3. Alert Options (only in Case Details view)
  10. In the Case Overview, users will see a Finding Summary of the Case, consisting of:
    1. Name
    2. Finding Description
    3. The Next Steps You Should Take
  11. There are additional sections below consisting of:
    1. Finding State
    2. Pending Actions
    3. Alerts
    4. Entities Graph
    5. Entities Highlights
    6. Latest Case Wall Activity
    7. Recommendations
    8. Statistics
    9. Comment Section
      • Option to Attach File
  12. The Case Wall view will allow users to view the Case Details:
    1. Actions
    2. Status Changes
    3. Tasks
    4. Comments
    5. Insights
    6. Pinned Chat Messages
    7. Favorites
      • Each Case Detail can be marked as a Favorite.
  13. There are Filter options in Case Wall view:
    1. Alert Type
    2. User
    3. Sort By Date/Time
  14. The Case Details view has four tab options:
    1. Overview
    2. Events
    3. Playbooks
    4. Graph
  15. The Overview tab in Case Details will display information consisting of:
    1. Finding Summary of the Case, consisting of:
      • Name
      • Finding Description
      • The Next Steps You Should Take
      • Detection Time
      • State
      • Severity
      • Resource Type
      • Resource Path
      • Owner
    2. Comment Section
      • Option to Attach File
    3. Events
  16. The Events tab will display a list of Events, consisting of:
    1. Name
    2. Type
    3. Source/Product
    4. Artifacts
    5. Port
    6. Outcome
    7. Time
    8. Option to Configure Event
  17. Under the Playbooks tab, users will see the following options:
    1. Refresh
    2. Jump to Case Wall
    3. Add Playbook
  18. All selected Playbooks will show in the side-bar under Playbooks.
Relevant Documentation Links

 

 

Your Workdesk

Google SecOps Workdesk is the first step in taking care of your SOC daily routine. Your Workdesk allows you to manage your cases, collaborate with your team members, and quickly respond to manual actions in the Playbooks.

 

Steps
  1. Users will navigate to the left-side Navigation Bar and then select Your Workdesk.
  2. On the top-left of the Your Workdesk page, users will see three options:
    1. My Cases
    2. My Tasks
    3. Announcements
  3. Users view Cases in the My Cases tab, through four sections:
    1. Assigned to Me
    2. Assigned to My Role
    3. Mention of Me
    4. Mention of My Role
  4. At the bottom of the My Cases page, users can Refresh the list by selecting Refresh.
  5. Users can view/create their Tasks in the My Tasks tab, with four sections:
    1. Status
    2. Assigned to Me
    3. Assigned to My Role
    4. Created by Me
  6. The My Tasks page also has a Search Function.
  7. Users can view/create their Announcements in the Announcements tab.
  8. The Announcements page also has a Search Function.
Relevant Documentation Links

 

 

Next Step: Security Command Center Enterprise: Step 4.1.5 - Remediation | Google SecOps | Response 

Previous Step: Security Command Center Enterprise: Step 4.1.3 - Remediation | Google SecOps | Detection 
