Security Operations: Step 4.2 - Investigate | Investigate Cases & Alerts

  • October 31, 2024

Digital-Customer-Excellence
Staff


Google SecOps ingests alerts from a variety of sources. Each alert is ingested together with its underlying base security events. Those security events are analyzed, and their indicators, such as sources, destinations, and artifacts, are extracted into objects called entities. Each entity stored in the platform accumulates data over time, including comments, enrichment data, and reports, allowing analysts to review this history when handling future cases involving that entity.

 

Actions

Working Cases

Google SecOps Cases gives analysts a way to investigate incoming security alerts and safeguard workstations. Analysts can also create manual cases and simulated cases and ingest specific data.

 


Steps
  1. Users will navigate to the left-side Navigation Bar and then select Cases.
  2. On the top-left of the Cases page, users will see several options to navigate through Cases:
    1. Cases View Selection
    2. Refresh Cases
    3. Switch to Default Mode
    4. Select Multiple Cases
    5. Add Cases
    6. Sort By
    7. Cases Filter
    8. Search Case Name
  3. When users select the Cases Filter, they will see a Case Queue Filter popup, which displays the following sections/fields:
    1. Parameters
    2. Logical Operator
    3. Add Criteria
    4. Save Filter
  4. When a Case is shown as a result, it will appear in the left-side bar.
  5. When a Case is selected, a popout page will appear.
  6. Cases will have an assigned:
    1. Case ID Number
    2. Environment
    3. Tier designation
    4. Date/Time Range
  7. At the top of the Case page, users will also see the following options:
    1. Triage
    2. Chat
    3. Close Case
    4. Case Actions
    5. Close Case
    6. Manage Tags
  8. Each Case will have three views:
    1. Overview
    2. Case Wall
    3. Case Details
  9. To the right of each View are the following options:
    1. Manual Action
    2. Case Tasks
    3. Alert Options (only in Case Details view)
  10. In the Case Overview, users will see a Gemini Summary of the Case, consisting of:
    1. Suggestion
    2. What Actually Happened
    3. The Next Steps You Should Take
  11. There are additional sections below consisting of:
    1. Case Description
    2. Pending Actions
    3. Alerts
    4. Entities Graph
    5. Entities Highlights
    6. Latest Case Wall Activity
    7. Recommendations
    8. Statistics
    9. Comment Section
      • Option to Attach File
  12. The Case Wall view will allow users to view the Case Details:
    1. Actions
    2. Status Changes
    3. Tasks
    4. Comments
    5. Insights
    6. Pinned Chat Messages
    7. Favorites
      • Each Case Detail can be marked as a Favorite.
  13. There are Filter options in Case Wall view:
    1. Alert Type
    2. User
    3. Sort By Date/Time
  14. The Case Details view has four tab options:
    1. Overview
    2. Events
    3. Playbooks
    4. Graph
  15. The Overview tab in Case Details will display information consisting of:
    1. Alert Details
    2. Pending Actions
    3. Entities Highlights
    4. Events
    5. Comment Section
      • Option to Attach File
    6. Events
  16. The Events tab will display a list of Events, consisting of:
    1. Name
    2. Type
    3. Source
    4. Port
    5. Outcome
    6. Time
    7. Option to Configure Event
  17. Under the Events tab, users can also Search for details. These details have sections below that include:
    1. Highlighted Fields
    2. Default
    3. System
    4. Threat
    5. Event
    6. Time
  18. Under the Playbooks tab, users will see the following options:
    1. Refresh
    2. Jump to Case Wall
    3. Add Playbook
  19. To add a Playbook, select Add Playbook; an Add a Playbook popup will appear.
  20. Users can then select a specific Playbook and select Add.
  21. All selected Playbooks will show in the side-bar under Playbooks.
Relevant Documentation Links


Your Workdesk

Google SecOps Workdesk is the first step in taking care of your SOC daily routine. Your Workdesk allows you to manage your cases, collaborate with your team members, and quickly respond to manual actions in the Playbooks.

 


Steps
  1. Users will navigate to the left-side Navigation Bar and then select Your Workdesk.
  2. On the top-left of the Your Workdesk page, users will see several options:
    1. My Cases
    2. Pending Actions
    3. My Tasks
    4. Requests
    5. Workspace
    6. Announcements
  3. Users view Cases in the My Cases tab, through four sections:
    1. Assigned to Me
    2. Assigned to My Role
    3. Mention of Me
    4. Mention of My Role
  4. At the bottom of the My Cases page, users can Refresh the list by selecting Refresh.
  5. Users view Pending Actions in the Pending Actions tab, with five Pending Action ratings:
    1. Critical
    2. High
    3. Medium
    4. Low
    5. Informative
  6. The Pending Actions page also has a Search Function.
  7. At the bottom of the Pending Actions page, users can Refresh the list by selecting Refresh.
  8. Users can view/create their Tasks in the My Tasks tab, with four sections:
    1. Status
    2. Assigned to Me
    3. Assigned to My Role
    4. Created by Me
  9. The My Tasks page also has a Search Function.
  10. At the bottom of the My Tasks page, users can Create a New Task by selecting the Create a New Task button.
  11. In the Create Task popout page, users can fill in the following information:
    1. Title
    2. Task Content
    3. Assign To
    4. Due Date
  12. When users have filled out the Create Task information, select Save.
  13. Users can view/create Requests in the Requests tab, with an option to view Open and Closed Requests.
  14. The Requests page also has a Search function.
  15. To Create a New Request, users can select the Add Request button to the right of the Search field, or select the Create a New Request button at the bottom of the page.
  16. When users have filled out the New Request information, select Save.
  17. The new Request will display on the page after a few minutes.
  18. Users will click the Case ID to see the Case in the Cases page with full details.
  19. After the Request is submitted, the user's approving manager will review the Case and approve or deny the Request.
  20. Under the Workspace tab, on the Workspace page, users can view/create the following four sections:
    1. Links
    2. Files
    3. My Contacts
    4. Notes
  21. The Create Link section consists of:
    1. URL Address
    2. Link Description
  22. When complete, users will select Save.
  23. The Create File section consists of:
    1. File Address
    2. File Description
  24. When complete, users will select Save.
  25. The Create Contact section consists of:
    1. Contact Name
    2. Phone Number
    3. Contact Email
    4. Contact Description
  26. When complete, users will select Save.
  27. The Create Note section consists of:
    1. Note Title
    2. Note Content
  28. When complete, users will select Save.
  29. Notes can be searched for through the Search field.
  30. The Notes section also has a Default Note template, that can be Deleted or Edited.
  31. Users can view/create their Announcements in the Announcements tab.
  32. The Announcements page also has a Search Function.
  33. To Create a New Announcement, users can select the Add Announcement button to the right of the Search field, or select the Create a New Announcement button at the bottom of the page.
Relevant Documentation Links

 

 

Next Step: Security Operations: Step 5 - Respond 

Previous Step: Security Operations: Step 4.1 - Investigate | Investigation