Quick Summary

Chronicle SOAR provides a repository of use cases, developed either by Chronicle SOAR or by the community, that can be deployed in your environment. The use cases are available for download from the Marketplace. Each use case bundles everything required for an end-to-end execution of a workflow.


Overview

Use cases are a way for Chronicle SOAR users to share their knowledge by uploading their own use cases to the platform. A use case contains all the items needed to implement a workflow and installs the following:

  • Test case (Simulation Case)
  • Mapping & modelling configuration
  • Integrations
  • Connectors
  • Playbooks

This lets you see what an end-to-end security workflow looks like in Chronicle SOAR, and you can use these items as a starting point for the actual use cases you want to implement.

The Marketplace provides a detailed description of the items in each use case. In addition, there may be a video showing you how to deploy the use case on mock or real data. You will usually be required to configure the integrations included in the use case; note that once an integration is configured with real credentials, the playbook actions that use it run against your real systems, not against mock data.

When everything is set up, you can run the test cases from the Cases screen.

Example: Zero to Hero Use Case

Let’s run the Basic Phishing (Zero to Hero) use case from the Marketplace.

  1. Navigate to the Marketplace.
  2. In the Use Case tab, select the Zero to Hero use case and click Run Use Case.
  3. Before you click through the wizard, we recommend that you take five minutes to watch the video tutorial included in this use case.
  4. When you scroll down this screen, you will see that two email samples have been prepared for you: one malicious and one non-malicious. You can ingest these samples using the Email connector to see how they are handled by the Zero to Hero use case. This screen also lists the items that will be downloaded. Click Next when you are ready.
  5. The Install Use Case items screen lists the integrations, playbooks and simulation cases to be installed. Click Install. When installation is completed, click Next.
  6. Configure the integrations: make sure that all the relevant fields and parameters are defined correctly, and test each integration's connection. When everything is filled in and tested, click Next.
  7. Select the alert for simulation. This automatically simulates the Case. Click Next.
  8. The "Congratulations" screen is displayed. Look through the options offered and navigate to the Cases screen. Continue to Step 12.
  9. If you did not select the alert for simulation in the wizard, navigate to the Cases screen, click the + sign above the cases queue and select Simulate Cases.
  10. Select the Zero to Hero case and click Create.
  11. Make sure to select the default environment and click Simulate.
  12. Click Refresh. A new case appears in Chronicle SOAR, with the use case's playbook attached to the alert inside it.