# Use Google SecOps with BloodHound Enterprise

> Learn how to investigate BloodHound Enterprise findings in Google SecOps by using cases, alerts, events, playbooks, and actions.

<img noZoom src="https://mintcdn.com/specterops-bp-2735-release-notes/2djt2Sp9UeFPjBFr/assets/enterprise-edition-pill-tag.svg?fit=max&auto=format&n=2djt2Sp9UeFPjBFr&q=85&s=f1e5b5b68b628fd10faf78983d19efbf" alt="Applies to BloodHound Enterprise only" width="225" height="45" data-path="assets/enterprise-edition-pill-tag.svg" />

After you complete the [installation and configuration](/integrations/google-secops/configure), Google SecOps begins receiving BloodHound Enterprise Attack Path data through the connector. This page explains how that data is organized and how analysts can work with it during an investigation.

## Understand the investigation structure

The integration organizes BloodHound Enterprise findings into Google SecOps cases, alerts, and events.

| Object    | Purpose                                                                                                                                                               |
| --------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Case**  | Groups related BloodHound Enterprise findings for investigation. With alert grouping configured, Google SecOps groups related alerts into one case per source domain. |
| **Alert** | Represents a unique BloodHound Enterprise finding or path title within a case.                                                                                        |
| **Event** | Captures an individual Attack Path occurrence and its supporting details, such as the involved nodes and object IDs.                                                  |
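
The following sketch models the hierarchy in the table so you can see how many cases, alerts, and events a set of findings produces. It is an added example, not code from the integration. The field names (`domain`, `path_title`, `object_ids`) and all sample values are assumptions made for illustration, not the connector's schema.

```python
from collections import defaultdict

# Constructed sample findings. The field names (domain, path_title, object_ids)
# and all values are assumptions for illustration, not the connector's schema.
FINDINGS = [
    {"domain": "CORP.EXAMPLE", "path_title": "Path title A",
     "object_ids": ["S-1-5-21-0-0-0-1104", "S-1-5-21-0-0-0-512"]},
    {"domain": "CORP.EXAMPLE", "path_title": "Path title A",
     "object_ids": ["S-1-5-21-0-0-0-1105", "S-1-5-21-0-0-0-512"]},
    {"domain": "CORP.EXAMPLE", "path_title": "Path title B",
     "object_ids": ["S-1-5-21-0-0-0-2001", "S-1-5-21-0-0-0-512"]},
    {"domain": "LAB.EXAMPLE", "path_title": "Path title A",
     "object_ids": ["S-1-5-21-9-9-9-3001", "S-1-5-21-9-9-9-512"]},
]


def build_cases(findings):
    """One case per source domain, one alert per distinct path title in that
    case, one event per Attack Path occurrence."""
    cases = defaultdict(lambda: defaultdict(list))
    for finding in findings:
        event = {"object_ids": list(finding["object_ids"])}
        cases[finding["domain"]][finding["path_title"]].append(event)
    return {domain: dict(alerts) for domain, alerts in cases.items()}


def summarize(cases):
    """Return (domain, alert_count, event_count) rows, largest case first."""
    rows = [
        (domain, len(alerts), sum(len(events) for events in alerts.values()))
        for domain, alerts in cases.items()
    ]
    return sorted(rows, key=lambda row: (-row[2], row[0]))


def recurring_objects(cases, domain):
    """Object IDs that show up under more than one alert in a domain's case."""
    titles_by_object = defaultdict(set)
    for title, events in cases.get(domain, {}).items():
        for event in events:
            for object_id in event["object_ids"]:
                titles_by_object[object_id].add(title)
    return sorted(o for o, titles in titles_by_object.items() if len(titles) > 1)


if __name__ == "__main__":
    grouped = build_cases(FINDINGS)
    for row in summarize(grouped):
        print(row)
    print(recurring_objects(grouped, "CORP.EXAMPLE"))
```

In this constructed data, four occurrences become two cases, three alerts, and four events, and one object ID appears under both alerts of the `CORP.EXAMPLE` case.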

## Review cases, alerts, and events

Use the following workflow to inspect the findings created by the connector.

<Steps>
  <Step title="Open the Cases page">
    With alert grouping configured, a case is created for each unique domain. The case contains alerts for each distinct BloodHound Enterprise finding or path title, and the events under those alerts capture the details of each Attack Path occurrence.

    1. Open your Google SecOps dashboard.

    2. Select **Cases** from the navigation menu.

    3. Review the list of cases created by the BloodHound Enterprise connector.
  </Step>

  <Step title="Inspect alerts in a case">
    Each alert corresponds to a distinct BloodHound Enterprise finding or path title.

    1. Open a case for the domain that you want to investigate.

    2. Review the alerts in that case.

           <Frame>
             <img src="https://mintcdn.com/specterops-bp-2735-release-notes/JRxjxGtPjT-Lu7sy/images/integrations/google-secops/fig-4-2-case-alerts.png?fit=max&auto=format&n=JRxjxGtPjT-Lu7sy&q=85&s=740ae0f96572c7e00a4fe49fcee1a6c2" alt="Google SecOps case showing alerts generated from BloodHound Enterprise findings." width="2048" height="223" data-path="images/integrations/google-secops/fig-4-2-case-alerts.png" />
           </Frame>
  </Step>

  <Step title="Inspect events in an alert">
    Event details include the step-by-step path traversal and identifiers such as `object_id`.

    1. Open an alert in the case.

    2. Review the events listed under that alert.

           <Frame>
             <img src="https://mintcdn.com/specterops-bp-2735-release-notes/JRxjxGtPjT-Lu7sy/images/integrations/google-secops/fig-4-3-alert-events.png?fit=max&auto=format&n=JRxjxGtPjT-Lu7sy&q=85&s=3d3ff41c84dec4e7d7684fe3be016db4" alt="Google SecOps alert showing the events generated for a BloodHound Enterprise finding." width="2048" height="453" data-path="images/integrations/google-secops/fig-4-3-alert-events.png" />
           </Frame>

    3. Double-click an event to open the full Attack Path details.

           <Frame>
             <img src="https://mintcdn.com/specterops-bp-2735-release-notes/JRxjxGtPjT-Lu7sy/images/integrations/google-secops/fig-4-4-event-details.png?fit=max&auto=format&n=JRxjxGtPjT-Lu7sy&q=85&s=b0431fcfd2ef426927c9d986f6e05c06" alt="Google SecOps event details view showing Attack Path traversal data." width="2048" height="1122" data-path="images/integrations/google-secops/fig-4-4-event-details.png" />
           </Frame>
  </Step>
</Steps>

## Work with playbooks

The **BloodHound Attack Path Alerts Playbook** can run against generated cases. You can also create your own playbook if you want to extend the workflow in Google SecOps.

<Frame>
  <img src="https://mintcdn.com/specterops-bp-2735-release-notes/JRxjxGtPjT-Lu7sy/images/integrations/google-secops/fig-5-1-playbook-tab.png?fit=max&auto=format&n=JRxjxGtPjT-Lu7sy&q=85&s=35283db4f7c19a23bb27f3d6b752287a" alt="Google SecOps playbook tab for a generated BloodHound Enterprise case." width="2048" height="1012" data-path="images/integrations/google-secops/fig-5-1-playbook-tab.png" />
</Frame>

<Steps>
  <Step title="Create a custom playbook">
    1. Go to **Response** > **Playbooks**.

    2. Click the add (**+**) icon.

           <Frame>
             <img src="https://mintcdn.com/specterops-bp-2735-release-notes/JRxjxGtPjT-Lu7sy/images/integrations/google-secops/fig-6-1-create-playbook.png?fit=max&auto=format&n=JRxjxGtPjT-Lu7sy&q=85&s=97aede4f795df992d2a91bb37692f93e" alt="Google SecOps Playbooks page showing the add icon." width="363" height="318" data-path="images/integrations/google-secops/fig-6-1-create-playbook.png" />
           </Frame>

    3. Select **Playbook** as the type and click **Create**.

           <Frame>
             <img src="https://mintcdn.com/specterops-bp-2735-release-notes/JRxjxGtPjT-Lu7sy/images/integrations/google-secops/fig-6-2-select-playbook-type.png?fit=max&auto=format&n=JRxjxGtPjT-Lu7sy&q=85&s=6cba5917e1736a2367221419a721047d" alt="Google SecOps dialog for selecting Playbook as the item type." width="506" height="356" data-path="images/integrations/google-secops/fig-6-2-select-playbook-type.png" />
           </Frame>

    4. Build the custom playbook by adding components from **Actions**, **Triggers**, **Blocks**, and **Flows**.

           <Frame>
             <img src="https://mintcdn.com/specterops-bp-2735-release-notes/JRxjxGtPjT-Lu7sy/images/integrations/google-secops/fig-6-4-playbook-components.png?fit=max&auto=format&n=JRxjxGtPjT-Lu7sy&q=85&s=9610344a76c6cd48e05d51117369d545" alt="Google SecOps playbook editor showing available actions, triggers, blocks, and flows." width="326" height="685" data-path="images/integrations/google-secops/fig-6-4-playbook-components.png" />
           </Frame>
  </Step>

  <Step title="Review playbook results">
    After Google SecOps creates the cases, one playbook runs for each case.

    The following example shows the consolidated playbook results for one case.

    <Frame>
      <img src="https://mintcdn.com/specterops-bp-2735-release-notes/JRxjxGtPjT-Lu7sy/images/integrations/google-secops/fig-6-5-playbook-results.png?fit=max&auto=format&n=JRxjxGtPjT-Lu7sy&q=85&s=7724845f711b93867ad4ca754cc84d70" alt="Playbook results for a generated BloodHound Enterprise case in Google SecOps." width="1727" height="902" data-path="images/integrations/google-secops/fig-6-5-playbook-results.png" />
    </Frame>
  </Step>
</Steps>

## Run BloodHound Enterprise actions

The integration includes on-demand actions that help analysts enrich investigations with data from BloodHound Enterprise.

| Action                  | Description                                                                                           |
| ----------------------- | ----------------------------------------------------------------------------------------------------- |
| **Ping**                | Verifies connectivity to the BloodHound Enterprise server.                                            |
| **Get Object Id**       | Retrieves the object ID for a named node, such as a user, group, or computer.                         |
| **Does Path Exist**     | Checks whether a shortest path exists between two specified nodes in the BloodHound Enterprise graph. |
| **Fetch Assets**        | Retrieves detailed information about an asset based on its object ID.                                 |
| **Path Does Not Exist** | Logs that no shortest path exists between the specified nodes.                                        |
