SOAR data in Dashboards
Cases and alerts
A Case in Google Security Operations SOAR is the core entity that represents a specific instance of related alerts. It includes all details about the case lifecycle, assignments, status, priority, associated activities, and resources.
You can use the sample cases and alerts queries to analyze case and alert data in Google Security Operations.
Field name | Type | Description |
---|---|---|
name | string | Unique identifier (GUID) for a SOAR case. |
display_name | string | Display name of the SOAR case. |
description | string | Description of the SOAR case. |
stage | string | Current stage or phase of the SOAR case workflow. Supports a limited set of values; custom values are also allowed. |
priority | enum | Priority of the SOAR case. |
status | enum | Current status of the SOAR case. |
type | enum | Type of the SOAR case. |
response_platform_info | ResourceResponsePlatformInfo | Information about the response platform, including response_platform_type (SIEMPLIFY) and response_platform_id (case ID). |
environment | string | Environments associated with this SOAR case. |
create_time | google.protobuf.Timestamp | Timestamp of when the SOAR case was created. |
update_time | google.protobuf.Timestamp | Timestamp of the most recent SOAR case update. |
assignee | SOARUser | Username (or role) assigned to the SOAR case. |
creator_user | SOARUser | User who created the SOAR case. |
last_modifying_user | SOARUser | User who last modified the SOAR case. |
important | boolean | Indicates whether the SOAR case is marked as important. |
incident | boolean | Indicates whether the SOAR case is classified as an incident. |
source | string | Source system of the SOAR case. |
score | double | Risk score associated with the SOAR case. |
overflow_case | boolean | Indicates whether the SOAR case is an overflow case (exceeded capacity). |
closure_details | SOARCaseClosureDetails | Details about the SOAR case closure, if applicable. |
tags | SOARCaseTag | Tags associated with the SOAR case. |
tasks | SOARTask | Tasks associated with the SOAR case. |
wall_activities | SOARWallActivity | Wall activities associated with the SOAR case. |
alerts | AlertWithEntities | Metadata and associated entities of alerts linked to the SOAR case. |
CaseStatus enum
```proto
// Unspecified SOAR case data status.
SOAR_CASE_DATA_STATUS_UNSPECIFIED = 0;
// The SOAR case is opened.
OPENED = 1;
// The SOAR case is closed.
CLOSED = 2;
// The SOAR case is all.
ALL = 3;
// The SOAR case is merged.
MERGED = 4;
// The SOAR case is pending creation.
CREATION_PENDING = 5;
```
CaseType enum
```proto
// The SOAR case type is unspecified.
SOAR_CASE_TYPE_UNSPECIFIED = 0;
// Case created based on alerts from an external SIEM.
EXTERNAL = 1;
// Case created based on simulated alerts used for testing.
TEST = 2;
// Case created internally through the Homepage feature.
REQUEST = 3;
```
SOARUser
Field name | Type | Description |
---|---|---|
name | string | Unique identifier (ID) of the SOAR user. |
given_name | string | First name of the SOAR user. |
family_name | string | Last name of the SOAR user. |
email | string | Email address of the SOAR user. |
last_login_time | google.protobuf.Timestamp | Timestamp of the SOAR user's most recent login. |
environments | string | Logical environments the SOAR user belongs to. |
deleted | boolean | Indicates whether the SOAR user account is deleted. |
soc_roles | string | Roles assigned to the SOAR user within the Security Operations Center (SOC) team. |
SOARCaseClosureDetails
Field name | Type | Description |
---|---|---|
reason | enum | Reason for the SOAR case closure. |
root_cause | string | Root cause identified for the SOAR case closure. |
case_closed_action | enum | Action taken to close the SOAR case. |
SOARCaseCloseReason enum
```proto
// The SOAR case close reason is unspecified.
SOAR_CASE_CLOSE_REASON_UNSPECIFIED = 0;
// The SOAR case close reason is malicious.
MALICIOUS = 1;
// The SOAR case close reason is not malicious.
NOT_MALICIOUS = 2;
// The SOAR case close reason is under maintenance.
MAINTENANCE = 3;
// The SOAR case close reason is inconclusive.
INCONCLUSIVE = 4;
```
SOARCaseClosedAction enum
```proto
// The SOAR case closed action is unspecified.
SOAR_CASE_CLOSED_ACTION_UNSPECIFIED = 0;
// The SOAR case was closed automatically.
AUTOMATIC = 1;
// The SOAR case was closed manually.
MANUALLY = 2;
```
SOARCaseTag
Field name | Type | Description |
---|---|---|
name | string | Name of the tag. |
create_time | google.protobuf.Timestamp | Timestamp when the tag was created. |
SOARTask
Field name | Type | Description |
---|---|---|
name | string | Unique identifier for the SOAR task. |
title | string | Title of the task. |
status | enum | Current status of the task. |
author | SOARUser | User who created the task. |
assignee | SOARUser | User assigned to the task. |
resolver | SOARUser | User who resolved the task. |
create_time | google.protobuf.Timestamp | Timestamp when the task was created. |
update_time | google.protobuf.Timestamp | Timestamp of the last update to the task. |
due_time | google.protobuf.Timestamp | Time when the task is due. |
resolution_time | google.protobuf.Timestamp | Time when the task was resolved. |
content | string | Full text content or description of the task. |
favorite | boolean | Indicates whether the task is marked as a favorite. |
Task status enum
```proto
// The task status is unspecified.
SOAR_TASK_STATUS_UNSPECIFIED = 0;
// The task is pending.
PENDING = 1;
// The task is completed.
COMPLETED = 2;
```
SOARWallActivity
Field name | Type | Description |
---|---|---|
name | string | Unique identifier (GUID) for the SOAR case wall activity. |
title | string | Title of the wall activity. |
activity_type | enum | Type of the wall activity. |
activity_data | string | Data associated with the activity. |
create_time | google.protobuf.Timestamp | Timestamp when the activity was created. |
creator | SOARUser | User who created the activity. |
WallActivityType enum
```proto
// The SOAR case wall activity type is unspecified.
SOAR_WALL_ACTIVITY_TYPE_UNSPECIFIED = 0;
// The SOAR case wall activity type is alert data.
CASE_ALERT_DATA = 1;
// The SOAR case wall activity type is SOAR case status change.
CASE_STATUS_CHANGE = 2;
// The SOAR case wall activity type is SOAR case task creation or update.
CASE_TASK = 3;
// The SOAR case wall activity type is SOAR case action.
CASE_ACTION = 4;
// The SOAR case wall activity type is SOAR case evidence.
CASE_EVIDENCE = 5;
// The SOAR case wall activity type is SOAR case comment.
CASE_COMMENT = 6;
// The SOAR case wall activity type is SOAR case insight.
CASE_INSIGHT = 7;
// The SOAR case wall activity type is SOAR case creation.
CASE_CREATION = 8;
// The SOAR case wall activity type is SOAR case external channel message.
CASE_EXTERNAL_CHANNEL_MESSAGE = 9;
// The SOAR case wall activity type is pinned SOAR case chat message.
PINNED_CASE_CHAT_MESSAGE = 10;
// The SOAR case wall activity type is SOAR case link.
CASE_LINK = 11;
```
AlertWithEntities
Field name | Type | Description |
---|---|---|
metadata | Collection proto | Metadata associated with the alert (detection information). |
entities | SOARInvolvedEntity | Repeated collection of entities involved in the alert. |
SOARInvolvedEntities
Field name | Type | Description |
---|---|---|
name | string | Unique name for the involved entity. |
identifier | string | Identifier of the entity. |
type | string | Type of the entity, such as HOSTNAME, USB, PROCESS, or ADDRESS. |
suspicious | boolean | Indicates whether the entity is considered suspicious. |
internal | boolean | Indicates whether the entity is internal. You can configure this setting in the application settings and designate any entity type as internal. |
threat_source | string | Threat source associated with the entity. |
operating_system | string | Operating system related to the entity. |
network_name | string | Network name associated with the entity. |
network_priority | integer | Network priority associated with the entity. |
attacker | boolean | Indicates whether the entity represents an attacker. |
pivot | boolean | Indicates whether the entity is a pivot. Pivot entities are common across multiple SOAR cases and appear connected to other entities by a dotted line in the case graph. |
environment | string | Environment the entity belongs to, derived from the associated SOAR case and alert. |
manually_created | boolean | Indicates whether the entity was created manually by a user or automatically during ingestion. |
additional_properties | string | Stores additional properties in JSON format. |
source_system_uri | string | Link to the source system where the entity originated. |
enriched | boolean | Indicates whether the entity has been enriched with data from external sources. |
artifact | boolean | Describes whether the entity is an artifact. |
vulnerable | boolean | Indicates whether the entity is considered vulnerable. |
entity_uri | string | Full URL of the entity, constructed using source_system_uri and entity data. This field is optional if source_system_uri is not defined. |
fields | SOARContextGroup | List of context group items calculated from the entity's properties, including display_name, highlighted, hidden, and items.name. |
case_metadata | CaseMetadata | Metadata resolution: case_id and response_platform_type. |
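The following is an added example, not code from the page or from Google: it walks case records shaped like the Case, AlertWithEntities and SOARInvolvedEntity schemas above (the same nesting a dashboard query would return) and pulls out what an analyst typically wants first: open cases by priority, entities flagged both internal and attacker (a likely compromised asset), entities shared across cases (the page's pivot notion, recomputed from the data rather than read from the pivot flag), and a closure-reason breakdown that also surfaces CLOSED cases missing closure_details. The records are constructed sample data; the priority labels are placeholders because the page does not list the priority enum values.

```python
"""Added example: summarise constructed SOAR case/alert records."""
from collections import Counter, defaultdict

# Constructed sample cases; field names follow the page's Case schema,
# priority labels are placeholders (the priority enum is not listed above).
CASES = [
    {"name": "case-0001", "status": "OPENED", "priority": "PRIORITY_HIGH",
     "closure_details": None,
     "alerts": [{"metadata": {"detection": "impossible-travel-login"},
                 "entities": [
                     {"identifier": "10.0.0.5", "type": "ADDRESS", "internal": True,
                      "attacker": False, "suspicious": False, "pivot": True},
                     {"identifier": "203.0.113.7", "type": "ADDRESS", "internal": False,
                      "attacker": True, "suspicious": True, "pivot": True}]}]},
    {"name": "case-0002", "status": "CLOSED", "priority": "PRIORITY_MEDIUM",
     "closure_details": {"reason": "MALICIOUS", "case_closed_action": "MANUALLY"},
     "alerts": [{"metadata": {"detection": "lateral-movement"},
                 "entities": [
                     {"identifier": "ws-finance-07", "type": "HOSTNAME", "internal": True,
                      "attacker": True, "suspicious": True, "pivot": False},
                     {"identifier": "10.0.0.5", "type": "ADDRESS", "internal": True,
                      "attacker": False, "suspicious": False, "pivot": True}]}]},
    {"name": "case-0003", "status": "CLOSED", "priority": "PRIORITY_LOW",
     "closure_details": {"reason": "NOT_MALICIOUS", "case_closed_action": "AUTOMATIC"},
     "alerts": [{"metadata": {"detection": "port-scan"},
                 "entities": [
                     {"identifier": "203.0.113.7", "type": "ADDRESS", "internal": False,
                      "attacker": False, "suspicious": True, "pivot": True}]}]},
]


def iter_entities(case):
    """Yield every involved entity across all alerts of one case."""
    for alert in case.get("alerts", []):
        yield from alert.get("entities", [])


def open_cases_by_priority(cases):
    """Count cases whose status is OPENED, keyed by priority."""
    return Counter(c["priority"] for c in cases if c["status"] == "OPENED")


def internal_attackers(cases):
    """(case, identifier) for entities flagged both internal and attacker."""
    return [(case["name"], ent["identifier"])
            for case in cases for ent in iter_entities(case)
            if ent.get("internal") and ent.get("attacker")]


def shared_entities(cases):
    """Identifiers seen in more than one case, mapped to the cases they connect."""
    seen = defaultdict(set)
    for case in cases:
        for ent in iter_entities(case):
            seen[ent["identifier"]].add(case["name"])
    return {ident: names for ident, names in seen.items() if len(names) > 1}


def closure_summary(cases):
    """Closure reasons of CLOSED cases; a CLOSED case with no closure_details
    is counted under MISSING_CLOSURE_DETAILS so the data-quality gap is visible."""
    reasons = Counter()
    for case in cases:
        if case["status"] != "CLOSED":
            continue
        details = case.get("closure_details")
        reasons[details["reason"] if details else "MISSING_CLOSURE_DETAILS"] += 1
    return reasons


if __name__ == "__main__":
    print("open by priority:", dict(open_cases_by_priority(CASES)))
    print("internal attackers:", internal_attackers(CASES))
    print("shared entities:", shared_entities(CASES))
    print("closure reasons:", dict(closure_summary(CASES)))
```

Comparing the recomputed shared_entities output with each entity's pivot flag is a cheap consistency check on the data feeding a dashboard; an identifier that appears in several cases but is not flagged as a pivot is worth a look.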
Playbook
Playbooks are a core component of the Case Management System. They provide a structured and automated approach to incident response and SOAR case resolution.
Each playbook contains a set of predefined steps or actions executed in a specific order when triggered by an event or condition.
You can use the sample playbook queries to get insights into playbook executions.
Field name | Type | Description |
---|---|---|
name | string | Unique identifier (GUID) of the SOAR playbook instance run. |
create_time | google.protobuf.Timestamp | Timestamp when the playbook instance was created. |
start_time | google.protobuf.Timestamp | Timestamp when the playbook execution started. |
end_time | google.protobuf.Timestamp | Timestamp when the playbook execution ended. |
status | enum | Current status of the playbook execution. |
display_name | string | Display name of the playbook instance. |
debug | boolean | Indicates whether the playbook instance is running in debug mode. |
simulated | boolean | Indicates whether the playbook instance is a simulated run. |
block_step_id | string | Block step ID associated with this playbook instance. |
alert | backstory.ResponsePlatformInfo | Alert associated with this playbook run instance. |
case_response_platform_info | message | Metadata of the SOAR case associated with this playbook instance. |
metadata | SOARPlaybookDefinition | Playbook definition associated with this playbook instance. |
action | SOARAction | Actions associated with this playbook instance. |
Playbook run status enum
```proto
// The playbook status is unspecified.
STATE_UNSPECIFIED = 0;
// The playbook is running.
IN_PROGRESS = 1;
// The playbook has been completed successfully.
COMPLETED = 2;
// The playbook execution has failed.
FAILED = 3;
// The playbook was manually or system-terminated.
TERMINATED = 7;
// The playbook has no associated status.
NONE = 8;
// The playbook is pending in the queue.
PENDING_IN_QUEUE = 9;
// The playbook is pending for user input.
PENDING_FOR_USER = 10;
```
SOARPlaybookDefinition
Field name | Type | Description |
---|---|---|
name | string | Unique identifier (GUID) of the SOAR playbook definition. |
display_name | string | Human-readable name for the playbook definition. |
description | string | Description of the playbook's purpose or functionality. |
enabled | boolean | Indicates whether the playbook definition is enabled. |
archived | boolean | Indicates whether the playbook definition is archived and no longer in use. |
automatic | boolean | Indicates whether the playbook is triggered automatically or manually. |
environments | string | Applicable environments for the playbook definition. |
version | double | Version number of the playbook definition. |
priority | int | Priority level assigned to the playbook, if applicable. |
type | enum | Type of the SOAR playbook. Possible values include PLAYBOOK_TYPE_UNSPECIFIED (unspecified), REGULAR, and NESTED. |
debug_mode | boolean | Indicates whether the playbook definition is in debug mode. |
template_name | string | Name of the template the playbook is based on, if applicable. |
author | SOARUser | User who created the playbook definition. |
last_editor | SOARUser | User who last edited the playbook definition. |
version_author | SOARUser | User who created the current version of the playbook definition. |
version_comment | string | Comment associated with the current version of the playbook. |
SOARAction
Field name | Type | Description |
---|---|---|
name | string | Unique identifier (GUID) for the SOAR action. |
integration | string | Integration used to execute this action. |
action | string | Name of the action. |
status | enum | Current status of the action. |
result_message | string | Details about the action's outcome or any errors. |
result_value | string | Actual result value produced by the action. |
automatic | boolean | Indicates whether the action is executed automatically or manually. |
create_time | google.protobuf.Timestamp | Timestamp when the action was created. |
step_id | string | Identifier of the step associated with this action. |
step | string | Name of the step associated with this action. |
entity_id | string | Identifier of the entity associated with this action. |
instance | string | Name of the instance associated with this action. |
execution_time_ms | google.protobuf.Duration | Time taken to execute the action, in milliseconds. |
SOARActionStatus
```proto
// The action state is unspecified.
STATE_UNSPECIFIED = 0;
// The action has been terminated.
TERMINATED = 4;
// The action encountered an error.
FAULTED = 5;
// The action is in progress.
ASYNC_PENDING = 6;
// The action completed successfully.
COMPLETED = 7;
// The action is waiting for user input.
PENDING_USER_INPUT = 8;
// The action is waiting for previous steps to complete.
PENDING_PREVIOUS_STEPS = 9;
// The action has started.
STARTED = 10;
// The action faulted and was skipped.
FAULTED_AND_SKIPPED = 11;
// The action timed out and was handled.
HANDLED_TIMEOUT = 12;
// The action timed out and was not handled.
UNHANDLED_TIMEOUT = 13;
// The action did not run and was skipped.
NOT_RUN_AND_SKIPPED = 14;
// The pending action timed out and the playbook was stopped.
PENDING_ACTION_TIMEOUT = 15;
// The pending action timed out and was skipped.
PENDING_ACTION_TIMEOUT_AND_SKIPPED = 16;
```
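The following is an added example, not code from the page or from Google: it takes playbook run records shaped like the Playbook and SOARAction schemas above and answers the questions a SOC lead asks of playbook data: which integrations' actions fail most, how long completed actions take per integration, and which runs are stalled on PENDING_USER_INPUT. The runs and integration names are constructed; the execution_time_ms values use the JSON form of google.protobuf.Duration (for example "1.2s"), which the helper converts to milliseconds. The set of statuses counted as failures is this example's own reading of the SOARActionStatus comments (errors and unhandled timeouts); HANDLED_TIMEOUT and the skipped or not-run states are deliberately left out.

```python
"""Added example: action failure rates and stalled runs from constructed playbook data."""
from collections import Counter, defaultdict

# Statuses this example treats as failures, chosen from the SOARActionStatus
# comments above (errors and unhandled timeouts).
FAILED_ACTION_STATUSES = {
    "FAULTED", "FAULTED_AND_SKIPPED", "UNHANDLED_TIMEOUT",
    "PENDING_ACTION_TIMEOUT", "PENDING_ACTION_TIMEOUT_AND_SKIPPED",
}

# Constructed sample runs; integration names are placeholders.
RUNS = [
    {"name": "run-1", "display_name": "Phishing triage", "status": "COMPLETED",
     "action": [
         {"integration": "EnrichmentTool", "action": "Enrich Hash",
          "status": "COMPLETED", "execution_time_ms": "1.2s"},
         {"integration": "EnrichmentTool", "action": "Enrich IP",
          "status": "COMPLETED", "execution_time_ms": "0.8s"},
         {"integration": "Ticketing", "action": "Create Ticket",
          "status": "COMPLETED", "execution_time_ms": "3s"}]},
    {"name": "run-2", "display_name": "Phishing triage", "status": "FAILED",
     "action": [
         {"integration": "EnrichmentTool", "action": "Enrich Hash",
          "status": "FAULTED", "execution_time_ms": "0.2s",
          "result_message": "HTTP 429 from enrichment service"},
         {"integration": "Ticketing", "action": "Create Ticket",
          "status": "NOT_RUN_AND_SKIPPED", "execution_time_ms": "0s"}]},
    {"name": "run-3", "display_name": "Host containment", "status": "PENDING_FOR_USER",
     "action": [
         {"integration": "EDR", "action": "Isolate Host",
          "status": "PENDING_USER_INPUT", "execution_time_ms": "0s"}]},
]


def parse_duration_ms(value):
    """Convert a Duration JSON string such as '1.2s' to whole milliseconds."""
    if not value.endswith("s"):
        raise ValueError(f"unexpected Duration form: {value!r}")
    return round(float(value[:-1]) * 1000)


def runs_by_status(runs):
    """Count playbook runs by their run status."""
    return Counter(r["status"] for r in runs)


def action_failure_rate_by_integration(runs):
    """Fraction of actions per integration whose status is a failure."""
    total, failed = Counter(), Counter()
    for run in runs:
        for act in run["action"]:
            total[act["integration"]] += 1
            if act["status"] in FAILED_ACTION_STATUSES:
                failed[act["integration"]] += 1
    return {name: failed[name] / total[name] for name in total}


def mean_completed_ms_by_integration(runs):
    """Mean execution time in milliseconds of COMPLETED actions, per integration."""
    samples = defaultdict(list)
    for run in runs:
        for act in run["action"]:
            if act["status"] == "COMPLETED":
                samples[act["integration"]].append(parse_duration_ms(act["execution_time_ms"]))
    return {name: sum(v) / len(v) for name, v in samples.items()}


def awaiting_analyst(runs):
    """(run name, action name) pairs blocked on PENDING_USER_INPUT."""
    return [(run["name"], act["action"]) for run in runs
            for act in run["action"] if act["status"] == "PENDING_USER_INPUT"]


if __name__ == "__main__":
    print(dict(runs_by_status(RUNS)))
    print(action_failure_rate_by_integration(RUNS))
    print(mean_completed_ms_by_integration(RUNS))
    print(awaiting_analyst(RUNS))
```

Keeping the failure-status set explicit, rather than treating everything other than COMPLETED as a failure, matters for the metric: a NOT_RUN_AND_SKIPPED ticketing step in a run that faulted earlier is a consequence, not a second failure.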
Case history
The CaseHistory resource captures a comprehensive audit trail of events and actions throughout a SOAR case's lifecycle. It records changes to a case's state, assignments, priority, and other key attributes. This detailed log is essential for understanding SOAR case progression, identifying trends, and enabling effective analysis and reporting.
You can use the sample case history queries to view case history by activity count.
Field name | Type | Description |
---|---|---|
name | string | Unique identifier (GUID) for the SOAR action. |
case_response_platform_info | message | Information about the SOAR case response platform, including the SOAR case ID and type. |
case_activity | enum | Type of activity that occurred, such as a stage change, assignee change, or SOAR case creation. |
event_time | google.protobuf.Timestamp | Timestamp of when the event occurred. |
stage | string | New SOAR case stage after the event. |
assignee | SOARUser | New assignee of the SOAR case after the event. |
priority | enum | Priority level of the SOAR case after the event. |
status | enum | Case status after the event. |
important | boolean | Indicates whether the SOAR case is marked as important after the event. |
incident | boolean | Indicates whether the SOAR case is marked as an incident after the event. |
sla_type | enum | Type of Service Level Agreement (SLA) that was exceeded, if any. |
SOARCaseHistoryActivity enum
```proto
// The SOAR case history activity type is unspecified.
SOAR_CASE_HISTORY_ACTIVITY_TYPE_UNSPECIFIED = 0;
// The SOAR case stage was changed.
STAGE_CHANGE = 1;
// The SOAR case assignee was changed.
ASSIGNEE_CHANGE = 2;
// The SOAR case was created.
CREATE_CASE = 3;
// The SOAR case priority was changed.
PRIORITY_CHANGE = 4;
// The SOAR case was closed.
CLOSE_CASE = 5;
// The SOAR case was reopened.
REOPEN_CASE = 6;
// The SOAR case was marked as an incident.
MARK_INCIDENT = 7;
// The SOAR case was marked as important.
MARK_IMPORTANT = 8;
// The SOAR case exceeded its SLA.
EXCEEDED_SLA = 9;
```
SLATypeExceeded enum
```proto
// The SLA type is unspecified.
SOAR_CASE_HISTORY_SLA_TYPE_UNSPECIFIED = 0;
// The case exceeded its overall SLA.
CASE_SLA = 1;
// The case exceeded the SLA for an associated alert.
ALERT_SLA = 2;
// The case exceeded the SLA for its current stage.
STAGE_SLA = 3;
```
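The following is an added example, not code from the page or from Google: it reads CaseHistory records shaped like the table and enums above and derives the reporting the section describes, namely activity counts by type (the view the page's sample query produces), hours from CREATE_CASE to the first CLOSE_CASE per case, SLA breaches grouped by SLATypeExceeded, and the set of reopened cases. The events are constructed; each carries case_response_platform_info with the response_platform_type and response_platform_id fields named in the Case table, and event_time uses the RFC 3339 form of google.protobuf.Timestamp.

```python
"""Added example: case-lifecycle metrics from constructed CaseHistory events."""
from collections import Counter
from datetime import datetime


def _ev(case_id, activity, ts, **extra):
    """Build one constructed CaseHistory event with the page's field names."""
    ev = {"case_response_platform_info": {"response_platform_type": "SIEMPLIFY",
                                          "response_platform_id": case_id},
          "case_activity": activity, "event_time": ts}
    ev.update(extra)
    return ev


# Constructed sample events, deliberately including a reopened case (103).
EVENTS = [
    _ev("101", "CREATE_CASE", "2024-05-01T08:00:00Z"),
    _ev("101", "ASSIGNEE_CHANGE", "2024-05-01T08:05:00Z", assignee={"name": "analyst-a"}),
    _ev("101", "STAGE_CHANGE", "2024-05-01T08:30:00Z", stage="Triage"),
    _ev("101", "EXCEEDED_SLA", "2024-05-01T12:00:00Z", sla_type="STAGE_SLA"),
    _ev("101", "CLOSE_CASE", "2024-05-01T14:00:00Z", status="CLOSED"),
    _ev("102", "CREATE_CASE", "2024-05-02T09:00:00Z"),
    _ev("102", "PRIORITY_CHANGE", "2024-05-02T09:10:00Z"),
    _ev("103", "CREATE_CASE", "2024-05-03T10:00:00Z"),
    _ev("103", "EXCEEDED_SLA", "2024-05-04T10:00:00Z", sla_type="CASE_SLA"),
    _ev("103", "CLOSE_CASE", "2024-05-04T12:00:00Z", status="CLOSED"),
    _ev("103", "REOPEN_CASE", "2024-05-05T09:00:00Z", status="OPENED"),
    _ev("103", "CLOSE_CASE", "2024-05-05T10:00:00Z", status="CLOSED"),
]


def parse_ts(value):
    """Parse the RFC 3339 Timestamp form; 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def case_id(event):
    """The SOAR case ID carried in case_response_platform_info."""
    return event["case_response_platform_info"]["response_platform_id"]


def activity_counts(events):
    """Number of history events per activity type."""
    return Counter(e["case_activity"] for e in events)


def hours_to_first_close(events):
    """Hours from CREATE_CASE to the first CLOSE_CASE per case. Cases that were
    never closed are omitted; later re-closes after a reopen are ignored."""
    created, closed = {}, {}
    for e in sorted(events, key=lambda e: parse_ts(e["event_time"])):
        cid, act = case_id(e), e["case_activity"]
        if act == "CREATE_CASE":
            created.setdefault(cid, parse_ts(e["event_time"]))
        elif act == "CLOSE_CASE" and cid in created:
            closed.setdefault(cid, parse_ts(e["event_time"]))
    return {cid: (closed[cid] - created[cid]).total_seconds() / 3600 for cid in closed}


def sla_breaches_by_type(events):
    """EXCEEDED_SLA events grouped by the SLA type that was breached."""
    return Counter(e.get("sla_type", "SOAR_CASE_HISTORY_SLA_TYPE_UNSPECIFIED")
                   for e in events if e["case_activity"] == "EXCEEDED_SLA")


def reopened_cases(events):
    """Sorted IDs of cases with at least one REOPEN_CASE event."""
    return sorted({case_id(e) for e in events if e["case_activity"] == "REOPEN_CASE"})


if __name__ == "__main__":
    print(dict(activity_counts(EVENTS)))
    print(hours_to_first_close(EVENTS))
    print(dict(sla_breaches_by_type(EVENTS)))
    print(reopened_cases(EVENTS))
```

Sorting by event_time before pairing CREATE_CASE with CLOSE_CASE is what keeps the time-to-close figure honest when events arrive out of order; the reopened-case list is a useful companion metric, since a case closed quickly and reopened later is not really a fast resolution.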