- Resource: Case
- CaseType
- CaseStatus
- WorkflowStatus
- CaseTag
- CaseProduct
- CaseClosureDetails
- CloseReason
- CaseClosedAction
- MoveEnvironment
- Methods
Resource: Case
A Case represents a security investigation in SecOps. Cases group related alerts and provide a central location for analysts to document their findings, track progress, and collaborate on resolving security incidents.
| JSON representation |
|---|
| `{ "name": string, "creatorUserId": string, "creatorUser": string, "lastModifyingUserId": string, "lastModifyingUser": string, "createTime": string, "updateTime": string, "displayName": string, "alertCount": integer, "stage": string, "priority": enum (` |

| Field | Description |
|---|---|
| `name` | Identifier. The unique name (ID) of the Case. Format: `projects/{project}/locations/{location}/instances/{instance}/cases/{case}` |
| `creatorUserId` | Output only. ID of the user who created the case. Used by the homepage/requests feature. |
| `creatorUser` | Output only. Resource association for the creator. |
| `lastModifyingUserId` | Output only. ID of the last user who modified the case. Replaces the old property name `LastModifyingUser`. |
| `lastModifyingUser` | Output only. Resource association for the last modifying user. |
| `createTime` | Output only. The creation time of the record, in milliseconds. |
| `updateTime` | Output only. The last modification time of the record, in milliseconds. |
| `displayName` | Required. Case title, limited to 200 characters. Replaces the old property `Title`. |
| `alertCount` | Output only. Number of alerts in the case. |
| `stage` | Required. The stage of the Case, for example "Triage", "Incident" or "Investigation". Stages are defined in `chronicle.googleapis.com/CaseStageDefinition`. The default stage is "Triage". |
| `priority` | Required. Case priority, for example "Informative", "Low", "Medium", "High" or "Critical". The default value is HIGH. |
| `assignee` | Optional. Either a user or a @SocRole. The default is the default SOC role defined in Settings. |
| `assignedUser` | Output only. Resource association for the assignee. |
| `description` | Optional. Case description, limited to 1000 characters. |
| `type` | Required. Case type. |
| `environment` | Required. The logical environments of the case. |
| `status` | Output only. Case data status. |
| `score` | Optional. Attack exposure score indicating how risky the case is. |
| `workflowStatus` | Output only. Case playbook status. |
| `sla` | Optional. SLA for the case. |
| `alertsSla` | Optional. Aggregated SLA of the case's alerts (each alert has its own SLA). |
| `source` | Output only. The source that created the case. Possible values: "Server", "User", "Simulated", "Merge", "AlertMove". |
| `tags[]` | Optional. CaseTags associated with the case. |
| `products[]` | Optional. Products associated with the case. Contains the product name (e.g. `WinEventLog:Security/DLP_Product`). Replaces the old property "Product". |
| `closureDetails` | Optional. Case closure details. |
| `tasks[]` | Output only. Tasks associated with the case. |
| `moveEnvironment` | Optional. Case environment move details. |
| `dataAccessScopes[]` | Output only. Data access scopes. |
| `important` | Optional. Additional way to mark the case as important. The default is false. |
| `incident` | Optional. Additional way to mark the case as an incident. The default is false. |
| `overflowCase` | Output only. A case without events that was reduced by the connector service because of a large amount of data. During ingestion, if the "alert package" crosses a specific threshold, the alert is trimmed for security reasons (for example, to limit the impact of DDoS attacks). |
| `involvedSuspiciousEntity` | Optional. Whether the case involves a suspicious entity. |
CaseType
Case type.

| Enum | Description |
|---|---|
| `CASE_TYPE_UNSPECIFIED` | Unspecified case type. |
| `EXTERNAL` | Case created from alerts of an external SIEM. |
| `TEST` | Case created from simulated alerts for testing. |
| `REQUEST` | Case created internally through the Homepage feature. |
CaseStatus
Case status.

| Enum | Description |
|---|---|
| `CASE_DATA_STATE_UNSPECIFIED` | Unspecified case data status. |
| `OPENED` | The case is open. |
| `CLOSED` | The case is closed. |
| `ALL` | All case data statuses. |
| `MERGED` | The case has been merged. |
| `CREATION_PENDING` | Creation of the case is pending. |
WorkflowStatus
Workflow status.

| Enum | Description |
|---|---|
| `WORKFLOW_STATUS_UNSPECIFIED` | Unspecified workflow status. |
| `NONE` | No workflow. |
| `IN_PROGRESS` | The workflow is running. |
| `COMPLETED` | The workflow has completed. |
| `FAILED` | The workflow has failed. |
| `TERMINATED` | The workflow was terminated. |
| `PENDING_IN_QUEUE` | The workflow is pending in the queue. |
| `PENDING_FOR_USER` | The workflow is waiting for the user. |
CaseTag
CaseTag associated with the case.

| JSON representation |
|---|
| `{ "displayName": string, "alert": string, "priority": integer }` |

| Field | Description |
|---|---|
| `displayName` | Output only. The name of the tag. |
| `alert` | Output only. For tags set by a playbook action; relevant during MoveAlert. Replaces the old property "Indicator". |
| `priority` | Output only. During ingestion, if more than one tag matches the criteria, the one with priority is chosen. Available values: 1-5. |
CaseProduct
Product associated with the case.

| JSON representation |
|---|
| `{ "displayName": string, "alert": string }` |

| Field | Description |
|---|---|
| `displayName` | Output only. Display name of the product. |
| `alert` | Output only. Replaces the old property "AlertIdentifier". |
CaseClosureDetails
Case closure details.

| JSON representation |
|---|
| `{ "reason": enum (` |

| Field | Description |
|---|---|
| `reason` | Output only. Case closure reason. |
| `rootCause` | Output only. Case closure root cause. |
| `caseClosedAction` | Output only. Case closed action. |
| `comment` | Output only. Case closure comment. |
CloseReason
Case closure reason.

| Enum | Description |
|---|---|
| `CLOSE_REASON_UNSPECIFIED` | Unspecified close reason. |
| `MALICIOUS` | The case is malicious. |
| `NOT_MALICIOUS` | The case is not malicious. |
| `MAINTENANCE` | The case is maintenance-related. |
| `INCONCLUSIVE` | The case is inconclusive. |
| `UNKNOWN` | The closure reason is unknown. |
CaseClosedAction
Case closed action.

| Enum | Description |
|---|---|
| `CASE_CLOSED_ACTION_UNSPECIFIED` | Unspecified case closed action. |
| `AUTOMATIC` | The case was closed automatically. |
| `MANUALLY` | The case was closed manually. |
MoveEnvironment
Case environment move details.

| JSON representation |
|---|
| `{ "shouldDeleteOldCase": boolean }` |

| Field | Description |
|---|---|
| `shouldDeleteOldCase` | Optional. Whether the case should be deleted when it is moved to the new environment. |
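As an added example that is not part of this API reference, the following Python applies the constraints the Case, CaseTag, CaseType, CloseReason and CaseClosedAction definitions above state (required fields, the 200- and 1000-character limits, the enum values, the 1-5 tag priority) to a constructed Case payload, and strips the Output-only fields before a create or update. The sample case values are constructed, not real data.

```python
from typing import Any

# Limits, required fields and enum values as stated in the Case reference.
DISPLAY_NAME_MAX = 200
DESCRIPTION_MAX = 1000
REQUIRED = ("displayName", "stage", "priority", "type", "environment")
CASE_TYPES = {"CASE_TYPE_UNSPECIFIED", "EXTERNAL", "TEST", "REQUEST"}
CLOSE_REASONS = {"CLOSE_REASON_UNSPECIFIED", "MALICIOUS", "NOT_MALICIOUS",
                 "MAINTENANCE", "INCONCLUSIVE", "UNKNOWN"}
CLOSED_ACTIONS = {"CASE_CLOSED_ACTION_UNSPECIFIED", "AUTOMATIC", "MANUALLY"}
# Fields the reference marks "Output only": the server sets these, so a
# client should not send them in a create or update body.
OUTPUT_ONLY = frozenset({
    "creatorUserId", "creatorUser", "lastModifyingUserId", "lastModifyingUser",
    "createTime", "updateTime", "alertCount", "assignedUser", "status",
    "workflowStatus", "source", "tasks", "dataAccessScopes", "overflowCase"})


def check_case(case: dict[str, Any]) -> list[str]:
    """Return violations of the documented constraints; empty means clean."""
    problems = [f"missing required field {f}" for f in REQUIRED if f not in case]
    if len(case.get("displayName", "")) > DISPLAY_NAME_MAX:
        problems.append(f"displayName exceeds {DISPLAY_NAME_MAX} characters")
    if len(case.get("description", "")) > DESCRIPTION_MAX:
        problems.append(f"description exceeds {DESCRIPTION_MAX} characters")
    if "type" in case and case["type"] not in CASE_TYPES:
        problems.append(f"unknown type {case['type']!r}")
    for i, tag in enumerate(case.get("tags", [])):
        if not 1 <= tag.get("priority", 1) <= 5:   # CaseTag.priority is 1-5
            problems.append(f"tags[{i}].priority outside 1-5")
    closure = case.get("closureDetails") or {}
    reason = closure.get("reason", "CLOSE_REASON_UNSPECIFIED")
    action = closure.get("caseClosedAction", "CASE_CLOSED_ACTION_UNSPECIFIED")
    if reason not in CLOSE_REASONS:
        problems.append(f"unknown closure reason {reason!r}")
    if action not in CLOSED_ACTIONS:
        problems.append(f"unknown caseClosedAction {action!r}")
    return problems


def write_body(case: dict[str, Any]) -> dict[str, Any]:
    """Drop Output-only fields so a write body holds only client-settable data."""
    return {k: v for k, v in case.items() if k not in OUTPUT_ONLY}


# Constructed sample payload (not real data) with two deliberate mistakes.
SAMPLE_CASE = {
    "displayName": "Suspicious PowerShell on workstation", "stage": "Triage",
    "priority": "HIGH", "type": "EXTERNAL", "environment": "Default Environment",
    "description": "x" * 1001,                             # over 1000 chars
    "tags": [{"displayName": "phishing", "priority": 7}],  # outside 1-5
    "alertCount": 3,                                       # output only
}
```

Running `check_case(SAMPLE_CASE)` reports the over-long description and the out-of-range tag priority; `write_body(SAMPLE_CASE)` drops `alertCount` and leaves the client-settable fields intact.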
Methods

- Adds a tag to a Case.
- Adds an insight to a Case.
- Adds a tag to multiple cases in a single operation.
- Assigns multiple cases to a specific analyst or SOC role in bulk.
- Changes the priority level for multiple cases in bulk.
- Updates the case stage for multiple cases in bulk.
- Closes multiple cases in a single operation.
- Reopens multiple previously closed cases in a single operation.
- Generates a report for a Case in a specified format (e.g., PDF, HTML).
- Gets a single Case by its resource name.
- Retrieves the case view metadata.
- Lists Cases in an instance.
- Merges one or more cases into a single destination case.
- Updates an existing Case.
- Pauses the Service Level Agreement (SLA) timer for a specific Case.
- Removes a tag from a Case.
- Resolves updated data for a specific case overview widget.
- Resumes a previously paused SLA timer for a Case.

