You can manually create a case to enter specific data. This is useful when you
need to ingest information on an alert; for example, information that was reported
from sources that aren't integrated with your detection pipeline (for example,
alerts reported from non-cyber channels).
On theCasespage, clickaddAdd >Create Manual Case.
Enter the following case properties:
Case Title: Enter a title for the new case.
Creation Reason: Enter the reason for creating the case.
Environment: Select the specific environment being
monitored.
Assigned To: Assign the case to a specific role or user.
Priority: Set the priority level for the case.
Mark as Important: Click theMark as importanttoggle on if the case should be flagged as important.
ClickNext.
In theAlertstep, enter the following alert information:
Alert Name: Enter a name for the security alert.
Occurrence Time: In the calendar, select the date and time the alert occurred.
SLA: Specify a date and time by which the SOC team should resolve the case.
ClickNext.
InEntities, select any required existing entities, as follows; you can:
Add an existing entity or create a new one with a corresponding identifier.
Mark an entity as suspicious (this highlights it in red).
ClickNext.
InTags, select any existing tags, create new tags, or leave
blank, according to your needs.
ClickNext.
InPlaybooks, select any relevant playbooks to be attached
to the alerts.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eYou can manually create a case in Google SecOps SOAR to input specific data, such as information from non-cyber sources.\u003c/p\u003e\n"],["\u003cp\u003eCreating a case involves specifying details like the case title, creation reason, environment, assignment, and priority in the initial setup.\u003c/p\u003e\n"],["\u003cp\u003eThe process allows you to input alert information, including the alert name, occurrence time, and service level agreement (SLA).\u003c/p\u003e\n"],["\u003cp\u003eYou can associate existing or new entities with the case and tag them as suspicious or internal network entities.\u003c/p\u003e\n"],["\u003cp\u003eThe final steps include selecting relevant tags and playbooks to be attached to the case and its alerts.\u003c/p\u003e\n"]]],[],null,["# Create a manual case\n====================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nYou can manually create a case to enter specific data. This is useful when you\nneed to ingest information on an alert; for example, information that was reported\nfrom sources that aren't integrated with your detection pipeline (for example,\nalerts reported from non-cyber channels).\n\n1. On the **Cases** page, click add **Add \\\u003e Create Manual Case**.\n2. Enter the following case properties:\n - **Case Title**: Enter a title for the new case.\n - **Creation Reason**: Enter the reason for creating the case.\n - **Environment**: Select the specific environment being monitored.\n - **Assigned To**: Assign the case to a specific role or user.\n - **Priority**: Set the priority level for the case.\n - **Mark as Important** : Click the **Mark as important** toggle on if the case should be flagged as important.\n3. Click **Next**.\n4. In the **Alert** step, enter the following alert information:\n - **Alert Name**: Enter a name for the security alert.\n - **Occurrence Time**: In the calendar, select the date and time the alert occurred.\n - **SLA**: Specify a date and time by which the SOC team should resolve the case.\n5. Click **Next**.\n6. In **Entities**, select any required existing entities, as follows; you can:\n - Add an existing entity or create a new one with a corresponding identifier.\n - Mark an entity as suspicious (this highlights it in red).\n7. Click **Next**.\n8. In **Tags**, select any existing tags, create new tags, or leave blank, according to your needs.\n9. Click **Next**.\n10. In **Playbooks**, select any relevant playbooks to be attached to the alerts.\n11. Click **Finish**.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
