A Case in Google Security Operations SOAR is the core entity that represents a specific instance
of related alerts. It includes all details about the case lifecycle, assignments,
status, priority, associated activities, and resources.

| Field name | Type | Description |
| --- | --- | --- |
| name | string | Unique identifier (GUID) for a SOAR case. |
| display_name | string | Display name of the SOAR case. |
| description | string | Description of the SOAR case. |
| stage | string | Current stage or phase of the SOAR case workflow. Supports a limited set of values; custom values are also allowed. |
| | | Metadata and associated entities of alerts linked to the SOAR case. |

CaseStatus enum
```
// Unspecified SOAR case data status.
SOAR_CASE_DATA_STATUS_UNSPECIFIED = 0;
// The SOAR case is opened.
OPENED = 1;
// The SOAR case is closed.
CLOSED = 2;
// The SOAR case is all.
ALL = 3;
// The SOAR case is merged.
MERGED = 4;
// The SOAR case is pending creation.
CREATION_PENDING = 5;
```
CaseType enum
```
// The SOAR case type is unspecified.
SOAR_CASE_TYPE_UNSPECIFIED = 0;
// Case created based on alerts from an external SIEM.
EXTERNAL = 1;
// Case created based on simulated alerts used for testing.
TEST = 2;
// Case created internally through the Homepage feature.
REQUEST = 3;
```
SOARUser

| Field name | Type | Description |
| --- | --- | --- |
| name | string | Unique identifier (ID) of the SOAR user. |
| given_name | string | First name of the user. |
| family_name | string | Last name of the user. |
| email | string | Email address of the user. |
| last_login_time | google.protobuf.Timestamp | Timestamp of the user's most recent login. |
| environments | string | Logical environments the user belongs to. |
| deleted | boolean | Indicates whether the user account is deleted. |
| soc_roles | string | Roles assigned to the user within the Security Operations Center (SOC) team. |

```
// The SOAR case close reason is unspecified.
SOAR_CASE_CLOSE_REASON_UNSPECIFIED = 0;
// The SOAR case close reason is malicious.
MALICIOUS = 1;
// The SOAR case close reason is not malicious.
NOT_MALICIOUS = 2;
// The SOAR case close reason is under maintenance.
MAINTENANCE = 3;
// The SOAR case close reason is inconclusive.
INCONCLUSIVE = 4;
```
SOARCaseClosedAction enum
```
// The SOAR case closed action is unspecified.
SOAR_CASE_CLOSED_ACTION_UNSPECIFIED = 0;
// The SOAR case was closed automatically.
AUTOMATIC = 1;
// The SOAR case was closed manually.
MANUALLY = 2;
```
```
// The SOAR case wall activity type is unspecified.
SOAR_WALL_ACTIVITY_TYPE_UNSPECIFIED = 0;
// The SOAR case wall activity type is alert data.
CASE_ALERT_DATA = 1;
// The SOAR case wall activity type is SOAR case status change.
CASE_STATUS_CHANGE = 2;
// The SOAR case wall activity type is SOAR case task creation or update.
CASE_TASK = 3;
// The SOAR case wall activity type is SOAR case action.
CASE_ACTION = 4;
// The SOAR case wall activity type is SOAR case evidence.
CASE_EVIDENCE = 5;
// The SOAR case wall activity type is SOAR case comment.
CASE_COMMENT = 6;
// The SOAR case wall activity type is SOAR case insight.
CASE_INSIGHT = 7;
// The SOAR case wall activity type is SOAR case creation.
CASE_CREATION = 8;
// The SOAR case wall activity type is SOAR case external channel message.
CASE_EXTERNAL_CHANNEL_MESSAGE = 9;
// The SOAR case wall activity type is pinned SOAR case chat message.
PINNED_CASE_CHAT_MESSAGE = 10;
// The SOAR case wall activity type is SOAR case link.
CASE_LINK = 11;
```
Repeated collection of entities involved in the alert.
SOARInvolvedEntities

| Field name | Type | Description |
| --- | --- | --- |
| name | string | Unique name for the involved entity. |
| identifier | string | Identifier of the entity. |
| type | string | Type of the entity, such as HOSTNAME, USB, PROCESS, or ADDRESS. |
| suspicious | boolean | Indicates whether the entity is considered suspicious. |
| internal | boolean | Indicates whether the entity is internal. This setting is configured in the application's settings, and any entity type can be designated as internal. |
| threat_source | string | Threat source associated with the entity. |
| operating_system | string | Operating system related to the entity. |
| network_name | string | Network name associated with the entity. |
| network_priority | integer | Network priority associated with the entity. |
| attacker | boolean | Indicates whether the entity represents an attacker. |
| pivot | boolean | Indicates whether the entity is a pivot. Pivot entities are common across multiple SOAR cases and appear connected to other entities by a dotted line in the case graph. |
| environment | string | Environment the entity belongs to, derived from the associated SOAR case and alert. |
| manually_created | boolean | Indicates whether the entity was created manually by a user or automatically during ingestion. |
| additional_properties | string | Stores additional properties in JSON format. |
| source_system_uri | string | Link to the source system where the entity originated. |
| enriched | boolean | Indicates whether the entity has been enriched with data from external sources. |
| artifact | boolean | Describes whether the entity is an artifact. |
| vulnerable | boolean | Indicates whether the entity is considered vulnerable. |
| entity_uri | string | Full URL of the entity, constructed using source_system_uri and entity data. This field is optional if source_system_uri is not defined. |
| fields | SOARContextGroup | List of context group items calculated from the entity's properties, including display_name, highlighted, hidden, and items.name. |
| case_metadata | CaseMetadata | Metadata resolution: case_id and response_platform_type. |

Playbook
Playbooks are a core component of the Case Management System. They provide a
structured and automated approach to incident response and SOAR case resolution.
Each playbook contains a set of predefined steps or actions executed in a specific
order when triggered by an event or condition.

| Field name | Type | Description |
| --- | --- | --- |
| name | string | Unique identifier (GUID) of the SOAR playbook instance run. |

```
// The playbook status is unspecified.
STATE_UNSPECIFIED = 0;
// The playbook is currently running.
IN_PROGRESS = 1;
// The playbook has been completed successfully.
COMPLETED = 2;
// The playbook execution has failed.
FAILED = 3;
// The playbook was manually or system-terminated.
TERMINATED = 7;
// The playbook has no associated status.
NONE = 8;
// The playbook is pending in the queue.
PENDING_IN_QUEUE = 9;
// The playbook is pending for user input.
PENDING_FOR_USER = 10;
```
SOARPlaybookDefinition

| Field name | Type | Description |
| --- | --- | --- |
| name | string | Unique identifier (GUID) of the SOAR playbook definition. |
| display_name | string | Human-readable name for the playbook definition. |
| description | string | Description of the playbook's purpose or functionality. |
| enabled | boolean | Indicates whether the playbook definition is enabled. |
| archived | boolean | Indicates whether the playbook definition is archived and no longer in use. |
| automatic | boolean | Indicates whether the playbook is triggered automatically or manually. |
| environments | string | Applicable environments for the playbook definition. |
| version | double | Version number of the playbook definition. |
| priority | int | Priority level assigned to the playbook, if applicable. |
| type | enum | Type of the SOAR playbook. Possible values include: PLAYBOOK_TYPE_UNSPECIFIED (unspecified), REGULAR, and NESTED. |
| debug_mode | boolean | Indicates whether the playbook definition is in debug mode. |
| template_name | string | Name of the template the playbook is based on, if applicable. |
| | | User who created the current version of the playbook definition. |
| version_comment | string | Comment associated with the current version of the playbook. |

SOARAction

| Field name | Type | Description |
| --- | --- | --- |
| name | string | Unique identifier (GUID) for the SOAR action. |
| integration | string | Integration used to execute this action. |
| action | string | Name of the action. |
| status | enum | Current status of the action. |
| result_message | string | Details about the action's outcome or any errors. |
| result_value | string | Actual result value produced by the action. |
| automatic | boolean | Indicates whether the action is executed automatically or manually. |
| create_time | google.protobuf.Timestamp | Timestamp when the action was created. |
| step_id | string | Identifier of the step associated with this action. |
| step | string | Name of the step associated with this action. |
| entity_id | string | Identifier of the entity associated with this action. |
| instance | string | Name of the instance associated with this action. |
| execution_time_ms | google.protobuf.Duration | Time taken to execute the action, in milliseconds. |

Case history
The CaseHistory resource captures a comprehensive audit trail of events and
actions throughout a SOAR case's lifecycle. It records changes to a case's state, assignments, priority, and other key attributes.
This detailed log is essential for understanding SOAR case progression, identifying
trends, and enabling effective analysis and reporting.

| Field name | Type | Description |
| --- | --- | --- |
| name | string | Unique identifier (GUID) for the SOAR action. |
| case_response_platform_info | message | Information about the SOAR case response platform, including the SOAR case ID and type. |
| | | Type of Service Level Agreement (SLA) that was exceeded, if any. |

SOARCaseHistoryActivity enum
```
SOAR_CASE_HISTORY_ACTIVITY_TYPE_UNSPECIFIED = 0;
// The SOAR case stage was changed.
STAGE_CHANGE = 1;
// The SOAR case assignee was changed.
ASSIGNEE_CHANGE = 2;
// The SOAR case was created.
CREATE_CASE = 3;
// The SOAR case priority was changed.
PRIORITY_CHANGE = 4;
// The SOAR case was closed.
CLOSE_CASE = 5;
// The SOAR case was reopened.
REOPEN_CASE = 6;
// The SOAR case was marked as an incident.
MARK_INCIDENT = 7;
// The SOAR case was marked as important.
MARK_IMPORTANT = 8;
// The SOAR case exceeded its SLA.
EXCEEDED_SLA = 9;
```
SLATypeExceeded enum
```
// The SLA type is unspecified.
SOAR_CASE_HISTORY_SLA_TYPE_UNSPECIFIED = 0;
// The case exceeded its overall SLA.
CASE_SLA = 1;
// The case exceeded the SLA for an associated alert.
ALERT_SLA = 2;
// The case exceeded the SLA for its current stage.
STAGE_SLA = 3;
```
Last updated 2025-05-21 UTC.