The properties metadata enable you to rewrite how event fields will be
presented and under what category they appear such as case overview –
event fields and entity screen – enrichment fields. So for example, I
can create a properties metadata in the platform so that all the events or
enrichments fields that start with the VT_ prefix will be grouped under the
VirusTotal category.
Once you have created the metadata property, you can validate it following the
procedure below.
To add properties metadata:
Navigate to Settings > Data Configuration > Properties Metadata.
Click add on the top right of
the screen.
Add in the relevant information as follows:
System Name: this is the name of the raw field
Display Name: how you want it to display on the screen
Group Name: name of group/category it will appear under
Prefix: Used for grouping multiple fields together. Add in a prefix to
group them together
Trim Prefix: so that the prefix does not display as part of the field
name. Example – "VT_department" will be presented
as "department" in case you defined "VT_" prefix
and trimmed it
Is displayed: Select this checkbox to display the field on the screen
Is highlighted: Select this checkbox to display the field in the
Highlighted section of the screen.
Click Add.
To validate the properties metadata (without adding a Prefix):
Add properties metadata for a specific field without a prefix such as File
Name as follows:
Click Add.
Navigate to the Cases screen > Alerts Event Tab > View More.
Click View More. The Category File appears in the side drawer.
To validate the properties metadata (with a Prefix):
Add properties metadata for multiple fields including a VT prefix as
follows:
Click Save.
Navigate to the Cases screen.
In either the Cases Overview tab or the Alerts Overview tab, navigate to the
Entities Highlights widget and click on an Entity. You will be
directed to the Entity Details.
Use cases
The following use cases demonstrate the system's flexibility to manage and display events within cases, including:
In Google SecOps, each case is made up of a subset of alerts. Most alerts also provide access to events, and each event includes specific fields that describe what happened in the event itself. To test this, create a new case within the Google SecOps system, as follows:
Select Cases >
add
Add>Simulate Cases.
Create a new Malware Detected case in your preferred environment. You don't need to create a new environment; you can use the Default Environment if there aren't any others.
In the description of the case, select an alert VIRUS FOUND… and then select the Events tab. In the list of events a single event VIRUS FOUND… appears.
Click the VIRUS FOUND… event and explore the list of fields, appearing on the right side of the screen.
Scroll to find the fields related to the event date.
Modify the appearance of the events in cases
You can modify the appearance of events. You can also rename and group fields. To modify the appearance of an event, you need to change the Properties Metadata. This example describes the steps to reconfigure the following fields to appear in Spanish:
Open another tab in your browser and select SOAR Settings > Data Configuration > Properties Metadata.
Using this interface, reconfigure the following fields to appear in Spanish:
date_hour
date_mday
date_minute
date_month
date_second
date_wday
date_year
date_zone
Click
add
Add and redefine the field values according to the following table.
Process similarly all other fields and set the recommended values as listed in the table:
System name
Display name
Group name
Is displayed
Is highlighted
date_hour
Hora
Fecha del evento
yes
yes
date_mday
Día del mes
Fecha del evento
yes
no
date_minute
Minuto
Fecha del evento
yes
yes
date_month
Mes
Fecha del evento
yes
no
date_second
Segunda
Fecha del evento
no
no
date_wday
Día de la semana
Fecha del evento
no
no
date_year
Año
Fecha del evento
no
no
date_zone
Zona horaria
Fecha del evento
yes
no
Click the following radio buttons:
Is displayed: controls whether the field appears in the event description. If you don't select this button, the field won't appear.
Is highlighted: moves this field to a dedicated group of highlighted fields.
Enter the word date_ in the Search filter and refresh the screen.
In the previous tab, where the open VIRUS_FOUND event is still open, refresh the browser tab (F5 or Command+R).
Select the same event and scroll to Highlighted Fields; find Hour and Minute of the event in the list of fields; these fields are now highlighted.
Scroll further down and find the Fecha Del Evento group; all the fields that we renamed and selected to appear are displayed.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eProperties metadata allows customization of how event fields are presented and categorized within Google SecOps, such as in case overviews and entity screens.\u003c/p\u003e\n"],["\u003cp\u003eUsers can define display names, group names, and prefixes to organize fields, such as grouping VirusTotal fields under a "VirusTotal" category using the "VT_" prefix.\u003c/p\u003e\n"],["\u003cp\u003eMetadata properties can be added through the "Settings > Data Configuration > Properties Metadata" section, where options like system name, display name, and group name are configurable.\u003c/p\u003e\n"],["\u003cp\u003eValidation of the properties metadata, both with and without prefixes, can be performed by navigating to the Cases screen and checking the display of fields in the "Alerts Event" tab or "Entity Highlights" widget.\u003c/p\u003e\n"],["\u003cp\u003eTrimming prefixes ensures that the defined prefix is not displayed as part of the field name on the screen, while the "Is displayed" and "Is highlighted" checkboxes allow to control the visibility and importance of a given field.\u003c/p\u003e\n"]]],[],null,["# Manage properties metadata\n==========================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nThe properties metadata enable you to rewrite how event fields will be\npresented and under what category they appear such as case overview --\nevent fields and entity screen -- enrichment fields. So for example, I\ncan create a properties metadata in the platform so that all the events or\nenrichments fields that start with the VT_ prefix will be grouped under the\nVirusTotal category.\n\n\nOnce you have created the metadata property, you can validate it following the\nprocedure below.\n\nTo add properties metadata:\n\n1. Navigate to Settings \\\u003e Data Configuration \\\u003e Properties Metadata. \n2. Click add on the top right of the screen.\n3. Add in the relevant information as follows:\n - System Name: this is the name of the raw field\n - Display Name: how you want it to display on the screen\n - Group Name: name of group/category it will appear under\n - Prefix: Used for grouping multiple fields together. Add in a prefix to group them together\n - Trim Prefix: so that the prefix does not display as part of the field name. \n Example -- \"VT_department\" will be presented as \"department\" in case you defined \"VT_\" prefix and trimmed it\n - Is displayed: Select this checkbox to display the field on the screen\n - Is highlighted: Select this checkbox to display the field in the Highlighted section of the screen.\n4. Click Add.\n\nTo validate the properties metadata (without adding a Prefix):\n\n1. Add properties metadata for a specific field without a prefix such as File Name as follows:\n2. Click Add.\n3. Navigate to the Cases screen \\\u003e Alerts Event Tab \\\u003e View More.\n4. Click View More. The Category File appears in the side drawer. \n\nTo validate the properties metadata (with a Prefix):\n\n1. Add properties metadata for multiple fields including a VT prefix as follows: \n2. Click Save.\n3. Navigate to the Cases screen.\n4. In either the Cases Overview tab or the Alerts Overview tab, navigate to the Entities Highlights widget and click on an Entity. You will be directed to the Entity Details. \n\nUse cases\n---------\n\nThe following use cases demonstrate the system's flexibility to manage and display events within cases, including:\n\n- [Default appearance of the events in cases](#default-appearance)\n- [Modify the appearance of the events in cases](#modify-appearance)\n\n### Default appearance of the events in cases\n\nIn Google SecOps, each case is made up of a subset of alerts. Most alerts also provide access to events, and each event includes specific fields that describe what happened in the event itself. To test this, create a new case within the Google SecOps system, as follows:\n\n1. Select **Cases \\\u003e add Add** \\\u003e **Simulate Cases**.\n2. Create a new **Malware Detected** case in your preferred environment. You don't need to create a new environment; you can use the **Default Environment** if there aren't any others.\n3. In the description of the case, select an alert **VIRUS FOUND...** and then select the **Events** tab. In the list of events a single event **VIRUS FOUND...** appears.\n4. Click the **VIRUS FOUND...** event and explore the list of fields, appearing on the right side of the screen.\n5. Scroll to find the fields related to the event date.\n\n### Modify the appearance of the events in cases\n\nYou can modify the appearance of events. You can also rename and group fields. To modify the appearance of an event, you need to change the **Properties Metadata** . This example describes the steps to reconfigure the following fields to appear in Spanish:\n\n1. Open another tab in your browser and select **SOAR Settings \\\u003e Data Configuration \\\u003e Properties Metadata**.\n2. Using this interface, reconfigure the following fields to appear in Spanish:\n - date_hour\n - date_mday\n - date_minute\n - date_month\n - date_second\n - date_wday\n - date_year\n - date_zone\n3. Click add **Add** and redefine the field values according to the following table.\n4. Process similarly all other fields and set the recommended values as listed in the table:\n\n5. Click the following radio buttons:\n - **Is displayed**: controls whether the field appears in the event description. If you don't select this button, the field won't appear.\n - **Is highlighted**: moves this field to a dedicated group of highlighted fields.\n6. Enter the word `date_` in the Search filter and refresh the screen.\n7. In the previous tab, where the open **VIRUS_FOUND** event is still open, refresh the browser tab (F5 or **Command+R**).\n8. Select the same event and scroll to **Highlighted Fields** ; find **Hour** and **Minute** of the event in the list of fields; these fields are now highlighted.\n9. Scroll further down and find the **Fecha Del Evento** group; all the fields that we renamed and selected to appear are displayed.\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
