This document explains how to create a specific request template and show
the end-to-end flow from a user submitting the request to a playbook
automatically handling the case.
You can define requests for end users to select directly from the
Homepage. These requests serve as an internal ticketing system,
letting different teams like IT and the Security Operations Center (SOC), or
an MSSP and an end user—to communicate more efficiently.
Each request can be handled in one of two ways:
Manually by an analyst.
Automatically by a playbook, which streamlines the entire process.
You can define requests that users can select on the homepage. An analyst can handle each request manually or a playbook can automate them, where the platform serves as an internal ticketing system. Each request enters the platform as a case with the label Request.
Examples of such requests include the following:
Blocking malicious IPs
Optimizing SIEM rules
Onboarding a new user
This document demonstrates how to create a request template and shows the end-to-end flow.
Add permissions for internal users
Use case: A SOC Manager wants to grant their SOC team permission to open a request to add permissions for internal users to Salesforce. This section explains how to:
Google recommends that you plan which requests can be
automated and how to build the accompanying playbook.
To define a request for Salesforce
permissions:
Go to Settings > Environments > Requests.
Click
add
Add Requests.
In the Add Request Flow dialog, enter a logical name and select an environment.
Select a Request Type. This category determines which entities display in the Event Fields list. For this use case, choose request type Login.
Event Fields provide a way for the platform to recognize the incoming case
request and perform the appropriate "mapping and modelling" behind the
scenes.
In the Event Fields section, manually enter a field name and then select the field type (for example, email or string).
In the Watermark field, add an instruction for the requester
which explains what they need to add here.
In the Raw event field list, you can
choose to use an event field to bring in a raw event or use entities that you can use in playbooks later. This
example uses the Username and SourceUserName
entities.
Click Add.
Build a playbook
The following procedure shows how to build a playbook that automatically
runs when the new case request enters the platform.
Create a new playbook with an appropriate name and
environment.
Select the Alert Type Trigger and set the condition to Equals to and the value to the request template you created. In this case, Salesforce Permission Approvals.
Add the active directory: Enrich
Entities to get more information about the user.
Add the Active Directory: Add User to Group action and set these parameters:
Action Type: Manual. The playbook stops running and waits for further instructions.
Assign To: Administrator Assign the step to a specific user or a SOC role, such as Administrator. The pending action is then displayed on the homepage and in the Case View.
Message to Assignee: This message appears as part of the pending action details. For example, enter Please approve or decline permission for user
[Entity.Identifier] to Salesforce group.
Time to respond: Enable this timer and give the assigned user a day to respond.
Add the Siemplify Close Case action. This action
closes the playbook after the administrator approves or declines the request.
The request is now created with the corresponding playbook.
Approve the request
The user chooses a request. For details, see fill out a request from Your Workdesk.. After a user submits the request selection, it enters the system as a Request Case. The playbook then waits for the administrator's input to continue.
You can see the pending request and approve it in three separate places within the platform:
Cases: Under the correct alert, click the Playbooks tab and click Execute in the side drawer to approve the request.
Cases > Overview: Click Execute in the appropriate widget.
Homepage: Click the Pending Actions tab, select Required Pending Action, and click Execute to approve the request.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis guide details how to define and automate user requests within the Google SecOps platform, enabling the creation of an internal ticketing system.\u003c/p\u003e\n"],["\u003cp\u003eRequests are initiated by end users, handled as Cases labeled "Request," and can cover various needs such as blocking IPs, optimizing SIEM rules, or onboarding new users.\u003c/p\u003e\n"],["\u003cp\u003eAdministrators define request templates in Settings, specifying the request type, required event fields, and instructions for the requester.\u003c/p\u003e\n"],["\u003cp\u003ePlaybooks can be created to automate the processing of requests, exemplified by a scenario where a request for Salesforce permissions triggers an Active Directory update and requires admin approval.\u003c/p\u003e\n"],["\u003cp\u003ePending request actions are visible and can be managed from multiple locations, including the Cases screen and the Homepage's Pending Actions tab, with different interaction options for standard and collaborator users.\u003c/p\u003e\n"]]],[],null,["Create user requests \nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \nThis document explains how to create a specific request template and show\nthe end-to-end flow from a user submitting the request to a playbook\nautomatically handling the case.\n\nYou can define requests for end users to select directly from the\n**Homepage**. These requests serve as an internal ticketing system,\nletting different teams like IT and the Security Operations Center (SOC), or\nan MSSP and an end user---to communicate more efficiently.\n\nEach request can be handled in one of two ways:\n\n- Manually by an analyst.\n- Automatically by a playbook, which streamlines the entire process.\n\nYou can define requests that users can select on the homepage. An analyst can handle each request manually or a playbook can automate them, where the platform serves as an internal ticketing system. Each request enters the platform as a case with the label **Request**.\n\nExamples of such requests include the following:\n\n- **Blocking malicious IPs**\n- **Optimizing SIEM rules**\n- **Onboarding a new user**\n\nThis document demonstrates how to create a request template and shows the end-to-end flow.\n\nAdd permissions for internal users\n\nUse case: A SOC Manager wants to grant their SOC team permission to open a request to add permissions for internal users to Salesforce. This section explains how to:\n\n- [Define a request](#firstanchor)\n- [Build a playbook](#build-playbook)\n\n**Define a request**\n\nGoogle recommends that you plan which requests can be\nautomated and how to build the accompanying playbook.\n\nTo define a request for Salesforce\npermissions:\n\n1. Go to **Settings \\\u003e Environments \\\u003e Requests**.\n2. Click add **Add Requests**.\n3. In the **Add Request Flow** dialog, enter a logical name and select an environment.\n4. Select a **Request Type** . \n This category determines which entities display in the **Event Fields** list. For this use case, choose request type **Login**.\n5. **Event Fields** provide a way for the platform to recognize the incoming case request and perform the appropriate \"mapping and modelling\" behind the scenes.\n6. In the **Event Fields** section, manually enter a field name and then select the field type (for example, `email` or `string`).\n7. In the **Watermark** field, add an instruction for the requester which explains what they need to add here.\n8. In the **Raw event field** list, you can choose to use an event field to bring in a raw event or use entities that you can use in playbooks later. This example uses the **Username** and **SourceUserName** entities.\n9. Click **Add**.\n\nBuild a playbook\n\nThe following procedure shows how to build a playbook that automatically\nruns when the new case request enters the platform.\n\n1. Create a new playbook with an appropriate name and environment.\n2. Select the **Alert Type Trigger** and set the condition to **Equals to** and the value to the request template you created. In this case, **Salesforce Permission Approvals**.\n3. Add the active directory: **Enrich\n Entities** to get more information about the user.\n4. Add the **Active Directory: Add User to Group** action and set these parameters:\n - Action Type: **Manual**. The playbook stops running and waits for further instructions.\n - Assign To: **Administrator** Assign the step to a specific user or a SOC role, such as **Administrator** . The pending action is then displayed on the homepage and in the **Case View**.\n - Message to Assignee: This message appears as part of the pending action details. For example, enter **Please approve or decline permission for user\n \\[Entity.Identifier\\] to Salesforce group.**\n - Time to respond: Enable this timer and give the assigned user a day to respond.\n5. Add the **Siemplify Close Case** action. This action closes the playbook after the administrator approves or declines the request.\n\nThe request is now created with the corresponding playbook.\n\nApprove the request\n\nThe user chooses a request. For details, see [fill out a request from Your Workdesk.](/chronicle/docs/soar/overview-and-introduction/your-workdesk/filling-out-request-from-workdesk). After a user submits the request selection, it enters the system as a **Request Case**. The playbook then waits for the administrator's input to continue.\n\nYou can see the pending request and approve it in three separate places within the platform:\n\n- **Cases** : Under the correct alert, click the **Playbooks** tab and click **Execute** in the side drawer to approve the request.\n- **Cases \\\u003e Overview** : Click **Execute** in the appropriate widget.\n- **Homepage** : Click the **Pending Actions** tab, select **Required Pending Action** , and click **Execute** to approve the request.\n\n| **Note:** Standard users see the **Execute** and **Skip** options. The collaborator user sees **Approve** and **Decline** and is prompted to provide a reason if they decline the action.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
