A Service Level Agreement (SLA) represents a commitment by the SOC to perform
specific tasks, such as investigation or remediation of specific cases within
a specified duration of time.
SLA Types:
Alert SLA: the maximum committed time for closing an alert. Alert SLA is
mainly based on alert attributes (Alert Type, Alert Priority, etc.), but
can also be based on other attributes (such as case attributes).
Case SLA: the maximum committed time for closing a case. Case SLA is
mainly based on case attributes (Case Stage, Case Priority, etc.), but can
also be based on other attributes (such as alert attributes).
An SLA can be configured for an Alert, a Case, or both.
When configuring an SLA to an alert, the start time of the SLA begins when the
alert is created.
When configuring an SLA to a case, the start time of the SLA begins when the
case is created. However, when the SLA is configured by Case Stage, the start
time begins at the start of the stage.
An SLA can be configured directly through the Settings or it can be configured
using a Playbook action in a Playbook or a Playbook Block to run
automatically.
If there are multiple SLA rules set for a Case, the SLA that
will take first priority is the one that was set by the playbook action. If no
playbook action has been set, the Case Stage SLA will be used. If no Case
Stage SLA has been set, the Case Priority SLA will be used.
If there are multiple SLA rules that are set for an Alert,
the SLA that will take first priority is the one that was set by the playbook
action. If no playbook action has been set, the Alert Type SLA will be
used. If no Alert Type SLA has been set, the Alert Priority SLA will be used.
To add an SLA:
Navigate to Settings > Environments > SLA.
Click
add
on the top right of the screen.
Select whether the SLA will be configured by an alert type (either all
alerts or specific ones), an alert priority (e.g. informative, low) , a case
stage (e.g. triage, investigation), or a case priority (e.g. informative,
low).
Add the time frames for the SLA Period (the amount of time that can pass
before SLA is breached) and the SLA Time to Critical Period (time before SLA enters
the critical phase). In the example below, the SLA Period is set to 10
minutes and the SLA Time to Critical Period is set to 6 minutes, which means that
the actual Critical Period will last for 4 minutes.
Click Add.
SLA Status:
In the Cases tab, an SLA that is created for a Case is indicated by an
hourglass with the letter "C" next to it. If the SLA was created for
an Alert, it will be indicated by an hourglass with the letter "A"
next to it. The color of the SLA indicates its status.
A green countdown timer indicates an active Case SLA at the top of the
screen of the selected Case.
For cases with multiple alerts, the Alerts icon in the Cases header in the
Cases screen will display all of the Alert SLAs in one popover. Each Alert SLA
can be clicked on to view the individual alert.
Pause and resume an SLA
To provide flexibility during investigations, SLAs can be paused for extra
research time or when waiting on information from external sources. Alert and
Case SLAs can be paused or resumed independently; pausing one won't affect the
other. All pause and resume events are recorded on the Case Wall.
Pause and resume an Alert SLA
To pause an Alert SLA, do the following:
In the Cases page, select the case containing the relevant
alert.
In the alert tab, click
more_vert
Alert Options.
Select Pause alert SLA.
Optional: In the Pause alert SLA dialog that appears,
enter a reason for pausing the SLA.
Click Pause.
A gray hourglass in the alert tab indicates that the SLA is paused. A
tooltip also indicates the paused status. Additionally, the Alerts icon in
the case top bar, which displays all Alert SLAs in a popover, will show a
gray countdown timer that has stopped ticking for the paused Alert SLA.
To resume the Alert SLA, do the following:
Click
more_vert
Alert Options.
Select Resume alert SLA.
The green hourglass in the alert tab indicates that the SLA is running again.
The Alerts icon in the case top bar also shows a countdown timer that has
resumed ticking for the resumed Alert SLA.
Pause and resume a Case SLA
To pause a Case SLA, do the following:
Go to the Cases page and choose the relevant case.
In the case top bar, click
format_list_bulleted
Case Actions.
Select Pause Case SLA.
Optional: In the Pause Case SLA dialog that appears,
enter a reason for pausing the SLA.
Click Pause.
The gray Case SLA timer in the case top bar indicates that the SLA is paused.
A tooltip also indicates the paused status.
To resume a paused Case SLA, do the following:
In the case top bar, click
format_list_bulleted
Case Actions.
Select Resume Case SLA.
The green Case SLA timer, along with its resumed countdown, indicates that
it's running again.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eService Level Agreements (SLAs) in Google SecOps define the time commitment for the SOC to complete tasks, such as investigating or remediating alerts and cases.\u003c/p\u003e\n"],["\u003cp\u003eThere are two main SLA types: Alert SLA, which is based on alert attributes and defines the maximum time to close an alert, and Case SLA, which is based on case attributes and defines the maximum time to close a case.\u003c/p\u003e\n"],["\u003cp\u003eSLAs can be configured for alerts, cases, or both, and the start time for an Alert SLA is when the alert is created, while the start time for a Case SLA is when the case is created or when the case enters a specific stage.\u003c/p\u003e\n"],["\u003cp\u003eSLAs can be set directly through Settings or via Playbook actions, and if multiple SLA rules exist for a case or alert, the one set by a playbook action takes priority, followed by stage/type, and then priority.\u003c/p\u003e\n"],["\u003cp\u003eThe SLA status for Cases and Alerts are visualized by an hourglass icon with "C" or "A", respectively, and for Alerts, there is an option to pause and resume, however, there is not an option to pause a case SLA.\u003c/p\u003e\n"]]],[],null,["# Setting the SLA\n===============\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nA Service Level Agreement (SLA) represents a commitment by the SOC to perform\nspecific tasks, such as investigation or remediation of specific cases within\na specified duration of time.\n\n**SLA Types:**\n\n-\n Alert SLA: the maximum committed time for closing an alert. Alert SLA is\n mainly based on alert attributes (Alert Type, Alert Priority, etc.), but\n can also be based on other attributes (such as case attributes).\n\n-\n Case SLA: the maximum committed time for closing a case. Case SLA is\n mainly based on case attributes (Case Stage, Case Priority, etc.), but can\n also be based on other attributes (such as alert attributes).\n\nAn SLA can be configured for an Alert, a Case, or both.\n\n\nWhen configuring an SLA to an alert, the start time of the SLA begins when the\nalert is created.\n\n\nWhen configuring an SLA to a case, the start time of the SLA begins when the\ncase is created. However, when the SLA is configured by Case Stage, the start\ntime begins at the start of the stage.\n\n\nAn SLA can be configured directly through the Settings or it can be configured\nusing a Playbook action in a Playbook or a Playbook Block to run\nautomatically.\n\n\n[](/static/chronicle/images/soar/settingsla1.png)\n\n\u003cbr /\u003e\n\n\nIf there are multiple SLA rules set for a **Case**, the SLA that\nwill take first priority is the one that was set by the playbook action. If no\nplaybook action has been set, the Case Stage SLA will be used. If no Case\nStage SLA has been set, the Case Priority SLA will be used.\n\n\nIf there are multiple SLA rules that are set for an **Alert**,\nthe SLA that will take first priority is the one that was set by the playbook\naction. If no playbook action has been set, the Alert Type SLA will be\nused. If no Alert Type SLA has been set, the Alert Priority SLA will be used.\n\n**To add an SLA**:\n\n1. Navigate to Settings \\\u003e Environments \\\u003e SLA.\n2. Click add on the top right of the screen.\n3. Select whether the SLA will be configured by an alert type (either all alerts or specific ones), an alert priority (e.g. informative, low) , a case stage (e.g. triage, investigation), or a case priority (e.g. informative, low).\n4. Add the time frames for the SLA Period (the amount of time that can pass before SLA is breached) and the SLA Time to Critical Period (time before SLA enters the critical phase). In the example below, the SLA Period is set to 10 minutes and the SLA Time to Critical Period is set to 6 minutes, which means that the actual Critical Period will last for 4 minutes.\n\n [](/static/chronicle/images/soar/settingsla2.png)\n\n \u003cbr /\u003e\n\n5. Click Add.\n\n**SLA Status**:\n\n\nIn the Cases tab, an SLA that is created for a Case is indicated by an\nhourglass with the letter \"C\" next to it. If the SLA was created for\nan Alert, it will be indicated by an hourglass with the letter \"A\"\nnext to it. The color of the SLA indicates its status.\n\nA green countdown timer indicates an active Case SLA at the top of the\nscreen of the selected Case.\n\n\n[](/static/chronicle/images/soar/settingsla3.png)\n\n\u003cbr /\u003e\n\n\nFor cases with multiple alerts, the Alerts icon in the Cases header in the\nCases screen will display all of the Alert SLAs in one popover. Each Alert SLA\ncan be clicked on to view the individual alert.\n\n\n[](/static/chronicle/images/soar/settingsla4.png)\n\n\u003cbr /\u003e\n\nPause and resume an SLA\n-----------------------\n\nTo provide flexibility during investigations, SLAs can be paused for extra\nresearch time or when waiting on information from external sources. Alert and\nCase SLAs can be paused or resumed independently; pausing one won't affect the\nother. All pause and resume events are recorded on the **Case Wall**.\n\n### Pause and resume an Alert SLA\n\nTo pause an Alert SLA, do the following:\n\n1. In the **Cases** page, select the case containing the relevant alert.\n2. In the alert tab, click more_vert **Alert Options**.\n3. Select **Pause alert SLA**.\n4. Optional: In the **Pause alert SLA** dialog that appears, enter a reason for pausing the SLA.\n5. Click **Pause**.\n\n\nA gray hourglass in the alert tab indicates that the SLA is paused. A\ntooltip also indicates the paused status. Additionally, the Alerts icon in\nthe case top bar, which displays all Alert SLAs in a popover, will show a\ngray countdown timer that has stopped ticking for the paused Alert SLA.\n\nTo resume the Alert SLA, do the following:\n\n1. Click more_vert **Alert Options**.\n2. Select **Resume alert SLA**.\n\nThe green hourglass in the alert tab indicates that the SLA is running again.\nThe Alerts icon in the case top bar also shows a countdown timer that has\nresumed ticking for the resumed Alert SLA.\n\n### Pause and resume a Case SLA\n\nTo pause a Case SLA, do the following:\n\n1. Go to the **Cases** page and choose the relevant case.\n2. In the case top bar, click format_list_bulleted **Case Actions**.\n3. Select **Pause Case SLA**.\n4. Optional: In the **Pause Case SLA** dialog that appears, enter a reason for pausing the SLA.\n5. Click **Pause**.\n\nThe gray Case SLA timer in the case top bar indicates that the SLA is paused.\nA tooltip also indicates the paused status.\n\nTo resume a paused Case SLA, do the following:\n\n1. In the case top bar, click format_list_bulleted **Case Actions**.\n2. Select **Resume Case SLA**.\n\nThe green Case SLA timer, along with its resumed countdown, indicates that\nit's running again.\n| **Note:** When a case is closed, the Case SLA is automatically paused. When a case is reopened, the Case SLA is automatically resumed.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
