A Service Level Agreement (SLA) represents a commitment by the SOC to perform
specific tasks, such as investigating or remediating a case within
a set timeframe. You can configure SLAs for alerts, cases, or both.
SLA Types
Alert SLA: the maximum time to close an alert. An alert SLA is
mainly based on alert attributes (for example, Alert Type or Alert Priority),
but can also be based on case attributes. The start time begins when the alert is created.
Case SLA: the maximum time to close a case. A Case SLA is
mainly based on case attributes (for example, Case Stage or Case Priority), but can also be based on alert attributes. The start time begins when the case is created, unless the SLA is configured by Case Stage—in which case it begins when the stage starts.
You can configure an SLA in Settings or automatically using a playbook action.
Set SLA priorities
If multiple SLA rules are set, the system follows a clear priority order:
Case SLAs: Playbook action > Case Stage > Case Priority
Alert SLAs: Playbook action > Alert Type >Alert Priority
Add an SLA
To add an SLA, follow these steps:
Go to Settings > Environments > SLA.
Click
add
Add.
Select whether the SLA is based on alert attributes (type or priority) or case attributes (stage or priority).
Define the timeframes for the SLA Period (the time before an SLA is breached)
and the SLA Time to Critical Period (the time before the SLA enters a critical phase). For example, an SLA Period of 10 minutes and an SLA Time to Critical Period of 6 minutes results in a 4-minute critical period.
Click Add.
Interpret an SLA Status
An SLA status is indicated by an hourglass hourglass icon. A C next to the hourglass hourglass icon indicates a Case SLA, while an A indicates an Alert SLA. The icon's color shows its status as follows:
Green: The SLA is active.
Gray: The SLA is paused.
In the Cases tab, a green countdown timer indicates an active case SLA at the top. For cases with multiple alerts, the Alerts icon in the header displays all alert SLAs. Each Alert SLA
can be clicked on to view the individual alert.
Pause and resume an SLA
You can pause SLAs to provide flexibility during investigations. Pausing a
case SLA doesn't affect an alert SLA, and the other way around. All pause and
resume events are recorded on the Case Wall.
Pause an alert SLA
To pause an alert SLA, do the following:
On the Cases page, select the case with the relevant
alert.
In the alert tab, click
more_vert
More > Alert Options.
Select Pause alert SLA.
Optional: In the Pause alert SLA dialog,
enter a reason for pausing the SLA.
Click Pause.
A gray hourglass hourglass in the Alert tab indicates that the SLA is paused and a tooltip also indicates the paused status.
Resume an Alert SLA
To resume the Alert SLA, do the following:
Click
more_vert
MoreAlert Options.
Select Resume alert SLA.
The green hourglass in the Alert tab indicates that the SLA is running again.
The alerts icon in the case top bar also shows a countdown timer that has
resumed ticking for the resumed Alert SLA.
Pause a case SLA
To pause a case SLA, do the following:
On the Cases page, select the relevant case.
Click
format_list_bulleted
Menu > Case Actions.
Select Pause Case SLA.
Optional: In the Pause Case SLA dialog,
enter a reason for pausing the SLA.
Click Pause.
The case SLA timer in the header turns gray and stops.
A tooltip also indicates the paused status.
Resume a case SLA
To resume a paused case SLA, do the following:
In the case top bar, click
format_list_bulleted
Case Actions.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eService Level Agreements (SLAs) in Google SecOps define the time commitment for the SOC to complete tasks, such as investigating or remediating alerts and cases.\u003c/p\u003e\n"],["\u003cp\u003eThere are two main SLA types: Alert SLA, which is based on alert attributes and defines the maximum time to close an alert, and Case SLA, which is based on case attributes and defines the maximum time to close a case.\u003c/p\u003e\n"],["\u003cp\u003eSLAs can be configured for alerts, cases, or both, and the start time for an Alert SLA is when the alert is created, while the start time for a Case SLA is when the case is created or when the case enters a specific stage.\u003c/p\u003e\n"],["\u003cp\u003eSLAs can be set directly through Settings or via Playbook actions, and if multiple SLA rules exist for a case or alert, the one set by a playbook action takes priority, followed by stage/type, and then priority.\u003c/p\u003e\n"],["\u003cp\u003eThe SLA status for Cases and Alerts are visualized by an hourglass icon with "C" or "A", respectively, and for Alerts, there is an option to pause and resume, however, there is not an option to pause a case SLA.\u003c/p\u003e\n"]]],[],null,["Set SLA expectations \nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nA Service Level Agreement (SLA) represents a commitment by the SOC to perform\nspecific tasks, such as investigating or remediating a case within\na set timeframe. You can configure SLAs for alerts, cases, or both.\n\nSLA Types\n\n-\n **Alert SLA** : the maximum time to close an alert. An alert SLA is\n mainly based on alert attributes (for example, **Alert Type** or **Alert Priority**),\n but can also be based on case attributes. The start time begins when the alert is created.\n\n-\n **Case SLA** : the maximum time to close a case. A Case SLA is\n mainly based on case attributes (for example, `Case Stage` or `Case Priority`), but can also be based on alert attributes. The start time begins when the case is created, unless the SLA is configured by **Case Stage**---in which case it begins when the stage starts.\n\n\nYou can configure an SLA in **Settings** or automatically using a playbook action.\n\nSet SLA priorities\n\n\nIf multiple SLA rules are set, the system follows a clear priority order:\n\n- **Case SLAs** : Playbook action \\\u003e Case Stage \\\u003e Case Priority\n- **Alert SLAs** : Playbook action \\\u003e Alert Type \\\u003eAlert Priority\n\nAdd an SLA\n\nTo add an SLA, follow these steps:\n\n1. Go to **Settings \\\u003e Environments \\\u003e SLA**.\n2. Click add **Add**.\n3. Select whether the SLA is based on alert attributes (type or priority) or case attributes (stage or priority).\n4. Define the timeframes for the **SLA Period** (the time before an SLA is breached) and the **SLA Time to Critical Period** (the time before the SLA enters a critical phase). For example, an **SLA Period** of 10 minutes and an **SLA Time to Critical Period** of 6 minutes results in a 4-minute critical period.\n5. Click **Add**.\n\nInterpret an SLA Status\n\n\nAn SLA status is indicated by an hourglass hourglass icon. A **C** next to the hourglass hourglass icon indicates a **Case** SLA, while an **A** indicates an **Alert SLA**. The icon's color shows its status as follows:\n\n- Green: The SLA is active.\n- Gray: The SLA is paused.\n\n\nIn the **Cases** tab, a green countdown timer indicates an active case SLA at the top. For cases with multiple alerts, the **Alerts** icon in the header displays all alert SLAs. Each Alert SLA\ncan be clicked on to view the individual alert.\n\nPause and resume an SLA\n\nYou can pause SLAs to provide flexibility during investigations. Pausing a\ncase SLA doesn't affect an alert SLA, and the other way around. All pause and\nresume events are recorded on the **Case Wall**.\n\nPause an alert SLA\n\nTo pause an alert SLA, do the following:\n\n1. On the **Cases** page, select the case with the relevant alert.\n2. In the alert tab, click more_vert **More \\\u003e Alert Options**.\n3. Select **Pause alert SLA**.\n4. Optional: In the **Pause alert SLA** dialog, enter a reason for pausing the SLA.\n5. Click **Pause**.\n\n\nA gray hourglass hourglass in the **Alert** tab indicates that the SLA is paused and a tooltip also indicates the paused status.\n\nResume an Alert SLA\n\nTo resume the Alert SLA, do the following:\n\n1. Click more_vert **More** **Alert Options**.\n2. Select **Resume alert SLA**.\n\nThe green hourglass in the **Alert** tab indicates that the SLA is running again.\nThe alerts icon in the case top bar also shows a countdown timer that has\nresumed ticking for the resumed Alert SLA.\n\nPause a case SLA\n\nTo pause a case SLA, do the following:\n\n1. On the **Cases** page, select the relevant case.\n2. Click format_list_bulleted **Menu \\\u003e Case Actions**.\n3. Select **Pause Case SLA**.\n4. Optional: In the **Pause Case SLA** dialog, enter a reason for pausing the SLA.\n5. Click **Pause**.\n\nThe case SLA timer in the header turns gray and stops.\nA tooltip also indicates the paused status.\n\nResume a case SLA\n\nTo resume a paused case SLA, do the following:\n\n1. In the case top bar, click format_list_bulleted **Case Actions**.\n2. Select **Resume Case SLA**.\n\nThe timer turns green and resumes the countdown.\n| **Note:** The case SLA is automatically paused when a case is closed and automatically resumes when the case is reopened.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
