Explore the alert overview tab
This document serves as a reference for the Alert Overview tab, the central interface for triaging alerts within a case. Once you select an alert in a case, the system displays its Alert Overview tab. If the case contains only one alert, you are taken directly to this tab.
Alert Overview widgets
The Alert Overview tab displays important information about the alert using specific widgets. The information displayed varies based on the alert type, and you can execute actions directly from this tab.
Explore tab widgets
The alert view may include the following widgets, based on the view configured:
- Alerts table: View a summary of case alerts. Click View Details to see more information. If you're a Google Security Operations customer, click Explore to be redirected to the Asset page to perform more actions. For more information, see Investigation views.
- Custom fields form: Enter the relevant information in the custom fields defined here. Click Edit to open the form.
- Pending Actions: View all actions awaiting your input to keep the playbook running.
- Quick Actions: This widget lets you quickly execute predefined actions directly from the Alert Overview tab.
- JSON results: View a JSON result in the system.
- Entity Highlights: View entities associated with the alert.
  - If you're a Google SecOps customer, click Explore to be redirected to the alert Asset page to perform more actions. The page you land on depends on the type of entity. For more information, see Investigation views.
  - If you need more detailed information before taking action, click the entity to go to the Entity Explorer page and view its full details.
  - To have a quick look prior to taking action, click View Details and a side drawer opens with the entity's highlights.
  - To run a specific action on an entity, click the settings icon (Manual Action) and create a manual action from here.
- Events table: View all alert events and their properties. Click any table row to open a side drawer with the event's details.
- HTML: View the HTML code that contains relevant information from the playbook results.
- Free text: View administrator-defined information.
- Key value: View and display specific details from various sources; for example, Key: Product, Value: [Alert.Product].
- Entities Graph: View a visual graph and other case entity details. Click an entity and a side drawer opens.
- Composite Detections: Available only to Google SecOps customers who use both SIEM and SOAR. This widget helps you understand the components of alerts within a case. For composite alerts (generated by chained rules), the widget displays the contributing detections and alerts, along with their detailed Unified Data Model (UDM) events. For single, non-composite alerts, it shows the specific UDM events associated with that alert. This lets you examine the structure of an alert and its causes.
The display you see in the Alert Overview tab depends on a variety of factors:
- If no playbook is attached to the alert, the default display is defined by the administrator in SOAR Settings. For more information, see Define default alert view.
- If a playbook is present, but the customized views don't include your role, your default display appears.
- If the attached playbook has a specific view for your role, the customized view displays. For more information, see Define customized alert views from Playbook Designer.