Once you select an alert in a case, you're taken to its alert
Overview tab. If only one alert is attached to the case, you're
taken directly to the alert Overview tab.
Explore tab widgets
The alert Overview tab displays important information about the alert
in the form of various widgets. The information displayed depends on the
type of alert. You can also take action based on the information in this tab.
The alert view may include the following widgets depending on the view
configured:
Alerts table: View a summary of case alerts. Click
View Details to see more information. If you're a
Google Security Operations customer, click Explore to be redirected to the
Asset page to perform more actions. For more information, see
Investigation views.
Custom fields form: You need to enter the relevant
information in the custom fields defined here. Click
editEdit to open the form.
Pending Actions: Quickly view all actions awaiting your input
to keep the playbook running.
Quick Actions: This widget lets you quickly execute
predefined actions directly from the Alert Overview.
Entity Highlights: View entities associated with the alert.
If you're a Google SecOps customer, click
Explore to be redirected to the alert Asset page to
perform more actions. The page you land on depends on the type of entity.
\For more information, see
Investigation views.
If you need more detailed information before taking action, click the
entity to go to the Entity Explorer page and view its full details.
To have a quick look prior to taking action, click View Details
and a side drawer opens with the entity's highlights.
To run a specific action on an entity, you can click
settings
Manual Action and create a manual action from here.
Events table: View all alert events and their
properties. Click any of the table rows to open a side drawer to see
events details.
HTML: View the HTML code that contains relevant
information from the playbook results.
Key value: View and display specific details from various
sources; for example,
Key-Product Value- [Alert.Product]
Entities Graph: View a visual graph and other case entity
details. Click an entity and a side drawer opens.
Composite Detections: Available only to
Google SecOps customers who use both SIEM and SOAR. This widget
helps you understand the components of alerts within a case. For
composite alerts (generated by
chained rules), the
widget displays the contributing detections and alerts, along with their
detailed UDM events. For single, non-composite alerts, it shows the specific
UDM events associated with that alert. This lets you examine the
structure of an alert and its causes.
The display you see in the alert Overview tab depends on a variety of
factors:
If there's no playbook attached to the alert, the default display is defined
by the administrator in SOAR Settings. For more information, see
Define default alert view.
If there's a playbook present, but the customized views don't include your
role, your default display appears.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThe Alert Overview tab provides a comprehensive view of an alert, featuring various widgets that display relevant information and allow for immediate actions.\u003c/p\u003e\n"],["\u003cp\u003eUsers can access different widgets within the Alert Overview tab, including Alerts Table, Custom Fields Form, Pending Actions, JSON Results, Entity Highlights, Events Table, HTML, Free Text, Key Value, and Entities Graph.\u003c/p\u003e\n"],["\u003cp\u003eThe content of the Alert Overview tab is dynamic, depending on the presence of an attached playbook and whether the user's role is included in any customized views.\u003c/p\u003e\n"],["\u003cp\u003eIf there is a missing playbook attached to the alert, the default display defined by the administrator in the SOAR settings will be shown.\u003c/p\u003e\n"],["\u003cp\u003eIf available, Google SecOps customers can click "Explore" on alerts or entities to be redirected to the Asset page for more detailed actions.\u003c/p\u003e\n"]]],[],null,["# View alert overview tab\n=======================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \nOnce you select an alert in a case, you're taken to its alert\n**Overview** tab. If only one alert is attached to the case, you're\ntaken directly to the alert **Overview** tab.\n\nExplore tab widgets\n-------------------\n\n\nThe alert **Overview** tab displays important information about the alert\nin the form of various widgets. The information displayed depends on the\ntype of alert. You can also take action based on the information in this tab.\n\n\nThe alert view may include the following widgets depending on the view\nconfigured:\n\n- **Alerts table** : View a summary of case alerts. Click **View Details** to see more information. If you're a Google Security Operations customer, click **Explore** to be redirected to the **Asset** page to perform more actions. For more information, see [Investigation views](/chronicle/docs/investigation/investigation-views).\n- **Custom fields form:** You need to enter the relevant information in the custom fields defined here. Click edit**Edit** to open the form.\n- **Pending Actions**: Quickly view all actions awaiting your input to keep the playbook running.\n- **Quick Actions**: This widget lets you quickly execute predefined actions directly from the Alert Overview.\n- **JSON results** : View a [JSON](https://en.wikipedia.org/wiki/JSON) result in the system.\n- **Entity Highlights**: View entities associated with the alert.\n- If you're a Google SecOps customer, click **Explore** to be redirected to the alert **Asset** page to perform more actions. The page you land on depends on the type of entity. \\\\For more information, see [Investigation views](/chronicle/docs/investigation/investigation-views).\n- If you need more detailed information before taking action, click the entity to go to the **Entity Explorer** page and view its full details.\n- To have a quick look prior to taking action, click **View Details** and a side drawer opens with the entity's highlights.\n- To run a specific action on an entity, you can click settings **Manual Action** and create a manual action from here.\n\n\u003c!-- --\u003e\n\n- **Events table**: View all alert events and their properties. Click any of the table rows to open a side drawer to see events details.\n- **HTML**: View the HTML code that contains relevant information from the playbook results.\n- **Free text**: View administrator-defined information.\n- **Key value** : View and display specific details from various sources; for example, \n\n ```\n Key-Product Value- [Alert.Product]\n ```\n- **Entities Graph**: View a visual graph and other case entity details. Click an entity and a side drawer opens.\n- **Composite Detections** : Available only to Google SecOps customers who use both SIEM and SOAR. This widget helps you understand the components of alerts within a case. For composite alerts (generated by [chained rules](/chronicle/docs/detection/rule-chaining)), the widget displays the contributing detections and alerts, along with their detailed UDM events. For single, non-composite alerts, it shows the specific UDM events associated with that alert. This lets you examine the structure of an alert and its causes.\n\n\nThe display you see in the alert **Overview** tab depends on a variety of\nfactors:\n\n- If there's no playbook attached to the alert, the default display is defined by the administrator in **SOAR Settings** . For more information, see [Define default alert view](/chronicle/docs/soar/investigate/working-with-alerts/define-default-alert-view-admin).\n- If there's a playbook present, but the customized views don't include your role, your default display appears.\n- If the playbook attached has a specific view for your role, the customized view displays. For more information, see [Define customized alert views from playbook designer](/chronicle/docs/soar/respond/working-with-playbooks/define-customized-alert-views-from-playbook-designer).\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
