Manage custom fields
Administrators can create custom fields to add specific information to cases and alerts. These custom fields can be added to a Custom Fields Form widget, which defines the default views for cases and alerts. Analysts can enter information in the Custom Fields Form widget directly within cases and alerts, depending on the custom field's scope. This widget is available in the Overview tab of cases and alerts.
This document explains how to create and manage custom fields, including how to use custom fields in advanced reports.
Create a custom field
The Admin can create a maximum of 1000 different custom fields. The "Scope", "Type", and "Name" of a custom field can't be modified after the custom field is saved. To create a custom field, do the following:
- Go to SOAR Settings > Case Data > Custom Fields.
- Click Add to create a new custom field.
- Select Scope and then select Case, Alert, or All (both). The Scope field is required and can't be changed after the custom field is created.
- Enter a Name. The Name field is required and can't be changed after the custom field is created.
Select a custom field Type from the list:
- Free Text: Allows any text input with a limit of 1,024 characters.
- Radio Button: A radio button with two options.
- Single Select: A list with a single selected option. Supports a maximum of 1024 characters, with each option name limited to 255 characters.
- Multi Select: A list with multiple selected options. Supports a maximum of 1024 characters, with each option name limited to 255 characters.
- Calendar: A date and time field.
Select Save.
Use case: use custom fields to enhance phishing resistance
This use case outlines the steps for defining three custom fields: a radio button, a single-select drop-down list, and a calendar, and adding them to the Custom Field Form widget to enrich the default alert view with additional information related to phishing alerts.
- Go to SOAR Settings > Case Data > Custom Fields.
- Select Add to create a new custom field.
- Under Scope, select Alert.
- In the Name field, enter False Positive.
- From the Type drop-down list, select Radio Button.
- In the Options field, type True Positive for the first radio button, then press Enter. Enter False Positive for the second radio button, and press Enter again.
- Select Save.
- Select Add to create a new custom field.
- Under Scope, select Alert.
- In the Name field, enter User Action.
- From the Type drop-down list, select Single Select.
- In the Options field, type Clicked, press Enter, type Reported, press Enter; then type Ignored, and press Enter.
- Select Save.
- Select Add to create a new custom field.
- Under Scope, select Alert.
- In the Name field, enter Report Time.
- From the Type drop-down list, select Calendar.
- Select Save.
Add the custom fields to the custom field widget–alert level
After defining custom fields, you can add them to the custom field widget. Each widget can hold up to 50 custom fields. Building on the earlier example, the following steps outline how to add the three custom fields created in the previous section to the Custom Field Form widget.
- Go to SOAR Settings > Case Data > Views > Default Alert View. The Default Alert View pane opens, showing the widgets that appear in the Default Alert View.
- In the General tab, drag the Custom Fields Form widget to the Default Alert View pane.
- Select Settings Configuration in the Custom Fields Form widget to open the widget settings.
- In the Widget Title field, enter True or False Positive Alert.
- Select Manage Custom Fields.
- Select the False Positive, User Action, and Report Time checkboxes, and then click Save. The custom fields are added to the Custom Field Form widget.
- Turn on the Mandatory toggle.
- Select Save to save the configuration and close the window.
- Click Save View.
Use the Custom Fields Form widget
After you add custom fields to the Custom Fields Form widget, it appears in the Overview tab of cases and alerts, where analysts can enter the required information. Based on the previous example, do the following:
- In the Alert Overview tab, select the Custom Fields widget, and click .
- Fill in the appropriate information for the three custom fields:
- In the False Positive custom field, select the appropriate radio button to indicate whether the alert is a true positive or a false positive.
- In the User Action custom field, select the appropriate user action from the drop-down list: Clicked, Reported, or Ignored.
- In the Report Time custom field, select the date the alert was reported.
- Click Save.
Use custom fields in playbooks
You can use the custom fields you define on this page as part of playbook actions and placeholders. For more information on playbook actions, see Marketplace Integrations Siemplify.
Placeholders for custom fields
Custom fields are available under the **Custom Fields** placeholder category. The format for these placeholders is as follows:
\[AlertCustom.{custom field name}\]
\[CaseCustom.{custom field name}\]
Use custom fields in advanced reports
Custom fields created for cases can be used in advanced reports to gain deeper insights from your data.
Note: Advanced reports support only custom fields that have a Case scope.
Create custom fields for single-select values in Looker
- To reference a single-select custom field (for example, "Country") in a Looker report, use the following LookML formula as a calculated field. The formula removes everything up to and including the "Country": key, keeps the text up to the next `",` separator (or the rest of the string when Country is the last field), and then strips the surrounding quotes and the closing brace:

    if(
      contains(${vw_cases_custom_values.custom_field_json}, "\"Country\":"),
      replace(
        replace(
          replace(
            if(
              position(
                replace(
                  ${vw_cases_custom_values.custom_field_json},
                  substring(
                    ${vw_cases_custom_values.custom_field_json},
                    0,
                    (position(${vw_cases_custom_values.custom_field_json}, "\"Country\":") + length("\"Country\":"))
                  ),
                  ""
                ),
                "\","
              ) > 0,
              substring(
                replace(
                  ${vw_cases_custom_values.custom_field_json},
                  substring(
                    ${vw_cases_custom_values.custom_field_json},
                    0,
                    (position(${vw_cases_custom_values.custom_field_json}, "\"Country\":") + length("\"Country\":"))
                  ),
                  ""
                ),
                0,
                position(
                  replace(
                    ${vw_cases_custom_values.custom_field_json},
                    substring(
                      ${vw_cases_custom_values.custom_field_json},
                      0,
                      (position(${vw_cases_custom_values.custom_field_json}, "\"Country\":") + length("\"Country\":"))
                    ),
                    ""
                  ),
                  "\","
                )
              ),
              replace(
                ${vw_cases_custom_values.custom_field_json},
                substring(
                  ${vw_cases_custom_values.custom_field_json},
                  0,
                  (position(${vw_cases_custom_values.custom_field_json}, "\"Country\":") + length("\"Country\":"))
                ),
                ""
              )
            ),
            " \"", ""
          ),
          "\"", ""
        ),
        "}", ""
      ),
      null
    )
Create custom fields for multi-select values in Looker
- To reference a multi-select custom field (for example, "Department") in a Looker report, use the following LookML formula as a calculated field. The formula takes the JSON from the first "Department" key onward, collapses the repeated "Department":"..." entries into one comma-separated list, and keeps the text up to the quote that closes the last value:

    if(
      contains(${vw_cases_custom_values.custom_field_json}, "\"Department\""),
      substring(
        replace(
          replace(
            substring(
              ${vw_cases_custom_values.custom_field_json},
              position(${vw_cases_custom_values.custom_field_json}, "\"Department\""),
              length(${vw_cases_custom_values.custom_field_json})
            ),
            "\", \"Department\":\"", ","
          ),
          "\"Department\":\"", ""
        ),
        0,
        position(
          replace(
            replace(
              substring(
                ${vw_cases_custom_values.custom_field_json},
                position(${vw_cases_custom_values.custom_field_json}, "\"Department\""),
                length(${vw_cases_custom_values.custom_field_json})
              ),
              "\", \"Department\":\"", ","
            ),
            "\"Department\":\"", ""
          ),
          "\""
        ) - 1
      ),
      null
    )
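As an added check that is not part of this page, of Google SecOps, or of Looker, the following Python mirrors the single-select and multi-select calculated fields above so you can confirm what they return for a sample custom_field_json value before adding them to a report. The sample JSON strings are constructed here, and their layout (quoted values; a multi-select stored as repeated "Department" keys) is an assumption inferred from the formulas, not a format documented on the page.

```python
# Constructed sample values for the custom_field_json column. Their layout
# (quoted values; a multi-select stored as repeated keys) is an assumption
# inferred from the page's LookML formulas, not a documented format.
SAMPLE_SINGLE = '{"Country": "China", "Severity": "High"}'
SAMPLE_SINGLE_LAST = '{"Severity": "High", "Country": "China"}'
SAMPLE_MULTI = ('{"Department":"Finance", "Department":"Legal", '
                '"Department":"IT", "Country": "China"}')


def looker_single_select(custom_field_json, field):
    """Python mirror of the page's single-select calculated field."""
    key = f'"{field}":'
    if key not in custom_field_json:
        return None  # the LookML returns null when the key is absent
    # Drop everything up to and including the key (position + length in LookML).
    rest = custom_field_json[custom_field_json.find(key) + len(key):]
    # If another field follows, cut at the closing quote-comma; otherwise
    # keep the remainder, which still carries the closing brace.
    # (Python's find() is 0-based; LookML position() is 1-based, but the
    # result is identical once the quotes are stripped below.)
    cut = rest.find('",')
    value = rest[:cut] if cut >= 0 else rest
    # Same three replace() calls as the formula: ' "', then '"', then '}'.
    return value.replace(' "', '').replace('"', '').replace('}', '')


def looker_multi_select(custom_field_json, field):
    """Python mirror of the page's multi-select calculated field."""
    key = f'"{field}"'
    if key not in custom_field_json:
        return None
    tail = custom_field_json[custom_field_json.find(key):]
    # Collapse each repeated '", "Department":"' separator into a comma,
    # then strip the leading '"Department":"' prefix.
    joined = tail.replace(f'", {key}:"', ',').replace(f'{key}:"', '')
    # Keep the text up to the quote that closes the last value.
    end = joined.find('"')
    return joined if end < 0 else joined[:end]


if __name__ == "__main__":
    print(looker_single_select(SAMPLE_SINGLE, "Country"))       # China
    print(looker_single_select(SAMPLE_SINGLE_LAST, "Country"))  # China
    print(looker_multi_select(SAMPLE_MULTI, "Department"))      # Finance,Legal,IT
```

Run it with your own exported custom_field_json values to confirm the formulas produce the dimension values you expect, in particular for a field that is last in the JSON and for a multi-select with several selections.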
Filter custom fields in Looker
Filtering in Looks:
To filter both single-select and multi-select custom fields in a Look, you can directly use the custom dimension field created with the preceding formulas.
Filtering on Dashboards:
To filter custom fields on dashboards, you must reference the underlying JSON value from the Explore and use the appropriate values in the filter.
- Single-select fields: For example, to filter for cases where the Country custom field is China, you might use the filter condition %"Country": "China"% (the exact syntax might vary slightly depending on the Looker version).
- Multi-select fields: To filter multi-select fields on dashboards, reference the JSON value and use the syntax appropriate to your filtering needs (for example, matching any or all of the selected values).
What's next
- Define default case view (Admin)
- Define default alert view (Admin)
- Explore the Case Overview tab
- View alert overview tab
- Using Advanced SOAR reports