Cases overview

Google Security Operations ingests alerts from a variety of sources. Each alert is ingested with its underlying base security events. Those security events are analyzed, and their indicators, such as sources, destinations, and artifacts, are extracted into objects called entities. Each entity stored in the platform collects data on it, including comments, enrichment data, and reports, letting analysts review this history when handling future cases involving that entity. The same entities are also placed on the canvas for the visual representation of the threat.

The Cases page provides analysts a way to investigate incoming security alerts and safeguard workstations. Cases are generated by alerts from the SIEM platform. Further alerts linked to the same entities may be grouped into an existing case based on a flexible configuration. In addition, analysts can create manual cases and simulated cases and ingest specific data.

A list of cases ingested into the system from the various connectors appears in the case queue, located on the left side of the page. The case queue displays the cases with their basic details, such as case name, case timestamp, case ID number (unique to each case), the number of associated alerts, and a thumbnail of the analyst handling the case. Cases in the queue appear in the default view or the compact view.

The analyst can also switch to List View, for a tabler-based Overview of all the cases to be worked on.

The Case Top Bar displays important identifying information as well as actions that can be performed on cases. The left side of the Case Top Bar displays the case title, ID, priority, stage, timestamp, and the Manage tags feature, which shows any tags associated with the case. The right side of the Case Top Bar displays the analyst's name or role, Chat, Close Case, Refresh, Explore, and the Case Actions menu. For more information, see What's on the Cases page?

The Case Overview tab displays information relevant to the case, based on widgets that can be configured by the administrator. For more information, see What's on the Case Overview tab?. The Case Wall tab is a case event log that contains all the case information since it was created until it is closed. For more information, see What's on the Case Wall tab? Alerts attached to the case are displayed in the Alert Overview tab. This tab displays crucial information and events associated with the case.

Playbooks are a defined set of actions that gather information about the alerts from internal and external sources and take appropriate decisions on how to proceed with them or conduct an operation on a remote system, such as blocking a firewall port or disabling an Active Directory user. Google SecOps performs these actions automatically or semi-automatically based on the playbook triggers on any alert ingestion.

The case queue is automatically refreshed every minute. You can also refresh the case queue items manually, sort them as required, use filters to narrow your case queue items, add cases to the existing queue, and close cases.