Create a manual case

You can manually create a case to enter specific data. This is useful when you need to ingest information about an alert that was reported from a source that isn't integrated with your detection pipeline (for example, alerts reported from non-cyber channels).

  1. On the Cases page, click Add > Create Manual Case.
  2. Enter the following case properties:
    • Case Title: Enter a title for the new case.
    • Creation Reason: Enter the reason for creating the case. 
    • Environment: Select the specific environment being monitored.
    • Assigned To: Assign the case to a specific role or user.
    • Priority: Set the priority level for the case.
    • Mark as Important: Turn on the Mark as important toggle if the case should be flagged as important.
  3. Click Next.
  4. In the Alert step, enter the following alert information:
    • Alert Name: Enter a name for the security alert.
    • Occurrence Time: In the calendar, select the date and time the alert occurred.
    • SLA: Specify a date and time by which the SOC team should resolve the case.
  5. Click Next.
  6. In Entities, select any required existing entities. You can:
    • Add an existing entity or create a new one with a corresponding identifier.
    • Mark an entity as suspicious (this highlights it in red).
  7. Click Next.
  8. In Tags, select any existing tags, create new tags, or leave blank, according to your needs.
  9. Click Next.
  10. In Playbooks, select any relevant playbooks to be attached to the alerts.
  11. Click Finish.
