You can manually create a case to enter specific data. This is useful when you
need to ingest information on an alert; for example, information that was reported
from sources that aren't integrated with your detection pipeline (for example,
alerts reported from non-cyber channels).
1. On the Cases page, click Add > Create Manual Case.
2. Enter the following case properties:
   - Case Title: Enter a title for the new case.
   - Creation Reason: Enter the reason for creating the case.
   - Environment: Select the specific environment being monitored.
   - Assigned To: Assign the case to a specific role or user.
   - Priority: Set the priority level for the case.
   - Mark as Important: Click the Mark as important toggle on if the case should be flagged as important.
3. Click Next.
4. In the Alert step, enter the following alert information:
   - Alert Name: Enter a name for the security alert.
   - Occurrence Time: In the calendar, select the date and time the alert occurred.
   - SLA: Specify a date and time by which the SOC team should resolve the case.
5. Click Next.
6. In Entities, select any required existing entities. You can:
   - Add an existing entity or create a new one with a corresponding identifier.
   - Mark an entity as suspicious (this highlights it in red).
7. Click Next.
8. In Tags, select any existing tags, create new tags, or leave it blank, according to your needs.
9. Click Next.
10. In Playbooks, select any relevant playbooks to be attached to the alerts.
Last updated 2025-08-24 UTC.