This document explains how administrators can configure a unified default view
for all cases shown on the Cases page. This unified view helps analysts
quickly assess and act on the most critical case information.
To define a default view, do the following:
Go to Settings > Case Data > Views > Default Case View.
Access the Default Case View
The Default Case View editor displays a set of system widgets—some of
which are provided by Google Security Operations Marketplace integrations—and a
layout template where you can place them. Use the editor to build a case overview
that meets your organization's needs.
Customize your view layout
You can customize the layout by dragging widgets from the side pane into the
layout area. Available widgets include the following:
Custom Fields Form: Displays any custom fields you've defined.
Analysts can use this section to enter structured case data. Learn how to
create custom fields.
Alerts: Displays alert-level information for all alerts
grouped into the case, including alert name, number of events, and priority.
Case Description: A free-text field for analysts to enter notes or context about the case.
Entities Highlights: Displays highlighted fields for each entity associated with the case.
Latest Case Wall Activity: Displays recent activities posted to the case wall within a configurable time window.
Pending Actions: Lists all playbook actions that require analyst input to keep the playbook running.
Recommendations: Displays similar cases and suggests
analysts and tags to assign to the case.
Statistics: Displays the distribution of selected entity
fields.
HTML: Supports HTML code for creating insights and injecting relevant information from playbook results. Includes an option to return safe code that omits potentially malicious JavaScript.
Key Value: Displays a single key-value pair, such as `Key: Product`, `Value: [Alert.Product]`.
Free Text: Lets you display static free-text content in the case overview.
Entities Graph: Displays a visual graph and details of the case entities.
Insights: Shows insights from playbooks, general logic, or manual analyst input in HTML format.
Quick Actions: Displays action buttons that let
analysts run predefined actions on cases directly from the case
overview. For more information, see Create a Quick Action.
Gemini Summary: Provides an AI-generated case summary and
remediation suggestions.
Composite Detections: Available for users of both Google SecOps SIEM and SOAR. This widget
helps analysts understand the components of alerts within a case. For
composite alerts (from chained rules), this
widget shows:
Contributing detections
Alert lineage
Associated UDM events
For single alerts, it displays only their specific UDM events. This helps analysts understand alert structure and root cause.
Add widgets
To add widgets to the layout, do the following:
Drag a widget from the pane to the template on the right.
Rearrange the widgets as needed to create your preferred layout.
Edit widgets
To configure or update a widget:
Click Configuration (the settings icon). Some widgets offer additional
fields for configuration. For example, in the Latest Case Wall Activity widget, you can
specify the timeframe and activity types.
On the Cases page, update the widget title, tooltip, or width (50% or 100%), as needed.
Click Save.
Last updated 2025-08-29 UTC.