Actions you can take on a case

Supported in:

Mark a case as important

When you want to highlight a case, you can mark it as important. You can also remove the Important tag from the same menu.

To mark a case as important, complete the following steps:

  1. Click format_list_bulleted Case Actions in the top right corner of the page.
  2. Select Mark as important; a yellow triangle icon appears with the case.

Incident

When a case assigned to you is considered extremely crucial and needs immediate attention, you can mark it as an incident. Raising an incident sets the case priority to critical, changes the case stage to Incident, assigns the case to the SOC Manager, and a notification is sent to all analysts. 

To mark a case that is assigned to you as an incident, complete the following steps:

  1. Click format_list_bulleted Case Actions in the top right corner of the page and select Incident.
  2. Click Yes in the Confirmation dialog.

Stage

If you are assigned a case, you can change its stage, in accordance with your organization's case management procedures. 

To change a case stage, complete the following steps:

  1. Select a case from the queue.
  2. Click format_list_bulleted Case Actions in the top right corner of the page and select Stage.
  3. Select a stage from the following:
    • Triage: default and the initial phase of a case once it's created.
    • Assessment: the case is assigned to the next tier for assessment.
    • Investigation: the case is assigned for further investigation of the alerts and entities involved. 
    • Improvement: mark a case as an "Improvement" to remind yourself to refine SOC rules or conduct further investigation after analysts have completed their initial handling. 
    • Research: investigate the case further, including how external entities gained access to your organization.
    • Incident: the last phase of the case where it becomes crucial.  After marking a case as an incident, you can't revert or change it to any other stage.
  4. Click Save.

Priority

As a best practice, Google recommends adjusting the alert priority rather than the case priority.
For more information, see Changing Alert Priority Instead of Case Priority.

To change the priority of a case:

  1. Select the case from the queue.
  2. Click format_list_bulleted Case Actions in the top right corner of the page and select Priority.
  3. Choose a priority level from the following options. Note that each priority is represented by a specific color:
    • Informative (gray)
    • Low (blue)
    • Medium (yellow)
    • High (orange)
    • Critical (red)
  4. Click OK. The case priority is changed.
  5. To change the case bar color, click the color swatch on its left side.
prioritycolor

Report

You can download a report as a .doc, .xlsx, or a .csv file that contains the following information:

  • Case details
  • Alerts, entities and insights of the case
  • User and system activities on the case
  • Playbook action and case activity
  • All information included in the case wall

To download a report, perform the following steps:

  1. Select a case from the queue.
  2. Click format_list_bulleted Case Actions in the top right corner of the page and select Report.
  3. Select the file type from the menu, and then click Select.
  4. Open the downloaded document to see the results.

Need more help? Get answers from Community members and Google SecOps professionals.