What actions can you take on a case?

Supported in:

Mark as important

When an analyst wants to highlight a case, they can mark it as important. The analyst can also remove the Important tag if required from the same menu.

To mark a case as important:

  1. Click format_list_bulleted Case Actions in the top right corner of the page and select Mark as important.
  2. A yellow triangle icon is then displayed with the case.

Incident

When a case is considered extremely crucial and needs immediate attention, the analyst can mark it as an incident. Raising an incident sets the case priority to critical, changes the case stage to Incident, assigns the case to the SOC Manager and a notification is sent to all analysts. 

To mark a case that is assigned to you as an Incident:

  1. Click format_list_bulleted Case Actions in the top right corner of the page and select Incident.
  2. Click Yes in the Confirmation dialog box.

Stage

You can change a case stage, if it's assigned to you, based on your organizational case management methods. 

To change a case stage:

  1. Select a case from the queue.
  2. Click format_list_bulleted Case Actions in the top right corner of the page and select Stage.
  3. Select a stage from the following:
    • Triage: Default and the initial phase of a case once it is created.
    • Assessment: The case is assigned to the next tier for assessment.
    • Investigation: The case is assigned for further investigation of the alerts and entities involved. 
    • Improvement: Can mark case as Improvement as a reminder to improve SOC rules or for further investigation after the analysts have finished handling it. 
    • Research: The case is further researched for factors such as how the external entities got into your organization and so on.
    • Incident: The last phase of the case where it becomes crucial. After marking a case as an incident, you cannot revert/change it to any other stage.
  4. Click Save.

Priority

Google recommends changing the priority of an alert and not the priority of a case as best practice.
For more information, see Changing Alert Priority Instead of Case Priority.

To change the priority of a case:

  1. Select a case from the queue.
  2. Click format_list_bulleted Case Actions in the top right corner of the page and select Priority.
  3. Select a priority from the following. Note that each priority is represented by the following colors:
    • Informative (grey)
    • Low (blue)
    • Medium (yellow)
    • High (orange)
    • Critical (red)
  4. Click OK. The case priority is changed.
  5. You can also click the color directly on left side of the top bar and change it from there.
prioritycolor

Report

You can download a report as a .doc, .xlsx, or a .csv file which contains the following information:

  • Case details
  • Alerts, entities and insights of the case
  • User and system activities on the case
  • Playbook action and Case Activity
  • All information included in the case wall

To download a report:

  1. Select a case from the queue.
  2. Click format_list_bulleted Case Actions in the top right corner of the page and select Report.
  3. Select the file type from the menu, and then click Select.
  4. Open the downloaded document to see the results.

Need more help? Get answers from Community members and Google SecOps professionals.