Review case-level data in the Overview tab

When you open a case that contains multiple alerts, you're redirected to the Case Overview tab. This tab provides an overview of all case-related information.

Depending on your widget configuration, you may find the following widgets in the Case Overview tab:

  • Custom Fields Form: Fill in values for custom fields defined for the case. Click Edit to open the form.
  • Pending Actions: Displays actions that require your input to keep the playbook running.
  • Case description: Add or view a summary of the case.
  • Alerts: Lists alerts grouped in the case, including their names, event counts, and priority.
  • Insights: Displays insights generated by playbook actions, general analysis, or manual inputs in HTML format.
  • Entities highlights: Displays the entities associated with the case, as follows:
    • Click an entity to open the Entity Explorer and view the details.
    • Click View More to open a side drawer with the entity details. This can help when you want to view the details before taking an action.
    • Use this view to launch a manual action directly on the entity.
  • Latest case wall activity: Displays a timeline of case wall activity for a selected period.
  • Recommendations: Suggests similar cases, recommended analysts, and relevant tags. You can compare related cases with the current one.
  • Statistics: Shows distribution graphs for selected entity fields.
  • Entities graph: Displays a visual graph of case entities. Click any entity to view details in the side drawer.
  • HTML: Renders HTML content from playbook results. Optionally, restricts JavaScript to show only safe code.
  • Key value: Displays key-value pairs extracted from alerts or entities (for example, Key: Product, Value: [Alert.Product]).
  • Free text: Displays unstructured information defined by your administrator.
  • Gemini Summary: Shows an AI-generated summary with recommendations for remediation.
  • Quick Actions: Lets you run predefined actions directly from the Case Overview tab.
  • Composite Detections: Available only to Google SecOps customers who use both SIEM and SOAR. This widget helps you understand the components of alerts within a case.
    • For composite alerts (from chained rules), it shows contributing detections, alerts, and their associated Unified Data Model (UDM) events.
    • For non-composite alerts, it displays UDM events associated with that alert.
