Review case-level data in the Overview tab
When you open a case that contains multiple alerts, you're redirected to the Case Overview tab. This tab provides an overview of all case-related information.
Depending on your widget configuration, you may find the following widgets in the Case Overview tab:
- Custom Fields Form: Fill in values for custom fields defined for the case. Click Edit to open the form.
- Pending Actions: Displays actions that require your input to keep the playbook running.
- Case description: Add or view a summary of the case.
- Alerts: Lists alerts grouped in the case, including their names, event counts, and priority.
- Insights: Displays insights generated by playbook actions, general analysis, or manual inputs in HTML format.
- Entities highlights: Displays the entities associated with the case, as follows:
  - Click an entity to open the Entity Explorer and view the details.
  - Click View More to open a side drawer with the entity details. This can help when you want to view the details before taking an action.
  - Use this view to launch a manual action directly on the entity.
- Latest case wall activity: Displays a timeline of case wall activity for a selected period.
- Recommendations: Suggests similar cases, recommended analysts, and relevant tags. You can compare related cases with the current one.
- Statistics: Shows distribution graphs for selected entity fields.
- Entities graph: Displays a visual graph of case entities. Click any entity to view details in the side drawer.
- HTML: Renders HTML content from playbook results. Optionally restricts JavaScript so that only safe code is rendered.
- Key value: Displays key-value pairs extracted from alerts or entities (for example, Key: Product, Value: [Alert.Product]).
- Free text: Displays unstructured information defined by your administrator.
- Gemini Summary: Shows an AI-generated summary with recommendations for remediation.
- Quick Actions: Lets you run predefined actions directly from the Case Overview tab.
- Composite Detections: Available only to Google SecOps customers who use both SIEM and SOAR. This widget helps you understand the components of alerts within a case.
  - For composite alerts (from chained rules), it shows contributing detections, alerts, and their associated Unified Data Model (UDM) events.
  - For non-composite alerts, it displays UDM events associated with that alert.