This document explains how a security engineer can create customized alert
views on each playbook for specific Google SecOps roles. The
customized alert views make sure that each Google SecOps user can
see the alerts tailored to their specific needs.
You create the views in the playbook designer and are composed of various
widgets that you can drag, drop, and edit to create the required view based on
the playbook results. For a detailed description of all widgets, see Default alert view.
By creating customized alert views, you can decide, in
advance, what information you want to display to different roles. For
example, if you have a collaborator user and you created a SecOps
role for that user called Premium Customer Role, you can then build a
view that contains only the information that fits their role without compromising your organization's security.
If you don't define a view for a specific SecOps role, users with that role will see the default alert view.
The customized alert view configuration within the playbook designer may include
the following widgets:
Entity Highlights: View entities associated with the alert.
If you're a Google SecOps customer, click Explore to
be redirected to the alert Asset page to perform more actions. The page
you land on depends on the type of entity. For more information, see
Investigation views.
If you need more detailed information before taking action, click the entity
to go to the Entity Explorer page and view its full details.
To have a quick look prior to taking action, click View Details and a
side drawer opens with the entity's highlights.
To run a specific action on an entity, you can click
settings
and
create a manual action from here.
Events Table: View all alert events and their properties.
Click any of the table rows to open a side drawer to see events details.
HTML: View the HTML code that contains relevant information
from the playbook results.
Free Text: View Admin-defined information.
Key Value: View specific details from various sources and
display them in the view. For example: Key- Product Value- [Alert.Product]
Entities Graph: View a visual graph and other case entity
details. Click an entity and a side drawer opens.
Insights: This widget contains all the Insights from the
Playbook insights actions, general insights and any other insights you have
added. They will be presented in HTML format.
Pending Actions: Quickly view all actions awaiting your
input to keep the playbook running.
Quick Actions: This widget provides analysts with immediate
access to relevant actions directly within the alert context. For detailed
instructions on configuring Quick Actions, including defining actions and
parameters, see Create a Quick Action.
Create a customized alert view
This example shows how to build a customized alert view on
a phishing email for a Tier One role.
To add a customized alert view:
Go to the alert's Overview tab.
On the Playbooks page, go to the Phishing Email playbook and
click Add View.
Enter an appropriate template name, choose the required role, and then
click Add; in this case, Tier One.
Create your customized view by selecting from the following widgets.
Drag the selected widgets into the view and then configure them according to
your requirements.
Add a Pending Actions widget.
Add two Free Text widgets. One is displayed, if
there's an approval action. This contains the following placeholder: [Case Outcome - Block approved .ScriptResult]
The other widget appears if the outcome isn't approved.
[Case Outcome - Block not approved .ScriptResult]
Add another Free Text widget and name it
Attack Details - Mitre. This contains the following placeholder:
[Mitre Attack Details.ScriptResult].
Add the Entities Highlights widget.
Add a JSON widget, and add the following placeholder:
[Exchange_Search Mails_1.JsonResult].
Add the HTML widget.
Once the appropriate alert has been ingested into the system and the
playbook has run, the Tier One role user can enter the platform and see the
alert Overview with the playbook results.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eSecurity engineers can create customized alert views within playbooks, tailoring the information displayed to different SOC roles in the Cases page's Overview tab.\u003c/p\u003e\n"],["\u003cp\u003eCustomized alert views allow administrators to predetermine the specific information shown to different roles, ensuring data relevance and maintaining organizational security.\u003c/p\u003e\n"],["\u003cp\u003eViews are built in the playbook designer by using various widgets that can be dragged, dropped, and configured, with the default view being used if a specific view for a role is not created.\u003c/p\u003e\n"],["\u003cp\u003eThe process of adding a customized alert view involves navigating to the desired playbook, selecting "Add View," entering a template name and role, and configuring the layout with widgets, such as Pending Actions, Free Text, Entities Highlights, JSON, and HTML.\u003c/p\u003e\n"],["\u003cp\u003eThe widgets will only display information to the user, if the playbook has generated results.\u003c/p\u003e\n"]]],[],null,["# Define customized alert views from Playbook Designer\n====================================================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nThis document explains how a security engineer can create customized alert\nviews on each playbook for specific Google SecOps roles. The\ncustomized alert views make sure that each Google SecOps user can\nsee the alerts tailored to their specific needs.\n\n\nYou create the views in the playbook designer and are composed of various\nwidgets that you can drag, drop, and edit to create the required view based on\nthe playbook results. For a detailed description of all widgets, see [Default alert view](/chronicle/docs/soar/investigate/working-with-alerts/define-default-\nalert-view-admin).\n| **Note:** If a user is newly assigned to a SOC role, the custom alert view for a playbook may not appear immediately. To resolve this, rerun the playbook to render the view.\n\n\nBy creating customized alert views, you can decide, in\nadvance, what information you want to display to different roles. For\nexample, if you have a collaborator user and you created a SecOps\nrole for that user called *Premium Customer Role*, you can then build a\nview that contains only the information that fits their role without compromising your organization's security.\n\n\nIf you don't define a view for a specific SecOps role, users with that role will see the default alert view.\n| **Note:** A widget won't display for the user if there are no results.\nThe customized alert view configuration within the playbook designer may include the following widgets:\n\n- **JSON results** : View a [JSON](https://en.wikipedia.org/wiki/JSON) result in the system.\n- **Entity Highlights**: View entities associated with the alert.\n - If you're a Google SecOps customer, click **Explore** to be redirected to the alert **Asset** page to perform more actions. The page you land on depends on the type of entity. For more information, see [Investigation views](/chronicle/docs/investigation/investigation-views).\n - If you need more detailed information before taking action, click the entity to go to the **Entity Explorer** page and view its full details.\n - To have a quick look prior to taking action, click **View Details** and a side drawer opens with the entity's highlights.\n - To run a specific action on an entity, you can click settings and create a manual action from here.\n- **Events Table**: View all alert events and their properties. Click any of the table rows to open a side drawer to see events details.\n- **HTML**: View the HTML code that contains relevant information from the playbook results.\n- **Free Text**: View Admin-defined information.\n- **Key Value**: View specific details from various sources and display them in the view. For example: Key- Product Value- \\[Alert.Product\\]\n- **Entities Graph**: View a visual graph and other case entity details. Click an entity and a side drawer opens.\n- **Insights**: This widget contains all the Insights from the Playbook insights actions, general insights and any other insights you have added. They will be presented in HTML format.\n- **Pending Actions**: Quickly view all actions awaiting your input to keep the playbook running.\n- **Quick Actions** : This widget provides analysts with immediate access to relevant actions directly within the alert context. For detailed instructions on configuring Quick Actions, including defining actions and parameters, see [Create a Quick Action](/chronicle/docs/soar/investigate/working-with-cases/quick-actions).\n\nCreate a customized alert view\n------------------------------\n\n\nThis example shows how to build a customized alert view on\na phishing email for a Tier One role.\n**To add a customized alert view:**\n\n1. Go to the alert's **Overview** tab.\n2. On the **Playbooks** page, go to the **Phishing Email** playbook and click **Add View**.\n3. Enter an appropriate template name, choose the required role, and then click **Add** ; in this case, *Tier One*.\n4. Create your customized view by selecting from the following widgets. Drag the selected widgets into the view and then configure them according to your requirements.\n5. Add a **Pending Actions** widget.\n6. Add two **Free Text** widgets. One is displayed, if there's an approval action. This contains the following placeholder: \n `[Case Outcome - Block approved .ScriptResult]` \n The other widget appears if the outcome isn't approved. `[Case Outcome - Block not approved .ScriptResult]`\n7. Add another **Free Text** widget and name it `Attack Details - Mitre`. This contains the following placeholder: `[Mitre Attack Details.ScriptResult]`.\n8. Add the **Entities Highlights** widget.\n9. Add a **JSON** widget, and add the following placeholder: `[Exchange_Search Mails_1.JsonResult]`.\n10. Add the **HTML** widget.\n11. Once the appropriate alert has been ingested into the system and the playbook has run, the Tier One role user can enter the platform and see the alert **Overview** with the playbook results.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
