Define customized alert views from playbook designer

Supported in:

The security engineer can create bespoke alert views on each playbook for specific SOC roles. This ensures that each SOC role user will see information specific to their needs in the alerts Overview tab in the Cases page. 

The advantage of creating customized alert views is that you can decide in advance what type of information you want to display to different roles. For example, if you have a collaborator user and you have created a SOC role for them called Premium Customer Role, you can then build a view for them which contains just the information that is suitable for their role and thereby not compromise on your organization's security.  

The views are created in the playbook designer and are composed of various widgets which you can drag, drop and edit to create the required view based on the playbook results. For a detailed description of all the widgets, refer to Default alert view.

If you don't define a view for a specific SOC role, users with this role will see the default alert view instead. 

The customized alert view configuration within the playbook designer may include the following widgets:
  • JSON results: View a JSON result in the system.
  • Entity Highlights: View entities associated with the alert.
    • If you're a Google SecOps customer, click Explore to be redirected to the alert Asset page to perform more actions. The page you land on depends on the type of entity. For more information, see Investigation views.
    • If you need more detailed information before taking action, click the entity to go to the Entity Explorer page and view its full details.
    • To have a quick look prior to taking action, click View Details and a side drawer opens with the entity's highlights.
    • To run a specific action on an entity, you can click settings and create a manual action from here.
  • Events Table: View all alert events and their properties. Click any of the table rows to open a side drawer to see events details.
  • HTML: View the HTML code that contains relevant information from the playbook results.
  • Free Text: View Admin-defined information.
  • Key Value: View specific details from various sources and display them in the view. For example: Key- Product Value- [Alert.Product]
  • Entities Graph: View a visual graph and other case entity details. Click an entity and a side drawer opens.
  • Insights: This widget contains all the Insights from the Playbook insights actions, general insights and any other insights you have added. They will be presented in HTML format.
  • Pending Actions: Quickly view all actions awaiting your input to keep the playbook running.
  • Quick Actions: This widget provides analysts with immediate access to relevant actions directly within the alert context. For detailed instructions on configuring Quick Actions, including defining actions and parameters, see Create a Quick Action.

Example of customized alert view 

Start by looking at an alert Overview tab.

customized alert overview.

Now, the steps taken to build that customized view will be reviewed. In the following procedure, you are going to build a customized alert view on a Phishing email for a Tier One role.

To add a customized alert view:
  1. In the Playbooks page, navigate to the Phishing Email playbook and click Add View in the top right corner.
  2. Enter an appropriate template name and choose the required role, and then click Add. In this case, Tier One.
  3. You create your customized view by selecting from the following widgets. Drag them into the view and then configure them according to your requirements.
  4. Based on the Phishing Email playbook, you know there is at least one pending action for the SOC Role, so start by adding a Pending Actions widget.
  5. Next, add in two Free Text widgets. One is displayed if there is an approval action. This contains the Placeholder:
    [Case Outcome - Block approved .ScriptResult]
    The other widget will be displayed if the outcome is not approved. [Case Outcome - Block not approved .ScriptResult]
  6. Next, add another Free Text widget and call it Attack Details - Mitre. This contains the placeholder - [Mitre Attack Details.ScriptResult]
  7. Next, add Entities Highlights widget.
  8. Next, add a JSON widget, and add the placeholder [Exchange_Search Mails_1.JsonResult]
  9. Finally, add the HTML widget. 
  10. Once the appropriate alert has been ingested into the system and the playbook has run, the Tier One role user can enter the platform and see the alert Overview with the playbook results.

Need more help? Get answers from Community members and Google SecOps professionals.