Define the default alert view
This document describes how an administrator can define the default alert overview shown on the Cases page. The system displays this default view in one of the following two situations:
- The alert lacks an attached playbook.
- The alert has an attached playbook with customized views per role, but no specific view exists for the user's role. For more information about customized alert views, see Define customized alert views from playbook designer.
To define a default view, go to SOAR Settings > Case Data > Views > Default Alert View.
Define widgets in the default alert view
The Default Alert View page displays a list of general widgets and a set of predefined widgets from the Response Integrations. You can customize the view by dragging the widgets into the side template. The default widgets include:
- Custom Fields Form: Displays custom fields for the analyst to complete with additional information about the alert. Learn how to create custom fields.
- Entities Highlights: Displays the highlighted fields for each entity involved in the alert. There are two ways to highlight a field:
  - On the Explore page, choose the entity, select a field, and click Add to highlight. The entity field displays in the widget.
  - Go to SOAR Settings > Data Configuration > Properties Metadata, select a field, and mark it as highlighted. If the field is part of the entity, it appears in the widget.
- Events Table: Displays all alert events and their properties. Choose up to six fields to display in the table. Click the brackets next to each row to reorder the rows and customize default placeholders. You can also add multiple placeholders in every row. In the actual display, click any of the table rows to open a side drawer with detailed event information.
- HTML: Lets you use HTML code to create insights and inject relevant alert information through placeholders.
- Free Text: Lets you add free text to display in the alert and playbook.
- Key Value: Lets you choose specific details from various sources and display them in the view as key-value pairs. For example: Key: Product, Value: [Alert.Product].
- Entities Graph: Visually represents the relationship between the entities, identical to the display you see in the Explore page.
- Insights: Contains all insights from the playbook insights actions, general insights, and other added insights, presented in HTML format.
- Pending Actions: Lists all playbook actions pending user input, letting the analyst identify tasks required to keep the playbook running.
- Quick Actions: Displays action buttons that let analysts execute predefined actions directly from the alert overview. For more information, see Take actions on a case.
- Composite Detections: Available only to Google SecOps customers who use both SIEM and SOAR. This widget helps analysts understand the alert components within a case. For composite alerts (generated by chained rules), the widget displays the contributing detection alerts and Unified Data Model (UDM) events. For single, non-composite alerts, it shows the specific UDM events associated with that alert. This information lets analysts examine the alert's structure and its root causes.
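As an added example (not taken from this documentation), the following HTML widget body shows how placeholders inject alert details into a small triage panel. [Alert.Product] is the placeholder shown on this page; [Alert.Name] and [Alert.Priority] are assumed placeholder names and should be checked against the placeholder picker in your environment.

```html
<!-- Added example: body of an HTML widget in the default alert view.
     [Alert.Product] is the placeholder used on this page;
     [Alert.Name] and [Alert.Priority] are assumed names. -->
<div style="font-family: sans-serif; padding: 8px;">
  <h3 style="margin: 0 0 6px 0;">Triage summary</h3>
  <table style="border-collapse: collapse;">
    <tr>
      <td style="padding: 2px 8px; font-weight: bold;">Alert</td>
      <td style="padding: 2px 8px;">[Alert.Name]</td>
    </tr>
    <tr>
      <td style="padding: 2px 8px; font-weight: bold;">Source product</td>
      <td style="padding: 2px 8px;">[Alert.Product]</td>
    </tr>
    <tr>
      <td style="padding: 2px 8px; font-weight: bold;">Priority</td>
      <td style="padding: 2px 8px;">[Alert.Priority]</td>
    </tr>
  </table>
  <p style="margin-top: 6px; color: #555;">
    Placeholders are replaced with the alert's values when the view is rendered,
    so the same widget works for every alert that falls back to the default view.
  </p>
</div>
```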
Add widgets
To add a widget to the default alert view, follow these steps:
- Go to SOAR Settings > Case Data > Views > Default Alert View.
- Drag a widget into the template.
- Rearrange the widgets at any time to achieve the view you want.
Edit widgets
- Click Configuration (the settings icon) in the widget you want to edit.
- Edit the title, description (the tooltip), and the width (50% or 100%).
- Click Save.