The administrator can define a default overview for alerts, which is
displayed on the Cases page in one of the following situations:
The alert doesn't have an attached playbook.
The alert has an attached playbook with customized views per role, but
there's no defined view for the user's role. For more information about
customized alert views, see
Define customized alert views from playbook designer.
To define a default view, go to SOAR Settings > Case Data > Views > Default Alert View.
Define widgets on the default alert view
The Default Alert View displays a list of general widgets as well as a
set of predefined widgets coming from the marketplace integrations. You can
customize the view by dragging the widgets from the left pane into the template
on the right. The default widgets include:
Custom Fields Form: Displays custom fields for the analyst
to complete with additional information about the alert. Learn how to
create custom fields.
Entities Highlights: Displays the highlighted fields for
each entity involved in the alert. There are two ways to highlight a field:
From the Explore page, choose the entity, select a field, and
click Add to highlight. The entity field displays in the widget.
Go to SOAR Settings > Data Configuration > Properties Metadata,
select a field, and mark as highlighted. If the field is part of the
entity, it displays in the widget.
Events Table: Displays all alert events and their
properties. Choose up to six fields to display in the table. You can
reorder the table rows and customize default placeholders by clicking the
brackets to the right of the row. You can also add multiple placeholders
in every row. In the actual display, you can click any of the table rows to
open a side drawer that contains more events details.
HTML: Lets you use HTML code to create insights and inject
relevant alert information through placeholders.
You can choose to return safe code without including potentially harmful
JavaScript. When using the Video or Layout 6 presets in the
HTML widget, some video sites like YouTube and files.fm aren't supported.
You can use Sendspark instead.
Free Text: Lets you add free text to display in the alert
and playbook.
Key Value: Lets you choose specific details that come from
various sources and display them in view. For example: Key – Product Value –
[Alert.Product]
Entities Graph: visually represents the relationship
between the entities, identical to the display you see in the Explore
page.
Insights: Contains all insights from the playbook insights
actions, general insights, and other added insights, presented in HTML
format.
Pending Actions: Lists all playbook actions pending
user input, letting the analyst to quickly identify tasks needed to keep the
playbook running.
Quick Actions: Displays action buttons that let analysts
execute predefined actions directly from the alert overview. For
more information, see Create a Quick Action.
Composite Detections: Available only to
Google SecOps customers who use both SIEM and SOAR. This widget
helps analysts understand the components of alerts within a case. For
composite alerts (generated by
chained rules), the
widget displays the contributing detections and alerts, along with their
detailed UDM events. For single, non-composite alerts, it shows the specific
UDM events associated with that alert. This lets analysts examine the
structure of an alert and its causes.
The screen comes with a default set of widgets designed for maximum value, but
you can add, remove, or edit them as needed. The default widgets include:
Alert Details: displays basic details of the alert, such as
the alert name, device product, alert severity, and risk score.
Pending Actions
Entities Highlights
Events
Insights
Add widgets
Drag a widget from the left side of the screen into the template on the right.
You can rearrange the widgets at any time to achieve the view that you want.
Edit widgets
Click
settings
Configuration in the widget being edited.
Edit the title, description (the tooltip), and the width
(50% or 100%).
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-07 UTC."],[[["\u003cp\u003eAdministrators can define a default alert view in Google SecOps SOAR, which appears on the Cases page for alerts without attached playbooks or when a user lacks a role-specific view.\u003c/p\u003e\n"],["\u003cp\u003eThe default alert view includes a variety of widgets, such as Custom Fields Form, Entities Highlights, Events Table, HTML, Free Text, Key Value, Entities Graph, Insights, and Pending Actions, that provide information and context about the alert.\u003c/p\u003e\n"],["\u003cp\u003eUsers can customize the default alert view by dragging and dropping widgets into the template and rearranging them as needed, offering control over the information presented.\u003c/p\u003e\n"],["\u003cp\u003eWidgets can be edited to change their titles, descriptions, and widths, with some offering additional configuration fields to display specific details about the alert.\u003c/p\u003e\n"],["\u003cp\u003eThe default alert view has predefined widgets from the marketplace, and a variety of default widgets that can be added, removed and moved around as needed.\u003c/p\u003e\n"]]],[],null,["# Define default alert view (Admin)\n=================================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nThe administrator can define a default overview for alerts, which is\ndisplayed on the **Cases** page in one of the following situations:\n\n- The alert doesn't have an attached playbook.\n- The alert has an attached playbook with customized views per role, but there's no defined view for the user's role. For more information about customized alert views, see [Define customized alert views from playbook designer](/chronicle/docs/soar/respond/working-with-playbooks/define-customized-alert-views-from-playbook-designer).\n\nTo define a default view, go to **SOAR Settings \\\u003e Case Data \\\u003e Views \\\u003e Default Alert View**.\n\nDefine widgets on the default alert view\n----------------------------------------\n\nThe **Default Alert View** displays a list of general widgets as well as a\nset of predefined widgets coming from the marketplace integrations. You can\ncustomize the view by dragging the widgets from the left pane into the template\non the right. The default widgets include:\n\n- **Custom Fields Form** : Displays custom fields for the analyst to complete with additional information about the alert. Learn how to [create custom fields](/chronicle/docs/soar/investigate/working-with-cases/adding-custom-fields).\n- **Entities Highlights**: Displays the highlighted fields for each entity involved in the alert. There are two ways to highlight a field:\n - From the **Explore** page, choose the entity, select a field, and click **Add to highlight**. The entity field displays in the widget.\n - Go to **SOAR Settings \\\u003e Data Configuration \\\u003e Properties Metadata**, select a field, and mark as highlighted. If the field is part of the entity, it displays in the widget.\n- **Events Table**: Displays all alert events and their properties. Choose up to six fields to display in the table. You can reorder the table rows and customize default placeholders by clicking the brackets to the right of the row. You can also add multiple placeholders in every row. In the actual display, you can click any of the table rows to open a side drawer that contains more events details.\n- **HTML** : Lets you use HTML code to create insights and inject relevant alert information through placeholders. \n You can choose to return safe code without including potentially harmful JavaScript. When using the **Video** or **Layout 6** presets in the HTML widget, some video sites like YouTube and files.fm aren't supported. You can use Sendspark instead.\n- **Free Text**: Lets you add free text to display in the alert and playbook.\n- **Key Value**: Lets you choose specific details that come from various sources and display them in view. For example: Key -- Product Value -- \\[Alert.Product\\]\n- **Entities Graph** : visually represents the relationship between the entities, identical to the display you see in the **Explore** page.\n- **Insights**: Contains all insights from the playbook insights actions, general insights, and other added insights, presented in HTML format.\n- **Pending Actions**: Lists all playbook actions pending user input, letting the analyst to quickly identify tasks needed to keep the playbook running.\n- **Quick Actions** : Displays action buttons that let analysts execute predefined actions directly from the alert overview. For more information, see [Create a Quick Action](/chronicle/docs/soar/investigate/working-with-cases/quick-actions).\n- **Composite Detections** : Available only to Google SecOps customers who use both SIEM and SOAR. This widget helps analysts understand the components of alerts within a case. For composite alerts (generated by [chained rules](/chronicle/docs/detection/rule-chaining)), the widget displays the contributing detections and alerts, along with their detailed UDM events. For single, non-composite alerts, it shows the specific UDM events associated with that alert. This lets analysts examine the structure of an alert and its causes.\n\n\nThe screen comes with a default set of widgets designed for maximum value, but\nyou can add, remove, or edit them as needed. The default widgets include:\n\n- **Alert Details**: displays basic details of the alert, such as the alert name, device product, alert severity, and risk score.\n- **Pending Actions**\n- **Entities Highlights**\n- **Events**\n- **Insights**\n\nAdd widgets\n-----------\n\n1. Drag a widget from the left side of the screen into the template on the right.\n2. You can rearrange the widgets at any time to achieve the view that you want.\n\nEdit widgets\n------------\n\n1. Click settings **Configuration** in the widget being edited.\n2. Edit the title, description (the tooltip), and the width (50% or 100%). **Note:** Some widgets offer additional fields to configure. For example, in the **Alert Details**, you can include various keys and values to provide more information about the alert.\n3. Click **Save**.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
