Define default alert view
The administrator can define a default overview for alerts, which is displayed on the Cases page in one of the following situations:
- The alert does not have an attached playbook.
- The alert has an attached playbook with customized views per role, but there's no defined view for the user's role. For more information about customized alert views, see Define customized alert views from playbook designer.
To define a default view, go to SOAR Settings > Case Data > Views > Default Alert View.
Explore widgets on the default alert view
The Default Alert View displays the following widgets:
- Entities Highlights: Displays the highlighted fields for each entity involved in the alert. There are two ways to highlight a field:
  - From the Explore page, choose the entity, select a field, and click Add to highlight. The entity field displays in the widget.
  - Go to SOAR Settings > Data Configuration > Properties Metadata, select a field and mark as highlighted. If the field is part of the entity, it displays in the widget.
- Events Table: Displays all alert events and their properties. Choose up to six fields to display in the table. You can reorder the table rows and customize default placeholders by clicking the brackets to the right of the row. You can also add multiple placeholders in every row. In the actual display, you can click any of the table rows to open a side drawer that contains more event details.
- HTML: Lets you use HTML code to create insights and inject relevant alert information through placeholders. You can choose to return safe code without including potentially harmful JavaScript. When using the Video or Layout 6 presets in the HTML widget, some video sites like YouTube and files.fm aren't supported. You can use Sendspark instead.
- Free Text: Lets you add free text to display in the alert and playbook.
- Key Value: Lets you choose specific bits of information that come from various sources and display them in the view. For example: Key – Product, Value – [Alert.Product]
- Entities Graph: Provides a visual display of the relationship between the entities. It's the same display that you see in the Explore page.
- Insights: Contains all the insights from the playbook insights actions, general insights, and other added insights, presented in HTML format.
- Pending Actions: Lists all playbook actions pending user input. The analyst can now quickly see what needs to be done for the playbook to keep running.
- Alert Details: Displays basic details of the alert, such as the alert name, device product, alert severity, and risk score.
The screen comes with a default set of widgets designed for maximum value, but you can add, remove, or edit them as needed. The default widgets include:
- Pending Actions
- Entities Highlights
- Events
- Insights
Add widgets
- Drag a widget from the left side of the screen into the template on the right.
- You can rearrange the widgets at any time to achieve the view that you want.
Edit widgets
- Click Configuration in the widget you want to edit.
- Edit the title, description (the tooltip), and the width (50% or 100%).
- Click Save.