
Hi everyone,

I'm trying to run queries in the Google SecOps (Chronicle) Native Dashboard using SOAR-related data sources such as Cases, Alerts, Playbooks, and Case History, following the official documentation:

However, when running queries like the one below, I get the following error:

Query

match:
  case.status
outcome:
  $count = count(case.name)

Error

{
  "error": {
    "code": 400,
    "message": "generic::invalid_argument: SOAR data source not supported: invalid argument",
    "status": "INVALID_ARGUMENT",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "domain": "chronicle.googleapis.com"
      }
    ]
  }
}

I've verified that I'm using the documented data sources and fields correctly.


Is there any prerequisite to enable SOAR data sources in the Native Dashboard? Or is this feature not yet generally available?

Any insights would be appreciated.
Thanks in advance!

SOAR data sources aren't available yet - I had the exact same issue a few weeks ago and was asked to speak to our TAM to get access to it once it hits private preview. 

Reach out to your account manager and ask to be added once it becomes available. 


I too have the same issue. I need to build a dashboard for a client on cases, status, pending time, etc. to track SLAs. When can we expect this?


@babu_k ​@phlucas 

This should be out now (for customers on SecOps, for older standalone deployments check your support team)

https://cloud.google.com/chronicle/docs/reports/native-dashboards

 

SOAR data reference
https://cloud.google.com/chronicle/docs/reference/soar-data-dashboard#playbook-run-status-enum

 

You should also have access to the Content Hub, which has some prebuilt content in

https://cloud.google.com/chronicle/docs/secops/content_hub

Two quick examples:

// Example 1: playbook runs per day, per playbook, excluding nested blocks
$playbookDisplayName = playbook.display_name
$playbookStartTime = timestamp.get_date(playbook.start_time.seconds)
playbook.metadata.type = "REGULAR" // NESTED = Blocks

match:
  $playbookDisplayName, $playbookStartTime
outcome:
  $total = count($playbookDisplayName)

// Example 2: cases carrying an APT<n> tag, newest first
case.response_platform_info.response_platform_id = $id
case.display_name = $name
case.tags.name = $tags
$tags = /^APT[0-9]/
timestamp.get_date(case.create_time.seconds) = $created

match:
  $name, $created, $id, $tags
order:
  $created desc
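
Building on the two queries above, an added example that is not from this post or from Google's documentation: a case-status breakdown per creation day, the kind of query the SLA-tracking question earlier in the thread asks for. It assumes only fields that already appear in this thread (case.status, case.name, case.create_time) and that timestamp.get_date on create_time behaves in a dashboard query exactly as it does in the second example above.

```yara-l
// Added example (not from the post): case counts per creation day and status.
// Assumed fields, all taken from this thread: case.status, case.name, case.create_time.
$status = case.status
$created = timestamp.get_date(case.create_time.seconds)

match:
  $created, $status
outcome:
  $cases = count(case.name)
order:
  $created desc
```

Pinning the date first in the match block keeps one row per day and status, so the resulting table (or a stacked bar chart on $created with $status as the series) shows how many cases in each state were opened each day; if the query still returns the "SOAR data source not supported" error, the SOAR sources have not been enabled on the tenant yet and the account team is the right contact.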

 

