Solved

Error "SOAR data source not supported" when querying Cases and Alerts in Native Dashboard

  • May 26, 2025
  • 4 replies
  • 166 views

phlucas

Hi everyone,

I'm trying to run queries in the Google SecOps (Chronicle) Native Dashboard using SOAR-related data sources such as Cases, Alerts, Playbooks, and Case History, following the official documentation:

However, when running queries like the one below, I get the following error:

Query

match:
  case.status
outcome:
  $count=count(case.name)

Error

{
  "error": {
    "code": 400,
    "message": "generic::invalid_argument: SOAR data source not supported: invalid argument",
    "status": "INVALID_ARGUMENT",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "domain": "chronicle.googleapis.com"
      }
    ]
  }
}

I've verified that I'm using the documented data sources and fields correctly.


Is there any prerequisite to enable SOAR data sources in the Native Dashboard? Or is this feature not yet generally available?

Any insights would be appreciated.
Thanks in advance!

4 replies

_K_O
  • Bronze 5
  • Answer
  • May 27, 2025

SOAR data sources aren't available yet - I had the exact same issue a few weeks ago and was asked to speak to our TAM to get access to it once it hits private preview. 

Reach out to your account manager and ask to be added once it becomes available. 


babu_k
  • Staff
  • August 8, 2025

I too have the same issue. I need to work on a dashboard for a client, built on cases, status, pending time, etc., to track SLAs. When can we expect this?


SoarAndy
  • Staff
  • August 11, 2025

@babu_k ​@phlucas 

This should be out now (for customers on SecOps; for older standalone deployments, check with your support team).

https://cloud.google.com/chronicle/docs/reports/native-dashboards

 

SOAR data reference
https://cloud.google.com/chronicle/docs/reference/soar-data-dashboard#playbook-run-status-enum

 

You should also have access to the Content Hub, which has some prebuilt content in it:

https://cloud.google.com/chronicle/docs/secops/content_hub

Two quick examples:

// Example 1: daily count of regular playbook runs, per playbook
$playbookDisplayName = playbook.display_name
$playbookStartTime = timestamp.get_date(playbook.start_time.seconds)
playbook.metadata.type="REGULAR" // NESTED = Blocks

match:
  $playbookDisplayName, $playbookStartTime
outcome:
  $total = count($playbookDisplayName)

// Example 2: cases with a tag matching APT followed by a digit, newest first
case.response_platform_info.response_platform_id = $id
case.display_name = $name
case.tags.name = $tags
$tags = /^APT[0-9]/
timestamp.get_date(case.create_time.seconds) = $created

match:
  $name, $created, $id, $tags

order:
  $created desc


kpmarquez_10
  • Bronze 1
  • August 18, 2025

@babu_k ​@phlucas 

This should be out now (for customers on SecOps; for older standalone deployments, check with your support team).

https://cloud.google.com/chronicle/docs/reports/native-dashboards

 

SOAR data reference
https://cloud.google.com/chronicle/docs/reference/soar-data-dashboard#playbook-run-status-enum

 

You should also have access to the Content Hub, which has some prebuilt content in it:

https://cloud.google.com/chronicle/docs/secops/content_hub

Two quick examples:

// Example 1: daily count of regular playbook runs, per playbook
$playbookDisplayName = playbook.display_name
$playbookStartTime = timestamp.get_date(playbook.start_time.seconds)
playbook.metadata.type="REGULAR" // NESTED = Blocks

match:
  $playbookDisplayName, $playbookStartTime
outcome:
  $total = count($playbookDisplayName)

// Example 2: cases with a tag matching APT followed by a digit, newest first
case.response_platform_info.response_platform_id = $id
case.display_name = $name
case.tags.name = $tags
$tags = /^APT[0-9]/
timestamp.get_date(case.create_time.seconds) = $created

match:
  $name, $created, $id, $tags

order:
  $created desc