Question

[Google SecOps SOAR] Automatically escalate severity when same entity has 3+ alerts within a time window — best approach?

  • April 23, 2026
  • 4 replies
  • 25 views

MikelSA

Use case

We want to implement a mechanism in Google SecOps (Chronicle SOAR) where, if the same entity (user, IP, or host) accumulates 3 or more alerts within a given time window (e.g. last 24h), the severity is automatically escalated to High — regardless of whether the individual alerts came from Chronicle SIEM, Cortex XDR, Microsoft Defender, or Entra ID.

The individual alerts may be Low or Medium on their own, but the accumulation pattern signals a higher risk that warrants immediate attention.

Question

What is the recommended approach to achieve this in Google SecOps?

We are evaluating:

  • SOAR Playbook that counts open alerts per entity and escalates if threshold is met
  • Risk Score Analytics — does this support alerts from third-party connectors (Cortex, Defender) or only Chronicle detections?
  • Any native alert grouping or correlation feature in the SOAR that already handles this out of the box

What has worked for others in production? Any pitfalls to be aware of?

Thanks!

4 replies

AymanC
  • April 23, 2026

Hi @MikelSA,

We’ve achieved something similar within a playbook, using the endpoint /api/external/v1/search/CaseSearchEverything (swagger will contain the schema, request type and example output) and passing it something like Entity:{VALUE}. As part of the payload you can choose the start time, end time and timeRangeFilter, and it will return the different case(s) that contain the entity you’re searching for.

You’d probably want to initially use (within the playbook, after entity creation via alert ontology or through actions) the pre-built action ‘Get Case Data’, which outputs the entities within the case. You can then use a loop to iterate through these with the above endpoint and change the severity accordingly.

https://docs.cloud.google.com/chronicle/docs/soar/marketplace/power-ups/tools#get-case-data
https://docs.cloud.google.com/chronicle/docs/soar/marketplace-integrations/siemplify#change_priority

Kind Regards,

Ayman
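The counting and escalation logic from this reply, written out as an added example (not code from the original post or from Google SecOps). It assumes a search callable standing in for a POST to /api/external/v1/search/CaseSearchEverything; the payload keys (searchTerm, startTime, endTime), the case fields (id, createdAt, entities) and the sample cases are constructed assumptions, so check swagger for the real schema before wiring it into a playbook action.

```python
from datetime import datetime, timedelta, timezone

THRESHOLD = 3                  # distinct cases containing the entity within the window
WINDOW = timedelta(hours=24)
ESCALATED_PRIORITY = "High"
PRIORITY_ORDER = ["Low", "Medium", "High", "Critical"]

# Constructed sample data; field names are assumptions, not the real API schema.
NOW = datetime(2026, 4, 23, 12, 0, tzinfo=timezone.utc)
SAMPLE_CASES = [
    {"id": 101, "createdAt": NOW - timedelta(hours=1),  "entities": ["10.0.0.5", "alice"]},
    {"id": 102, "createdAt": NOW - timedelta(hours=5),  "entities": ["10.0.0.5"]},
    {"id": 103, "createdAt": NOW - timedelta(hours=20), "entities": ["10.0.0.5", "bob"]},
    {"id": 104, "createdAt": NOW - timedelta(hours=30), "entities": ["alice"]},  # outside 24h
    {"id": 105, "createdAt": NOW - timedelta(hours=2),  "entities": ["alice"]},
]

def build_search_payload(entity_value, now=NOW, window=WINDOW):
    """Payload for the CaseSearchEverything call; key names are assumed."""
    return {"searchTerm": f"Entity:{entity_value}",
            "startTime": (now - window).isoformat(),
            "endTime": now.isoformat()}

def fake_case_search(payload, cases=SAMPLE_CASES):
    """Stand-in for the HTTP call: applies the entity and time filter the endpoint would."""
    value = payload["searchTerm"].removeprefix("Entity:")
    start = datetime.fromisoformat(payload["startTime"])
    end = datetime.fromisoformat(payload["endTime"])
    return [c for c in cases
            if value in c["entities"] and start <= c["createdAt"] <= end]

def count_cases_per_entity(entity_values, search_fn=fake_case_search, now=NOW):
    """Count distinct cases, not alerts: a case holding 20 Entra ID alerts counts once."""
    return {v: len({c["id"] for c in search_fn(build_search_payload(v, now))})
            for v in entity_values}

def decide_priority(counts, current_priority, threshold=THRESHOLD):
    """Never lower a case: an analyst's manual Critical must survive a playbook re-run."""
    if not any(n >= threshold for n in counts.values()):
        return current_priority
    return max(current_priority, ESCALATED_PRIORITY, key=PRIORITY_ORDER.index)

if __name__ == "__main__":
    counts = count_cases_per_entity(["10.0.0.5", "alice"])
    print(counts, "->", decide_priority(counts, "Medium"))
```

In a playbook the entity list would come from ‘Get Case Data’ and the resulting priority would be passed to the Change Priority action; the threshold check runs per entity so one noisy entity is enough to escalate.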


cmorris
  • Staff
  • April 23, 2026

A Composite Detection matching on the entity could be an option, but it would only cover SIEM alerts, not third-party alerts via connector.

Risk Analytics would work as well.

For the SOAR playbook method - are you using alert grouping by entity and then a count of alerts to escalate in the playbook?


MikelSA
  • Author
  • April 23, 2026

> A Composite Detection matching on the entity could be an option, but it would only cover SIEM alerts, not third-party alerts via connector.
>
> Risk Analytics would work as well.
>
> For the SOAR playbook method - are you using alert grouping by entity and then a count of alerts to escalate in the playbook?

Yes, I am, but for example Entra ID alerts are sometimes around 20 alerts per case, so instead of searching alerts I would like to search by cases.


MikelSA
  • Author
  • April 23, 2026

> Hi @MikelSA,
>
> We’ve achieved something similar within a playbook, using the endpoint /api/external/v1/search/CaseSearchEverything (swagger will contain the schema, request type and example output) and passing it something like Entity:{VALUE}. As part of the payload you can choose the start time, end time and timeRangeFilter, and it will return the different case(s) that contain the entity you’re searching for.
>
> You’d probably want to initially use (within the playbook, after entity creation via alert ontology or through actions) the pre-built action ‘Get Case Data’, which outputs the entities within the case. You can then use a loop to iterate through these with the above endpoint and change the severity accordingly.
>
> https://docs.cloud.google.com/chronicle/docs/soar/marketplace/power-ups/tools#get-case-data
> https://docs.cloud.google.com/chronicle/docs/soar/marketplace-integrations/siemplify#change_priority
>
> Kind Regards,
>
> Ayman

Oh, thank you so much for the explanation, I will look into it.