Hi everyone,
I’m working with Google SecOps / Chronicle SOAR - SOAR Reports (Legacy) and I’m trying to build a detailed monthly report of closed cases for a customer.
What I’m trying to achieve:
A report that lists every case closed during a specific month (case by case), and for each case includes details such as:
- Who did what and when (assignment changes, stage/status changes, closure actions, etc.): an audit-style trail
- Investigation context pulled from the case/alerts, e.g. IP addresses (src/dst), users, hostnames, entities/IOCs
- Ideally exportable as PDF/Word, or at least a structured table/CSV.
What I tried so far:
In SOAR Reports (Legacy) I can add widgets like Table / Pie / Bar, but they seem to be mostly aggregations (counts by axes/filters) rather than a true case-by-case detailed listing with the fields above. I couldn’t find a built-in way to generate a detailed “one row per case” report including audit trail + IPs/entities.
Rationale / why this matters:
The customer wants a monthly report that provides transparency and auditability for SOC operations:
which incidents were handled and closed during the month, what actions were taken per case, who handled them, and which indicators/entities (IPs, users, hosts) were involved. This supports operational reporting, SLA tracking, and governance/compliance needs.
My questions to the community:
- Is there a supported way in SOAR Reports (Legacy) to generate a case-by-case detailed report including “who did what” and IPs/entities?
- If Legacy Reports can’t do this, what’s the recommended approach: SOAR Search → Export CSV, Advanced Reports/Looker, or reporting based on CaseHistory / audit logs?
- If there’s an official/best-practice method to report the audit trail (“who did what”) per case, I’d appreciate guidance or examples.
Thanks in advance!