Question

How to build SLA dashboards for cases and analysts in Google SecOps?

Forum|Forum|3 months ago
January 14, 2026
6 replies
153 views

agar_s
Bronze 1

Hello,

I’m implementing SLA tracking for Cases in Google SecOps and would like to understand the best practice for building dashboards.

My SLA logic includes:

Time to analyst assignment (unassigned → assigned)
Identification of SLA-breached cases
Visibility at both case level and analyst level

Currently, I don’t see native SLA fields for Cases, so SLA is derived from case metadata (Created Time, Owner, Status).

Questions:

What is the recommended way to build dashboards showing:
- Cases that breached SLA
- SLA compliance per analyst
Are SecOps dashboards expected to rely only on:
- Case filters and saved views?
- Case-based rules and tags?
For analyst-level SLA metrics, is exporting to BigQuery the recommended approach?

Thanks for any guidance or examples.

+12

kentphelps
Community Manager
Forum|Forum|3 months ago
January 27, 2026

Most of the data you would need can be found in SOAR data in Dashboards in the Case History Section.

And you can take a look at @jstoner ‘s great blogs on building dashboards to get ideas on how to put together what you need.

Jsp123
Bronze 2
Forum|Forum|1 month ago
March 19, 2026

How can we include the environment filter with case_history as I needed to calculate the SLA based on SOAR environment for that case.

+12

cmorris
Staff
Forum|Forum|1 month ago
March 19, 2026

How can we include the environment filter with case_history as I needed to calculate the SLA based on SOAR environment for that case.

Joins on case and case_history should be rolling out by the end of the month. At that point, you could try a join with your environment specified like this:

$h.case_history.case_response_platform_info.case_id = $case_id
$c.case.response_platform_info.response_platform_id = $case_id
$c.case.environment = "Default Environment"

Jsp123
Bronze 2
Forum|Forum|1 month ago
March 19, 2026

How can we include the environment filter with case_history as I needed to calculate the SLA based on SOAR environment for that case.

Joins on case and case_history should be rolling out by the end of the month. At that point, you could try a join with your environment specified like this:

$h.case_history.case_response_platform_info.case_id = $case_id
$c.case.response_platform_info.response_platform_id = $case_id
$c.case.environment = "Default Environment"

I needed to calculate the same SLA but for specific environment only , but if i add case.environment it's not getting supported.

stage stage1{
$case_id = case_history.case_response_platform_info.case_id
match:
$case_id
outcome:
$case_assign_time = min(if(case_history.case_activity = "ASSIGNEE_CHANGE", case_history.event_time.seconds, [removed by moderator] ))
$status = array_distinct(case_history.case_activity)
$TTA = $case_assign_time - min(case_history.event_time.seconds)

condition:
arrays.contains($status, "CREATE_CASE") and arrays.contains($status, "ASSIGNEE_CHANGE")
}
outcome:
$case_count = count($stage1.case_id)
$MTTA = avg($stage1.TTA)/60

+12

cmorris
Staff
Forum|Forum|1 month ago
March 19, 2026

Yes, unfortunately you cannot join the case and case_history datasets today, which is why you get that error when you try to add case.environment to your existing query that uses case_history. Support for that join should be coming out the end of this month and then you will be able to.

Jsp123
Bronze 2
Forum|Forum|1 month ago
March 19, 2026

Ok, thanks @cmorris

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded