Skip to main content
Solved

How to implement SLA for analyst assignment in Google SecOps?

  • January 14, 2026
  • 3 replies
  • 63 views
agar_s
Forum|alt.badge.img+2

Hello,

Iā€™m trying to implement an SLA workflow for Cases in Google SecOps, specifically around analyst assignment and investigation timing, and Iā€™d appreciate guidance on best practices.

From what I can see today, at the system level, Google SecOps provides:

  • Alert Stage

  • Severity

However, there is no native SLA mechanism for:

  • Time to analyst assignment (Owner)

  • Time spent in specific case phases (Triage / Investigation)

SLA logic Iā€™m trying to enforce

My desired SLA flow is:

Ā 

Case created (Unassigned) ā†’ Triage: 30 minutes to assign an analyst ā†’ Assigned ā†’ 15 minutes to move to Investigation ā†’ Investigation ā†’ 1 hour to progress / respond

Ā 

  1. What is the recommended way to implement SLA tracking for:

    • Analyst assignment

  2. Is the expected approach to use:

    • Case-based Rules?

    • Tags / labels?

    • External reporting (e.g., BigQuery)?

  3. Are there any product roadmap plans for native SLA support on Cases?

Any guidance, documentation, or real-world implementation examples would be greatly appreciated.

Thanks in advance.

Best answer by cmorris

So tracking Mean Time to Assign? This native Dashboard query should show MTTA across your cases:

stage stage1{
$case_id = case_history.case_response_platform_info.case_id
match:
    $case_id
outcome:
    $case_assign_time = min(if(case_history.case_activity = "ASSIGNEE_CHANGE", case_history.event_time.seconds, 9999999999999999))
    $status = array_distinct(case_history.case_activity)
    $TTA = $case_assign_time - min(case_history.event_time.seconds)

condition:
    arrays.contains($status, "CREATE_CASE") and arrays.contains($status, "ASSIGNEE_CHANGE") 
    }
outcome:
    $case_count = count($stage1.case_id)
    $MTTA = avg($stage1.TTA)/60

Ā 

3 replies

kentphelps
Staff
Forum|alt.badge.img+11
  • kentphelps
  • Staff
  • January 16, 2026

Take a look at these to see if they are of any help:

    cmorris
    Staff
    Forum|alt.badge.img+11
    • cmorris
    • Staff
    • Answer
    • January 16, 2026

    So tracking Mean Time to Assign? This native Dashboard query should show MTTA across your cases:

    stage stage1{
    $case_id = case_history.case_response_platform_info.case_id
    match:
        $case_id
    outcome:
        $case_assign_time = min(if(case_history.case_activity = "ASSIGNEE_CHANGE", case_history.event_time.seconds, 9999999999999999))
        $status = array_distinct(case_history.case_activity)
        $TTA = $case_assign_time - min(case_history.event_time.seconds)

    condition:
        arrays.contains($status, "CREATE_CASE") and arrays.contains($status, "ASSIGNEE_CHANGE") 
        }
    outcome:
        $case_count = count($stage1.case_id)
        $MTTA = avg($stage1.TTA)/60

    Ā 

      agar_s
      Forum|alt.badge.img+2
      • agar_sBronze 1
      • Author
      • Bronze 1
      • January 18, 2026

      So tracking Mean Time to Assign? This native Dashboard query should show MTTA across your cases:

      stage stage1{
      $case_id = case_history.case_response_platform_info.case_id
      match:
       $case_id
      outcome:
       $case_assign_time = min(if(case_history.case_activity = "ASSIGNEE_CHANGE", case_history.event_time.seconds, [removed by moderator] ))
       $status = array_distinct(case_history.case_activity)
       $TTA = $case_assign_time - min(case_history.event_time.seconds)

      condition:
       arrays.contains($status, "CREATE_CASE") and arrays.contains($status, "ASSIGNEE_CHANGE") 
       }
      outcome:
       $case_count = count($stage1.case_id)
       $MTTA = avg($stage1.TTA)/60

      Thank you for your help, I want to add the name of the case and the analyst name, who can I add this columns to this dashboard?

      do you know if we have doc of all of the columns we can add to dashboard?

      Thank you.

      Terms & ConditionsCookie settingsAccessibility statement
      Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

      © 2025 Google. All rights reserved.