
Hi All,


@DAYJOB we’ve been working on prioritization and classification of alerts and incidents within the organization. One thing we’ve noticed when looking through metrics is that when an incident is raised for a ticket, it also changes the priority of the ticket:


As shown below, the priority of the ticket is changed by default to Critical:


Is there a way to disable this functionality? We don’t classify every incident as a critical ticket and this throws off the metrics which we use to report to the leadership team. 


Any advice would be appreciated. TIA.

Kyhle

Hey @_K_O, as I understand it, there's no way to prevent this behavior. When a case is converted to an incident, the SOAR platform automatically assigns it a Critical severity. I acknowledge that this automatic escalation doesn't always reflect the true urgency of the incident.

Here are the likely reasons for this behavior. Presumably, Google/Siemplify opted for this approach because the platform was originally designed to handle security cases which, once they become incidents, are inherently critical. Alternatively, it could be a holdover from a previous version of the SOAR that had a dedicated incident management section.

Btw, to reach your goals, you can try to use the “tags” (below is an excerpt from the case section showing the tags) and a bit of creativity.


This is the full shopping list:

  • Custom playbook views.
  • Tags.
  • Advanced reports.

Custom playbook views and Tags

First of all, create a custom playbook view or update yours. Add a “Quick Actions” and from there add a new button. This is how you can configure a button that will add the given tag to the case:

Once saved, you should have something similar to the following: 


The final result within the alert view would be something similar to the following:


Note that you can add another quick action to update the case priority too, if you don’t like the native way.


Advanced reports

With the operational goal met, we now need to report to the leadership team. This report must frame the incident using your custom standard, not the native one.

To do so:

  1. Create a custom advanced report.
  2. Add a visualization and choose Vw Dashboard Cases.
  3. Search the field tag and add it as a filter and value; this is where you’ll put the tag of your interest (e.g. Incident).
  4. Search the fields case priority str and case title, and add them as values.

The fields shown here are just a Proof of Concept. Feel free to customize them as needed.

Now, you should see something similar to the following screenshot where I’ve highlighted the most important parts:


Save this to create a starting point for your report. You can apply various customizations, such as filtering, texts, images, visualizations of all sorts, etc. Once complete, you can manually download the report or schedule its automated email delivery via the SOAR.


I hope this helps.
Cheers.
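To show what the tag-based report changes, here is an added Python illustration (not the SOAR's own code and not from this thread) that runs over a constructed export shaped like the Vw Dashboard Cases fields named above; the column names, the `;` tag separator and the sample rows are assumptions.

```python
from collections import Counter

# Constructed sample rows in the shape of a "Vw Dashboard Cases" export (assumed
# column names, not real SOAR data). The three converted cases still carry the
# native Critical priority; "Policy violation" was reset via the quick action.
SAMPLE_CASES = [
    {"case_title": "Phishing email reported", "case_priority_str": "Critical", "tags": "Incident;Phishing"},
    {"case_title": "Suspicious login", "case_priority_str": "Critical", "tags": "Incident"},
    {"case_title": "Malware on endpoint", "case_priority_str": "Critical", "tags": "Incident;Malware"},
    {"case_title": "Noisy IDS signature", "case_priority_str": "Low", "tags": ""},
    {"case_title": "Policy violation", "case_priority_str": "Medium", "tags": "Incident"},
]

INCIDENT_TAG = "Incident"  # the tag added by the quick-action button


def parse_tags(raw):
    """Split the exported tag string (assumed ';'-separated) into a normalized set."""
    return {t.strip() for t in raw.split(";") if t.strip()}


def native_priority_breakdown(cases):
    """What the native metric reports: every converted case shows up as Critical."""
    return Counter(c["case_priority_str"] for c in cases)


def tagged_incidents(cases, tag=INCIDENT_TAG):
    """Step 3 of the report: keep only the cases carrying the incident tag."""
    return [c for c in cases if tag in parse_tags(c["tags"])]


def incident_report(cases, tag=INCIDENT_TAG):
    """Steps 3-4: incidents grouped by the priority string analysts actually set,
    with the case titles listed under each priority."""
    report = {}
    for c in tagged_incidents(cases, tag):
        report.setdefault(c["case_priority_str"], []).append(c["case_title"])
    return report


if __name__ == "__main__":
    print("native view:", dict(native_priority_breakdown(SAMPLE_CASES)))
    print("tag-based view:", incident_report(SAMPLE_CASES))
```

The tag decides what counts as an incident, while the priority column reflects whatever the analyst set, so the native Critical default no longer drives the leadership numbers.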


@masterdisruptor  thank you for the detailed response, that just might work for our use case! Appreciate the help :) 


You’re welcome! 😀