🚀 New Feature: Support for SOAR Custom Fields in Native Dashboards!

  • May 28, 2026

bharathmurali
Staff

Hello SecOps Community!

We are excited to announce that Support for SOAR Custom Fields in Native Dashboards is now generally available and enabled for all customers!

What are SOAR Custom Fields?

While SecOps Native Dashboards have long supported querying a comprehensive set of standard SOAR fields (such as case names, priorities, assignees, and stages) to track alerts and cases, we know that every organisation's incident response process is unique. SOAR custom fields allow your team to capture specific business contexts, such as an affected business unit, internal tracking IDs, or specific threat tags.

This update officially extends our existing standard SOAR data capabilities. You can now seamlessly query dynamically created SOAR custom fields directly within the native dashboard platform. Analysts can leverage YL2 queries to read, filter, and aggregate data based on these unique business contexts.

Note: For historical reference on the initial implementation specifications, you can check the documentation titled "Google SecOps Dashboards Dashboards SOAR custom fields (Preview) (2).pdf".

🛠️ Key Specifications & How It Works

  • Data Availability: This feature is accessible for data beginning January 1, 2025.

  • Field Support: It supports both text-based (including multi-select) and time-based (calendar/timestamp) custom fields.

  • Unified Format: Access these fields using a standardised path: case.custom_fields["field name"].

📝 Query Syntax & Field Types

To use custom fields in your dashboards, reference the specific data type associated with the field:

  • String / Text: case.custom_fields["field_name"].string_seq.string_vals

  • Time / Calendar: case.custom_fields["field_name"].time_val.seconds

💡 Common Use Case Scenarios

Below are sample YL2 queries to help you get started with filtering and aggregating your SOAR data:

  • Count Cases Post-Filtering: Filter on custom fields to aggregate metrics, such as defining $impact = case.custom_fields["business impact"].string_seq.string_vals and counting cases where $impact = "high" or "critical".

  • Multi-Condition Filtering: Combine standard logic with custom fields, such as listing all cases where the business impact is critical and a custom sla deadline is post 25th April.

  • Grouping on Custom Values: Extract case details (e.g., where the display name starts with 'Soma') and group the results dynamically by a custom "reporter" field.

  • Case-Insensitive Checking: Use the nocase modifier to list cases matching a specific string regardless of capitalisation (e.g., matching "Bob", "BOB", or "bob").

⚠️ Important Guardrails & Limitations

To ensure optimal dashboard performance and data integrity, please keep the following operational constraints in mind:

  • Case Sensitivity: By default, custom field names and values are case-sensitive. Queries must precisely match the original casing unless nocase is applied.

  • Truncation: Custom field values in dashboards are subject to a 1024-character total limit. Multi-select fields exceeding this will be truncated.

  • Field Limits: There is a maximum of 1,000 custom fields per case or alert, and field names are limited to 255 characters.

  • List Options: While you can define up to 500 options for a list, Google SecOps only receives the selected values.

  • Current UI Limitations: Auto-suggestion (auto-discovery) of custom field names in the query editor is not supported, nor are dropdown menus for custom field columns.

We can't wait to see how you leverage these extended capabilities to build more tailored, context-rich security dashboards. Let us know your thoughts or share your favorite use cases in the comments below!
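
The count and multi-condition scenarios listed in the post, written out as one YL2 dashboard query. This is an added example, not part of the original post or of Google's documentation; the field names "business impact" and "sla deadline", the counting key `case.name`, and the 2025 epoch value are assumptions.

```yara-l
// Constructed example. The custom field names "business impact" and
// "sla deadline" are assumed; substitute the exact names defined in SOAR.

// Text field: bind the selected value(s) to a variable.
$impact = case.custom_fields["business impact"].string_seq.string_vals

// Names and values are case-sensitive by default, so nocase is applied
// to match "High", "HIGH" or "high" alike.
($impact = "high" nocase or $impact = "critical" nocase)

// Time field: compare epoch seconds.
// 1745539200 = 2025-04-25 00:00:00 UTC (year assumed; the post gives only the day).
case.custom_fields["sla deadline"].time_val.seconds > 1745539200

match:
  $impact

outcome:
  // case.name is assumed here as the per-case key to count on.
  $case_count = count_distinct(case.name)

order:
  $case_count desc
```

The nocase modifier affects only the comparison, so differently cased stored values such as "High" and "high" would still appear as separate groups. Values cut off by the 1024-character limit will not satisfy an equality filter written against the full string.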