Question

UDM case.alertes.entities in a graph

Forum|Forum|1 month ago
October 28, 2025
4 replies
50 views

Evrard
New Member

Hello,

I have been asking to do a dashboard about our Cases. It must prompt specifics cases‘s entities names but I keep struggling.

This is what I did so far, but I did not found any more information over the documentation except this https://docs.cloud.google.com/chronicle/docs/reference/soar-data-dashboard#soar-involved-entities

case.tags.name="phishing"

outcome:
$case = case.display_name
$name = case.alerts[0].entities[0].name
$type = case.alerts[0].entities[0].type

I guess that both alerts & entities are somewhat lists but I don’t understand who deep dive in it.

Thank for your time.

+1

vincelec
Staff
Forum|Forum|1 month ago
October 29, 2025

I guess you are looking to display the entity.

Can you try the following field?

case.alerts.entities.identifier

Like

+1

vincelec
Staff
Forum|Forum|1 month ago
October 29, 2025

Can you try the following field:

case.alerts.entities.identifier

Like

Evrard
Author
New Member
Forum|Forum|1 month ago
October 30, 2025

even like that it’s not working

case.tags.name = /typosquatting/

outcome:

$event = array_distinct(case.alerts.entities.name)

order:

$event desc

Like

+12

AbdElHafez
Staff
Forum|Forum|1 month ago
October 31, 2025

@Evrard You could use this as an example ;

match:

    case.alerts.entities.identifier , case.name

outcome:

    $count=count(case.name)

    $arr_alertsMeta = array(case.alerts.metadata.id)

//Reference:https://cloud.google.com/chronicle/docs/reference/soar-data-dashboard#cases-and-alerts

Like

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded