Manage tags in cases and alerts

This document explains how to manage tags in Google Security Operations cases.

Tags help classify and organize cases for easier filtering and analysis. They can be assigned automatically based on predefined rules or added manually from the case and alert views.

While you can remove tags from individual cases, the tags themselves remain available in the system's autocomplete list unless an administrator removes them from the table in the Case Data > Tags settings.

You may also want to import tags—for example, when migrating from a staging to a production environment or for backup purposes. For more information, see Import tags.

Manage tags in cases and alerts

Tags help you track and categorize your cases. You can quickly identify cases by searching for them by their tags.

You can manage tags from the following places:

• Case or Alert: Manually add and remove tags from a specific case or an individual alert.
• Main menu: Click Settings > Case Data > Tags. For more information, see Create an automatic tagging rule.
• Playbooks: Trigger a playbook on a tag name using the tag trigger. You can also add a case tag to a playbook block: select a playbook block, click Open Step Selection, and in the Triggers tab, select Tag Name.

Add a tag to a case

 To add a tag to a case, follow these steps:

1. Go to the Cases page and select a case you want to tag.
2. Click sell Manage Tags.
3. In the Manage Tags dialog, enter the name of the tag and press Enter, or select a tag from the list and click Add.

Add a tag to an alert

To add a tag to an alert, follow these steps:

1. Go to the Cases page and select a case.
2. Select the alert you want to tag.
3. Click more_vert Alert Options and then select Manage tags.
4. In the Manage Tags dialog, enter the name of the tag and press Enter, or select a tag from the list and click Add.

Alert tag behavior during case changes

Manually assigned alert-level tags remain attached to the specific alert during case management actions:

• Moving alerts: If you move an alert to a different case, any tags manually assigned to that alert move with it.
• Merging cases: When cases are merged, individual alerts within the consolidated case retain their manually assigned alert-level tags.

Configure tag settings

Import tags

To import a tag, follow these steps:

1. Go to SOAR Settings > Case Data > Tags.
2. Click vertical_align_bottom Download template. The CSV file shows the required tag import structure.
3. Enter the tag information.
4. Click login Import. The imported tags should appear in the platform.

Remove a tag from autocomplete

To prevent a tag from appearing in autocomplete suggestions, you must remove it from the Tag table in the Case Data settings.

1. Go to SOAR Settings > Case Data > Tags.
2. Locate the tag in the table and click delete Delete.

Create an automatic tagging rule

To create a rule that automatically assigns tags to incoming alerts based on specific conditions, follow these steps:

1. Go to SOAR Settings > Case Data > Tags.
2. Click add Add Tag.
3. In the Tag name field, enter a name for the tag.
4. Select a match source from Entities, Product, Rule Generator and Vendor.
5. From the menu, choose a qualifier that defines how to match the value:
• contains
• exact
• starts with
• ends with
6. Select the specific entity or product source. Enter the appropriate Property and Value, if applicable. Alternatively, select the Product, Rule Generator, or Vendor.
7. Select the priority for the tag.
   Note: Google SecOps merges priority with other alerts and entities and events so that the priority here is not an absolute.
8. Optional: Select Can be a case name if required. When selected, the tag is assigned as the title of the case if it meets the conditions.
9. Click Save.