Implementing risk-based alerting in Chronicle

Hey folks, trying to implement some sort of risk-based alerting in Chronicle. I know that Chronicle has risk_score in the outcome section, but it doesn't allow me to tie in multiple events.
For example:
Day 1 - user A is going to leave the organisation - risk_score = 5
Day 7 - user A downloads a bunch of files to his personal email - risk_score = 10
Day 10 - user B clones 10 repos - risk_score = 10

These are individual detection events.

Now tie all this together and say if the user has crossed a particular threshold, then alert on it. For example, the above user A has exceeded the risk threshold of 13 in the last 10 days, so needs to be investigated, but not user B, because that might just be part of work. And maybe show an activity timeline of all the events as well.

Any thoughts on this will be greatly appreciated. (PS - we use Siemplify too, so if it can be done on a combination of the two, that would be welcome as well.)


If it doesn't make sense, lemme know and I'll try to explain it better.

Could you use case-level context values to store the risk levels for individual events/alerts and then have a block to calculate the "case risk" level (and assign it to another context value) based on those individual risk level values? Then you only change/update the case risk level if it increases (because it would potentially change as new events/alerts come in and are added to the case) and use that to establish the case priority, for example.

Oh, I just noticed the timescale of your question. So these wouldn't necessarily be on the same case. In that case, perhaps use a global context value or custom list with a unique value for the user (username, SID, etc.), the date, and the risk level. So, for example:
cyrus.robinson_20230309_5

I'm responding from mobile, so I apologize if I'm not being clear, but hopefully this gives you an idea of how you might accomplish this in a block that calculates for each alert or case.

Hey @Cyrus_Robinson, thanks for the response. When you say custom list, are you talking about the list manager within Chronicle or something outside of it? Sorry, a bit confused.

Apologies for the delayed response. I've been out of town. We're upgrading to 6.x this week, so I don't recall if it's named list manager or something different in that release, but I mean Custom Lists under Environments.


Ahh, got you! You are correct. I was talking about the list manager in Chronicle SIEM.

So maybe this is way out there. What if there was a separate DB that your SOAR could write to? Your Day 1 event creates the user data record with the score. Day 7, the user exists in the DB, so you increment the score. Day 10, same. The playbook just increments the score until you hit your threshold, and then it raises the alert/case. I have on my list of things to do an external DB for some other use cases that I am looking at. I need a few issues resolved before I get a chance to try it out, and what I was thinking of trying is a lot simpler. But I still need more of a table function than a list function. I didn't want to use Airtable or Google Sheets for this.

I totally agree that a table feature would be a great thing to have in Chronicle SOAR/Siemplify!

Yeah, Google Sheets can only be public, which is a bummer. I think this needs to be a feature request, tbh. I was thinking about pushing it to AWS S3, but it brings unnecessary complexity, and we also need to use access/secret keys for the integration. Not comfortable with that. It'll be nice to have role-based access.

I'm thinking of it a little differently, but it's yet to be tested out.
* Create detection rules for individual alerts (A1 = mass cloning of our repos, A2 = the user sending email from the company account to his personal one, etc.)
* Attach a risk score to these detections and push it to the Chronicle list manager using the reference list API from Chronicle SOAR (for example: A1, time, userA, riskscore10, etc.)
* Run another detection rule (every hour or so) which just looks at the reference list and fires an alert when the threshold is breached.
This way I sort of get to do all the detection within the SIEM itself. Maybe I can build a dashboard too in future.
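The aggregation step of that last post, as an added example that is not from the thread or from Chronicle: a Python sketch of what the hourly rule has to compute, assuming the list entries use the user_YYYYMMDD_score form suggested earlier in the thread and that "breached" means strictly greater than the threshold. The sample entries are constructed to match the opening post's scenario.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample reference-list entries in the user_YYYYMMDD_score form
# suggested in the thread (not real Chronicle data); scores follow the
# opening post's scenario.
SAMPLE_ENTRIES = [
    "userA_20230301_5",   # day 1: user A gives notice
    "userA_20230307_10",  # day 7: user A mails files to a personal address
    "userB_20230310_10",  # day 10: user B clones 10 repos
]

def _to_date(yyyymmdd):
    return datetime.strptime(yyyymmdd, "%Y%m%d").date()

def parse_entry(entry):
    """Split 'user_YYYYMMDD_score' into (user, date, int score).
    Splitting from the right keeps usernames that contain '_' intact."""
    user, day, score = entry.rsplit("_", 2)
    return user, _to_date(day), int(score)

def risk_summary(entries, as_of, window_days=10, threshold=13):
    """Sum each user's scores in the window ending at as_of ('YYYYMMDD') and
    return {user: {"total", "timeline": [(date, score), ...], "alert"}}."""
    end = _to_date(as_of)
    cutoff = end - timedelta(days=window_days)
    summary = defaultdict(lambda: {"total": 0, "timeline": [], "alert": False})
    for entry in entries:
        user, day, score = parse_entry(entry)
        if not (cutoff < day <= end):
            continue  # aged out of the window (or dated in the future)
        summary[user]["total"] += score
        summary[user]["timeline"].append((day, score))
    for s in summary.values():
        s["timeline"].sort()  # oldest first, ready to render as a timeline
        s["alert"] = s["total"] > threshold
    return dict(summary)

def users_to_investigate(entries, as_of, window_days=10, threshold=13):
    """Users whose windowed total exceeds the threshold, sorted by name."""
    summary = risk_summary(entries, as_of, window_days, threshold)
    return sorted(u for u, s in summary.items() if s["alert"])

if __name__ == "__main__":
    for user, s in risk_summary(SAMPLE_ENTRIES, "20230310").items():
        print(f"{user}: total={s['total']} {'INVESTIGATE' if s['alert'] else 'ok'}")
        for day, score in s["timeline"]:
            print(f"  {day}  +{score}")
```

Because the window slides, an entry that pushed a user over the threshold today contributes nothing once it is older than window_days, so the same list evaluated later can come back clean.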