Close Source alert while closing SOAR case

Hi,

We have several sources of alerts integrated in the SOAR. When we close a case in the SOAR, we'd like to automatically close the alert at its origin (SIEM, MS Defender, etc.). We can execute a playbook manually, but we'd like to automate this...

As we cannot create a trigger for this in a playbook, do you know if we can create a job to check this every XX minutes/hours? Is this possible? Any idea?

Thanks!

M.

1 ACCEPTED SOLUTION

Many of the Integrations in the marketplace have a Job to monitor for closures and sync to the remote platform

e.g. [screenshot: SoarAndy_0-1727447653698.png]

For integrations where this does not exist you can log a feature request, or potentially implement one using the IDE

Failing that, yes, I would consider adding a "close incident" action to the end of your playbooks.

I hope this helps

Andy
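The logic such a closure-sync job needs, as an added example that is not code from this thread or from any SOAR vendor: `ClosedCase`, `sync_closures`, the per-source closer callables and the sample cases are hypothetical. A real job would fetch closed cases and call each integration's API through the platform's SDK, and would persist `checkpoint` and `synced` between runs.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set, Tuple

@dataclass(frozen=True)
class ClosedCase:            # hypothetical shape of a closed SOAR case
    case_id: int
    closed_at: int           # epoch seconds when the case was closed
    source: str              # origin platform key, e.g. "siem"
    source_alert_id: str     # alert id in the origin platform

@dataclass
class SyncResult:
    checkpoint: int          # value to persist for the next scheduled run
    closed: List[int] = field(default_factory=list)
    failed: List[int] = field(default_factory=list)
    unsupported: List[int] = field(default_factory=list)

def sync_closures(cases: Iterable[ClosedCase],
                  closers: Dict[str, Callable[[str], None]],
                  checkpoint: int,
                  synced: Set[Tuple[str, str]]) -> SyncResult:
    """Close origin alerts for cases closed after `checkpoint`."""
    result = SyncResult(checkpoint)
    pending = sorted((c for c in cases if c.closed_at > checkpoint),
                     key=lambda c: c.closed_at)
    for case in pending:
        key = (case.source, case.source_alert_id)
        if key in synced:                 # already closed remotely: stay idempotent
            continue
        closer = closers.get(case.source)
        if closer is None:                # no closure support for this source
            result.unsupported.append(case.case_id)
            continue
        try:
            closer(case.source_alert_id)
        except Exception:                 # remote API error: retry on the next run
            result.failed.append(case.case_id)
            continue
        synced.add(key)
        result.closed.append(case.case_id)
    failed_times = [c.closed_at for c in pending if c.case_id in result.failed]
    if failed_times:                      # rewind so failed cases are picked up again
        result.checkpoint = min(failed_times) - 1
    elif pending:
        result.checkpoint = pending[-1].closed_at
    return result

# Constructed sample input: four closed cases from three origins.
SAMPLE_CASES = [ClosedCase(101, 1100, "siem", "S-1"), ClosedCase(102, 1200, "defender", "D-7"),
                ClosedCase(103, 1200, "siem", "S-2"), ClosedCase(104, 1300, "ticketing", "T-9")]
```

Cases from a source with no closer are reported in `unsupported` and do not hold back the checkpoint, so they need their own follow-up (for example the feature request mentioned above).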
