This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

How to Create new case [from existing 2 cases with IOC or Combine 2 cases ] is it possible ?

Posted on 01-31-2025 01:15 PM
vanitharaj1208
Silver 2
Silver 2
Reply posted on --/--/---- --:-- AM
  1. How create new cases based on information coming from multiple connectors, such as Mandiant and Exchange, with each connector providing different IOCs And then, within those cases, have specific playbooks run based on the IOCs pulled from each connector?

 

0 2 199
Topic Labels
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
josemarin
Staff
Reply posted on --/--/---- --:-- AM

Can you provide more details to your use case?

Do the alerts being created by both connector have completely different entities between them? If so, what would be the criteria to group both alerts together? 

Do you want to merge the alerts of both cases within 1 single case? or do you want to create a new case with a single alert that has all the information from the original alerts? 




0 Likes

Posted on --/--/---- --:-- AM
SoarAndy
Staff
Reply posted on --/--/---- --:-- AM

If both connectors are enabled, you will get 2 Alerts.  If they match on Alert Grouping (e.g. within x hours AND have an entity in common) they go into 1 case.  In your example you didn't elaborate on how you hope they will group, automatically or are you building logic into the playbook to handle this manually?

I don't see a playbook Trigger for specific Indicator.  Maybe you would run a master playbook which uses 'Attach playbook' based on logic (though remember the playbook view is based on first playbook so the majority of logic should be there)

0 Likes
Top Solution Authors
View all