Managing case stages via playbook for cases with multiple alerts

Is there a good way to be able to manage case stages via playbooks where cases have multiple grouped alerts?

We're using case stages to calculate metrics such as MTTR. 

If we have a case with a single alert, then we can make the alert playbook change the case stage to "Resolved" as part of closing the alert. But if a case has multiple alerts, we need that to only happen once the last alert on the case is resolved.

We can't see any supported way to achieve this, such as a way to add conditional logic to a playbook based on the status of all other alerts in the same case.

How are others handling this scenario?

1 ACCEPTED SOLUTION

@effytw there's an action Find First Alert in Tools powerup that might be slightly edited for this need:

From:

siemplify.case.alerts.sort(key=lambda x: x.creation_time)

To:

siemplify.case.alerts.sort(key=lambda x: x.creation_time, reverse=True)

This will allow you to use a Condition by comparing the AlertIdentifier returned by the action with the current one, and if lastAlert = currentAlert, do the stage transition.

The only problem that might be happening here is that a new alert may be ingested during the action run. So maybe leaving this step to the analyst as a manual action is better.
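The following is an added example, not code from the post above or from the Tools power-up it refers to. It models the two conditions a playbook could evaluate before moving a case to "Resolved": the accepted answer's check (is the alert being closed the most recently created one on the case?) and the stricter check the question actually needs for MTTR (are all other alerts on the case already closed?). The Alert class, its identifier and status fields, and the "OPEN"/"CLOSED" vocabulary are assumptions made here; only creation_time comes from the post. The constructed case data shows where the two checks disagree.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


# Constructed stand-in for a SOAR alert object. creation_time mirrors the
# attribute used by the post's sort; identifier and status are assumed names.
@dataclass(frozen=True)
class Alert:
    identifier: str
    creation_time: int   # epoch milliseconds (constructed)
    status: str          # "OPEN" or "CLOSED" (assumed vocabulary)


def latest_alert_identifier(alerts: Iterable[Alert]) -> Optional[str]:
    """Same idea as the answer's edited action: sort newest-first and return
    the identifier of the most recently created alert (None for an empty case)."""
    ordered = sorted(alerts, key=lambda a: a.creation_time, reverse=True)
    return ordered[0].identifier if ordered else None


def is_current_alert_latest(alerts: Iterable[Alert], current_identifier: str) -> bool:
    """The answer's condition: lastAlert == currentAlert."""
    return latest_alert_identifier(alerts) == current_identifier


def other_alerts_all_closed(alerts: Iterable[Alert], current_identifier: str) -> bool:
    """The condition the question asks for: every alert on the case other
    than the one being closed right now is already closed. An alert ingested
    during the run shows up as OPEN and therefore blocks the transition,
    which is the safe outcome for the race described in the answer."""
    others = [a for a in alerts if a.identifier != current_identifier]
    return all(a.status == "CLOSED" for a in others)


def case_decision(alerts: Iterable[Alert], current_identifier: str) -> dict:
    """Evaluate both checks for one closing alert so the difference is visible."""
    alerts = list(alerts)
    return {
        "current": current_identifier,
        "is_latest": is_current_alert_latest(alerts, current_identifier),
        "others_closed": other_alerts_all_closed(alerts, current_identifier),
    }


# Constructed case: the newest alert (A3) is being closed while the oldest
# (A1) is still open. The creation-order check would resolve the case too early.
CASE_EARLY: List[Alert] = [
    Alert("A1", 1_000, "OPEN"),
    Alert("A2", 2_000, "CLOSED"),
    Alert("A3", 3_000, "OPEN"),
]

# Constructed case: A1 is closed last. Creation order says "not the latest",
# but every other alert is closed, so this is the moment to resolve the case.
CASE_LAST: List[Alert] = [
    Alert("A1", 1_000, "OPEN"),
    Alert("A2", 2_000, "CLOSED"),
    Alert("A3", 3_000, "CLOSED"),
]


if __name__ == "__main__":
    print(case_decision(CASE_EARLY, "A3"))
    print(case_decision(CASE_LAST, "A1"))
```

In a real playbook the alert list would come from the SDK's case object rather than the constructed lists here; the point is that a status-based condition only fires when the last open alert is closed, regardless of the order alerts were created in, while the creation-order shortcut fires whenever the newest alert happens to be the one being closed.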
