This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

Managing multiple alerts in a single case

Posted on 10-18-2023 02:05 AM
AThebrand
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

Hi everyone.

today I've come across a problem that I don't know how to solve. 

In my SOAR instance, I've configured the Chronicle Alerts Connector to retrieve alerts from Chronicle SIEM. Every time the alerts come to the SOAR they are grouped into a case. 

I've written a playbook that is automatically attached to alerts coming from SIEM and made some operations. At the end, this playbook will open a Jira ticket. This is done for every alert on the case.

I was wondering if there is a way to create a ticket just for the case and not for all alerts grouped in it.

Thank you in advance.

Solved Solved
0 2 1,907
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
EricMalzahn
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

We had this problem at one of my previous companies.  The connector was SentinelOne and the ticketing system was ServiceNow.  We definitely wanted to group alerts into cases but only have one ServiceNow ticket per case.  We worked with Siemplify professional services to create an action that would determine if an alert was the first one in a case.  A conditional then would lead to a ServiceNow action if "true" was returned.  

This work may be now contained with in the Tools Power Up in the SOAR Marketplace.  See if "Find First Alert" in Tools does what I'm describing.  Either way, it's possible though.

View solution in original post

Jump to Solution
2 REPLIES 2

Posted on --/--/---- --:-- AM
Louis_Mesmin
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

Dear @AThebrand,

I can see multiple approach here:
1) You can configure the case aggregation mecanism in order to stop alerts being aggregated into the same case.
2) If I'm not mistaken, you can configure a playbook in order to run only for the first alert in a case.
3) In your playbook, you can close the alert (and so case will be closed if it's the latest alert in the case) after creating the Jira ticket so that any new alert will create a new case.

That being said, your playbook use-case is not very clear to me so maybe my answers are not relevant.
In our deployment we are more using a one playbook per type of alert and we are attaching other playbooks from the first one if needed.
In this situation, we are very glad that our playbooks are triggered per alert and not per case 😉

Louis

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
EricMalzahn
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

We had this problem at one of my previous companies.  The connector was SentinelOne and the ticketing system was ServiceNow.  We definitely wanted to group alerts into cases but only have one ServiceNow ticket per case.  We worked with Siemplify professional services to create an action that would determine if an alert was the first one in a case.  A conditional then would lead to a ServiceNow action if "true" was returned.  

This work may be now contained with in the Tools Power Up in the SOAR Marketplace.  See if "Find First Alert" in Tools does what I'm describing.  Either way, it's possible though.

Jump to Solution