This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

Managing multiple alerts in a single case

Posted on 10-18-2023 02:05 AM
AThebrand
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

Hi everyone.

today I've come across a problem that I don't know how to solve. 

In my SOAR instance, I've configured the Chronicle Alerts Connector to retrieve alerts from Chronicle SIEM. Every time the alerts come to the SOAR they are grouped into a case. 

I've written a playbook that is automatically attached to alerts coming from SIEM and made some operations. At the end, this playbook will open a Jira ticket. This is done for every alert on the case.

I was wondering if there is a way to create a ticket just for the case and not for all alerts grouped in it.

Thank you in advance.

Solved Solved
0 2 1,911
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
EricMalzahn
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

We had this problem at one of my previous companies.  The connector was SentinelOne and the ticketing system was ServiceNow.  We definitely wanted to group alerts into cases but only have one ServiceNow ticket per case.  We worked with Siemplify professional services to create an action that would determine if an alert was the first one in a case.  A conditional then would lead to a ServiceNow action if "true" was returned.  

This work may be now contained with in the Tools Power Up in the SOAR Marketplace.  See if "Find First Alert" in Tools does what I'm describing.  Either way, it's possible though.

View solution in original post

Jump to Solution
2 REPLIES 2