This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Simulating a Case with Multiple Alerts via API

Posted on 05-12-2025 12:54 AM
surajsingh12312
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I am trying to simulate cases for testing playbook execution flows by ingesting alerts into a Test Environment. For the cases containing multiple Alerts, there is a flag in SimulateAlert api that I think would solve the issue but it isn't working and the individual alerts are being created as separate cases instead of a merged alert case.

{
"caseId": 0,
"alertIdentifier": "string",
"environment": "string",
"shouldDoGrouping": true,
"fieldsToReplace": {
"additionalProp1": "string",
"additionalProp2": "string",
"additionalProp3": "string"
}

Is there any other way I can try to Simulate Cases with multiple alerts via API.
Another issue is that the SimulateAlert endpoint doesn't give any response back. It would be much helpful if it can give back anything like Case ID of the case that was ingested as Test Alert in the response so that it can be used further for reference. 

0 3 225
Topic Labels
0 Likes
3 REPLIES 3

Posted on --/--/---- --:-- AM
ylandovskyy
Staff
Reply posted on --/--/---- --:-- AM

Hey @surajsingh12312 ,

Can you explain the use case? What is the need for a simulated case with multiple alerts? Currently, playbooks are executed on specific alerts, does it mean that your playbook will extract data from more than 1 Alert?

0 Likes

Posted on --/--/---- --:-- AM
surajsingh12312
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi @ylandovskyy , Yes I want to test playbooks on multiple alerts that are grouped together in one case. What I want to is to simulate the whole case so that the grouped alerts also gets grouped in simulation.
For example - Case 1 contains (Alert 1 and Alert 2)
Since there is no option to simulate the whole case via API, I am simulating Alert 1 and Alert 2. Which gets created as Case New 1 - Alert 1 and Case New 2 - Alert 2. Is there any option with API, using which I can group these alerts into one - Case Simulation - Alert 1 and Alert 2

0 Likes

Posted on --/--/---- --:-- AM
ylandovskyy
Staff
In response to surajsingh12312
Reply posted on --/--/---- --:-- AM

I am not sure there is a way to create a "Simulated Cases" with 2 alerts and I want to make sure that our terminology is aligned. In this situation the simulated case actually means "test" case. In the platform it's highlighted like this:

ylandovskyy_0-1747220631737.png

This is the "Case" that can be used in Playbook Simulator.

But you can still create a pre-grouped case, it just won't be a "test" case. 

ylandovskyy_1-1747220747993.png

You can export the existing examples of "Simulated Cases". It will be a Case JSON object, which you can fully tweak. You can put more than 1 alert with its own events there. When everything is done, you can import it back in the system and use for testing purposes.

 

0 Likes
Top Solution Authors
View all