
Overflow Cases and Alert Grouping 

Questions:

1. Can you link an overflow case back to the original case? How do you identify what the original case is when dealing with an overflow case?

2. When you have an overflow case, the ontology mapping and entity mapping are both skipped. How can you recover this data? 

3. Can you break out an alert from an overflow case, and bring it to a different case? Can you recover the alert data?

4. When a playbook is attached to an overflow case alert, can this playbook refer back to the original overflowed case?

5. How do playbook runs change with overflow cases? What will break?

Solved

1 ACCEPTED SOLUTION

Q1. Can you link an overflow case back to the original case? How do you identify what the original case is when dealing with an overflow case?
A1. If you mean transferring or merging it into a regular case, it is not possible. To identify the cause of the overflow, you usually need to review the data source and which incidents were ingested in the past X hours, or prior to the creation of the overflow case.

Q2. When you have an overflow case, the ontology mapping and entity mapping are both skipped. How can you recover this data?
A2. It is not currently supported in the product. An overflow case is a sort of notification that tells you that you had an issue with the same/similar data being ingested too many times, which caused the overflow.
You can consider re-creating the connector with Max Time Backwards set so that it will cover those alerts, but there's a high chance (90%+) that it will be another overflow.

Q3. Can you break out an alert from an overflow case, and bring it to a different case? Can you recover the alert data?
A3. No, it is not possible. Overflow cases and the alerts in them don't have the actual data you need for a regular alert / case.

Q4. When a playbook is attached to an overflow case alert, can this playbook refer back to the original overflowed case?
A4. Playbooks cannot be attached to overflow cases automatically, only manually. Since an overflow alert/case does not hold the actual alert information, everything related to interaction with this data wouldn't work.

Q5. How do playbook runs change with overflow cases? What will break?
A5. Same as A4.
 
 
The overall idea is to set up ingestion so that it won't produce any overflow cases.

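The accepted answer says the only way to find out what caused an overflow is to review the data source for what was ingested in the hours before the overflow case appeared. The script below is an added example, not part of the original thread and not the product's own code; it does that review offline over connector-side alert metadata by replaying alerts in time order and reporting the first grouping key whose count exceeds a threshold inside a sliding window, together with the alert IDs that were in the window when it tripped. The grouping fields (environment, product, rule generator, source grouping identifier), the 50-alerts-per-hour threshold, the field names and the sample alerts are all assumptions constructed for the example; check your own platform's overflow settings before relying on the numbers.

```python
"""Locate the alert stream that tripped an overflow, from connector-side
alert metadata. Added example: grouping key, threshold, field names and
sample data are assumptions, not the product's documented behaviour."""
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed overflow rule for this example: more than THRESHOLD alerts sharing
# the same grouping key inside a sliding WINDOW. Tune to your own settings.
WINDOW = timedelta(hours=1)
THRESHOLD = 50

# Constructed "current time" used by the demo and the re-ingest calculation.
SAMPLE_NOW = datetime(2024, 1, 1, 14, 0, 0)


def grouping_key(alert):
    """Fields assumed to make two alerts 'the same' for overflow purposes."""
    return (
        alert["environment"],
        alert["product"],
        alert["rule_generator"],
        alert["source_grouping_identifier"],
    )


def find_overflow_groups(alerts, window=WINDOW, threshold=THRESHOLD):
    """Replay alerts in time order; for each grouping key that exceeds the
    threshold inside the window, return when it tripped and which alerts were
    inside the window at that moment (the ones to look up in the data source)."""
    recent = defaultdict(deque)  # key -> (timestamp, alert_id) still in window
    tripped = {}
    for alert in sorted(alerts, key=lambda a: a["timestamp"]):
        key = grouping_key(alert)
        ts = alert["timestamp"]
        q = recent[key]
        while q and ts - q[0][0] > window:  # evict entries older than the window
            q.popleft()
        q.append((ts, alert["alert_id"]))
        if len(q) > threshold and key not in tripped:
            tripped[key] = {
                "tripped_at": ts,
                "window_start": q[0][0],
                "count": len(q),
                "alert_ids": [aid for _, aid in q],
            }
    return tripped


def hours_to_cover(entry, now):
    """Whole hours a re-created connector's Max Time Backwards would need in
    order to reach the first alert of the tripped window (assumes the setting
    is hour-granular; the answer above warns this may simply overflow again)."""
    return math.ceil((now - entry["window_start"]) / timedelta(hours=1))


def build_sample_alerts():
    """Constructed sample: one noisy EDR rule firing every 30 s from a single
    host, plus two quieter streams that stay under the threshold."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    env = "Default Environment"
    alerts = []
    for i in range(60):  # 60 alerts in 30 minutes -> trips the assumed rule
        alerts.append({"alert_id": f"edr-{i}", "timestamp": base + timedelta(seconds=30 * i),
                       "environment": env, "product": "EDR",
                       "rule_generator": "Suspicious PowerShell",
                       "source_grouping_identifier": "host-17"})
    for i in range(40):  # one alert every 4.5 min: at most 14 per hour
        alerts.append({"alert_id": f"edr-lat-{i}", "timestamp": base - timedelta(hours=1) + timedelta(seconds=270 * i),
                       "environment": env, "product": "EDR",
                       "rule_generator": "Lateral Movement",
                       "source_grouping_identifier": "host-03"})
    for i in range(5):  # sparse firewall alerts
        alerts.append({"alert_id": f"fw-{i}", "timestamp": base + timedelta(hours=i),
                       "environment": env, "product": "Firewall",
                       "rule_generator": "Port Scan",
                       "source_grouping_identifier": "fw-edge-1"})
    return alerts


if __name__ == "__main__":
    for key, entry in find_overflow_groups(build_sample_alerts()).items():
        print(f"overflow from {key}: {entry['count']} alerts between "
              f"{entry['window_start']} and {entry['tripped_at']}; "
              f"first/last ids {entry['alert_ids'][0]} / {entry['alert_ids'][-1]}; "
              f"Max Time Backwards needed now: {hours_to_cover(entry, SAMPLE_NOW)} h")
```

The returned `alert_ids` and `window_start` are what you would search for in the source product's own console, since the overflow case itself carries none of that data. Running the script as-is reports the single noisy EDR stream and leaves the two quieter streams untouched.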

2 REPLIES


Thank you @f3rz