
How to update alert description using playbook/blocks

I used Tools - Add/Update Alert and passed the JSON {"description": "test -updated description"}

It showed success.

And I used Fetch Original Alert ... but I could still see the previous description.

How can I see the new updated description?

Is there any other standard way of doing it?

The action under Tools - Add/Update Alert is not working.

Is it working?

Please help me if it's working.


Hi @vanitharaj1208, alerts usually (by design) cannot be edited once ingested, meaning you cannot change data returned by the source.


However, you can add and edit additional data with the Add Or Update Alert Additional Data from Tools PowerUp. This data won't become part of the original alert, but you can use it later in your actions.


Just for example, it does not allow you to change Alert.IP, but you can add your data (and change it later), for example Alert.OFFENSE_ID.dict.IP.



To summarise:


1. You can't edit the alert's original data that comes from the connector that took it from the source;
2. But you can add and edit additional data associated with an alert that is not part of the alert's original data.


----


If you need to manipulate / translate / parse data within alert prior to ingestion you can use:


1. Mapping with regex (that will allow you to parse something specifically for later use);
2. Customise the connector (or submit a Feature Request for it), so that while ingesting the alert it changes the data as needed.


@f3rz I was also not able to add additional data ... I was not able to see the field OFFENSE_ID.


@vanitharaj1208 could you please show how you are executing the action (screenshot)? Also, have you tried to search for your value in the Alert data (see screenshot):




The action gets executed, but when I searched in the event I was not able to see it.




Hi @vanitharaj1208, what I meant is whether you could attach the data (JSON) that you pass to that action, so I can validate it on my end.


Hey,

you can just use the action Tools - Change Case Name; then you only need the field where you can find a descriptive name or something else. The ontology also provides a good indication.

Then build a "check" condition and let the action run.


@vanitharaj1208 

You can use the API to accomplish this. First, I recommend testing it in Swagger. To access the Swagger UI, the URL is https[:]//YourSecOpsConsoleURL/swagger/index[.]html

Once you’re in Swagger, look for the POST method dynamic-cases/ChangeCaseDescription under Case Management.

After testing and confirming it works as expected, you can set up a playbook to automate calling this API as needed.
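As an added example (not code from the thread, the SOAR product, or its API documentation), the following Python script assembles and sends the POST described above from a playbook-style script. Only the endpoint name dynamic-cases/ChangeCaseDescription comes from the thread; the base path api/external/v1/, the AppKey header and the body field names caseId and description are assumptions that should be confirmed against the Swagger page before use.

```python
# Added example, not from the thread or from the Google SecOps SOAR API docs.
# The endpoint name (dynamic-cases/ChangeCaseDescription) is from the thread;
# the base path, the "AppKey" header and the body field names are ASSUMPTIONS
# to confirm in Swagger first.
import json
import os
import urllib.request
from urllib.parse import urljoin, urlparse

API_BASE_PATH = "api/external/v1/"                # assumed base path
ENDPOINT = "dynamic-cases/ChangeCaseDescription"  # from the thread


def build_payload(case_id: int, description: str) -> dict:
    """Request body for ChangeCaseDescription (field names assumed)."""
    if not isinstance(case_id, int) or case_id <= 0:
        raise ValueError("case_id must be a positive integer")
    if not description.strip():
        raise ValueError("description must not be empty")
    return {"caseId": case_id, "description": description}


def build_request(console_url: str, api_key: str, case_id: int,
                  description: str) -> urllib.request.Request:
    """Assemble the POST; the API key travels in a header, never in the URL."""
    if urlparse(console_url).scheme != "https":
        raise ValueError("use https so the API key is not sent in clear text")
    url = urljoin(console_url.rstrip("/") + "/", API_BASE_PATH + ENDPOINT)
    body = json.dumps(build_payload(case_id, description)).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("AppKey", api_key)  # assumed header name
    return req


def change_case_description(console_url: str, api_key: str, case_id: int,
                            description: str, timeout: int = 15) -> int:
    """Send the request and return the HTTP status (log the status, not the key)."""
    req = build_request(console_url, api_key, case_id, description)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed values: replace the console URL, and keep the key in the
    # environment (or the platform's secret store) rather than in the script.
    status = change_case_description(
        "https://YourSecOpsConsoleURL",
        os.environ["SOAR_API_KEY"],
        12345,
        "test - updated description",
    )
    print("HTTP", status)
```

The URL check rejects plain http so the key is never sent in clear text, and the key is read from the environment rather than hard-coded, which matters once this script lives in a shared playbook repository.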

