Initially, the case was marked as High priority because the first alert associated with it was High. After that alert was closed, a second alert with Medium priority was grouped into the case, and the case priority changed to Medium. Is this the expected behavior in Google SecOps SOAR? Should closed alerts still influence the case priority?
As per the document: "Therefore, as shown in the previous example, a subsequent alert with a lower priority wouldn't override the critical priority already assigned to the case by a prior alert."
However, in my case, the priority was overridden from High to Medium, which shouldn't be happening.
Is there a playbook attached to the second alert? Is there any action like Update Case or Change Priority in there?
No, there are no explicit playbooks configured to change the case priority. However, the first alert was automatically closed by the Jira closure job we set up, which is designed to close the SOAR alert as soon as the corresponding Jira ticket is closed. One observation is that as soon as the first alert is closed by the automation, the case priority changes to match the priority of the second alert.