Hi,
we have several sources of alerts integrated in the SOAR. We'd like that, when we close the case in the SOAR, we could automatically close the alert in the origin (like SIEM, MS Defender, etc.). We can execute a playbook manually but we'd like to automate this...
As we cannot create a trigger for this in a playbook, do you know if we can create a job to check this every XX minutes/hours? Is this possible? Any idea?
Thanks!
M.
it all depends on how you are using the playbooks. We, as a MSSP, use playbooks to weed out false positives/known issues and perform Tier1 actions before cases get to the the analysts for deeper analysis. If deemed false positive/known issue, we put the product close alert/incident action prior to the SOAR close alert in that branch of the playbook.
I don't believe that you can use an Integration action in a job. That would most likely have to be coded from scratch.
Please let me know if you've found the answer.
Many of the Integrations in the marketplace have a Job to monitor for closures and sync to the remote platform
e.g.
For integrations where this does not exist you can log a feature request, or potentially implement one using the IDE
Failing that, yes I would consider adding "close incident" action into your playbooks at the end.
I hope this helps
Andy
Hi all
yes, as @SoarAndy says, for Chronicle incidents I'm using this job, and for other sources (Cortex, MS Defender, etc), the integrations have an update incident action or similar, so I have developed a playbook "Close Alert" which test the alert's source and close the incident and the alert.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.