
I need some help with the following problem. We would like to add an analyst opinion or comment during the investigation. That means if we close a Case via a Playbook action in Defender or another EDR like CrowdStrike, I would like to add the Analyst Comment as the Resolution comment.

Is there a way to give the analyst the opportunity to enter something as an action, and then have this used as a comment later on?

If so, what is the best way to do this?

Regards,

@gsec cases cannot be updated after they are closed. So the only way an analyst can comment is by re-opening the automatically closed case.


I recommend that you request a feature by opening a Support Case.


I'll throw a few ideas out. Perhaps they may be helpful.


For both CS and MS, I see update incident options and CS has some additional options but close case does not appear to be there.


I'm wondering if you could perform one of these updates in your playbook and then add a case comment block (for auto-comment) or an instruction block asking an analyst to take some action before closing... Not sure if that fits into your workflow, but a few things that jump to mind.


Hi,

You can use Create Siemplify Task under Tools Integration (Tools - Create Siemplify Task). This will create a task for analysts; you can give an instruction to add comments to give the Resolution, and the analyst can add comments and mark it as done.

Or simply use Siemplify_Case Comment and set it to manual action, then add an instruction for analysts to provide the Resolution.

 

Hey,

Thanks for the comments. The Action Instruction has a JSON Result as Outcome, therefore you can use this in other Steps of the playbook, and that is everything I need.

@vanitharaj1208 that is also a good alternative.

Regards,

