Skip to main content

Create Alert in a Playbook

  • April 23, 2025
  • 2 replies
  • 78 views
mikelmi01
Forum|alt.badge.img+5

In a playbook that was activated by an alert from a specific Product, I am trying to create an alert in a different environment. I've been trying to do that through an Execute HTTP Request Action.That action, which includes the following json in the Body Payload, is able to create an alert:

{
    "name": "CRITICAL DOMAIN DETECTED FROM Px",
    "environment": "MetR",
    "rule_generator": "Playbook MetR Px",
    "alert_identifier": "Px-[Case.Id]-[EntityIdentifier]",
    "priority": 90,
    "start_time": "2025-04-15T14:00:00Z",
    "events": [
      {
        "event_name": "Event_No_Name",
        "type": "Event_No_Name",
        "severity": 4,
        "source": "Px",
        "device_product": "Teleg"
      }
    ],
    "entities": [
      {
        "identifier": "[Functions_Extract_IOCs_1.ScriptResult]",
        "entity_type": "DOMAIN"
      }
    ],
    "custom_fields": {
      "detected_from": "Px",
      "source_case": "[Case.Id]",
      "playbook_origin": "AlertsTelegPx",
      "extracted_domains": "[Functions_Extract_IOCs_1.ScriptResult]"
    }
  }
 
However, the alarm is created with no entities. I would like to have the alert be generated with the exact same entities as the alert that activated the playbook. I thought that by adding in the json the entities with the [Functions_Extract_IOCs_1.ScriptResult], which is the result of an action where we successfully can see all the entities of the initial alarm would be enough, but it isn't. Is it possible to be done in any way?

2 replies

ylandovskyy
Staff
Forum|alt.badge.img+16
  • ylandovskyy
  • Staff
  • April 23, 2025

Hey @mikelmi01 ,

My suggestion would be to recreate the same alert in an identical way. I've never tried to create an alert from within playbook, but what you can explore is to run the action "Get Original Alert JSON" in Tools integration to get the Alert object.

If you will not be able to take the whole object as payload for API request, then at least you can take the same events and then the same mapping will create alert with the same entities.

So, in the end you will create a new alert that will have the same events, but because they are the same events, they will create same entities as mapping didn't change.

Let me know, if this makes sense.

SoarAndy
Staff
Forum|alt.badge.img+12
  • SoarAndy
  • Staff
  • April 25, 2025

Considering the Alert you pushed to the API, this will go through ontology and mapping.  This process is Environment spefic, and so you *might* get different behaviour.

Under the new Alert, check the Event, and check mappings, see which is green, what is found.  Then you can either change the JSON that is pushed, or change the mappings to suit

 

Edit - I don't see Source vendor, source system, (etc) in that payload. This is how SOAR detects which ontology to map.  As with my first statement, if your Alert1 comes from SIEM vendor xyz it will apply the specific ontology.  If Alert2 (your JSON payload) doesn't have the same keys, SOAR will apply a different ontology mapping)

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.