Skip to main content

We have onboarded alerts from a 3rd party security product in SIEM. We have a single detection rule which monitors those events and creates cases in SOAR. By default the case name and severity is assigned as rule name and severity (meta section) in the detection rule.

The events from the security product contain different kind of alerts and associated severitu and extracted those values in security.event fields and we have mapped to outcomes section as below,

detection.outcomes.rule_detection and detection.outcomes.severity

Does SecOps having the capability to dynamically  assign the case name and severity based on the field values in outcomes section rather than the default values provided in YARA-L rule?

As alerts flow to the case management system, you can optionally add playbooks to enable enrichment and automated response. Playbooks can rename cases (using fields from the alert), along with changing the severity using the underlying severity from the vendor's detection. Both change alert/case name and change severity are available as actions in the SOAR.


-mike

Best way to do is create a block which will assign dynamic case name with case id (use actions to assign case name)

and even for severity you can create a block .

when you create a playbook , add these 2 blocks at the beginning. 

you can custom case name and severity based on the use case!!

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.