How to Create new case [from existing 2 cases with IOC or Combine 2 cases ] is it possible ?

  • January 31, 2025
  • 2 replies
  • 26 views

vanitharaj1208
  1. How to create new cases based on information coming from multiple connectors, such as Mandiant and Exchange, with each connector providing different IOCs, and then, within those cases, have specific playbooks run based on the IOCs pulled from each connector?
2 replies

josemarin
Staff
  • February 3, 2025

Can you provide more details to your use case?

Do the alerts being created by both connectors have completely different entities between them? If so, what would be the criteria to group both alerts together?

Do you want to merge the alerts of both cases within a single case, or do you want to create a new case with a single alert that has all the information from the original alerts?
SoarAndy
Staff
  • February 7, 2025

If both connectors are enabled, you will get 2 Alerts. If they match on Alert Grouping (e.g. within x hours AND have an entity in common) they go into 1 case. In your example you didn't elaborate on how you hope they will group: automatically, or are you building logic into the playbook to handle this manually?

I don't see a playbook Trigger for a specific Indicator. Maybe you would run a master playbook which uses 'Attach playbook' based on logic (though remember the playbook view is based on the first playbook, so the majority of the logic should be there).
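To make the grouping rule in the reply above concrete, here is an added illustration (not SOAR product code, and not from either poster) of how alerts from two connectors end up in one case only when they arrive within the grouping window AND share an entity, followed by a simple "attach playbook by entity type" decision a master playbook might make. The 4-hour window, the entity-type-to-playbook mapping and the sample alerts are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed "within x hours" grouping setting for this illustration.
GROUPING_WINDOW = timedelta(hours=4)

@dataclass
class Alert:
    connector: str        # e.g. "Mandiant" or "Exchange"
    received: datetime
    entities: frozenset   # IOCs as (type, value) pairs

@dataclass
class Case:
    alerts: list = field(default_factory=list)

    def entities(self) -> frozenset:
        return frozenset().union(*(a.entities for a in self.alerts))

def belongs_to(case: Case, alert: Alert) -> bool:
    """Grouping rule from the reply: the alert joins the case only if it is
    within the window of an alert already in the case AND shares an entity."""
    return any(abs(alert.received - a.received) <= GROUPING_WINDOW
               and alert.entities & a.entities
               for a in case.alerts)

def group_alerts(alerts):
    """Assign alerts, in arrival order, to the first matching case or a new one."""
    cases = []
    for alert in sorted(alerts, key=lambda a: a.received):
        target = next((c for c in cases if belongs_to(c, alert)), None)
        if target is None:
            target = Case()
            cases.append(target)
        target.alerts.append(alert)
    return cases

# Assumed mapping a master playbook could use to decide which playbook to attach.
PLAYBOOK_BY_ENTITY_TYPE = {"ip": "Enrich and Block IP", "email": "Search Mailboxes"}

def playbooks_for(case: Case):
    return sorted({PLAYBOOK_BY_ENTITY_TYPE[t] for t, _ in case.entities()
                   if t in PLAYBOOK_BY_ENTITY_TYPE})

# Constructed sample: Mandiant and Exchange share an IP; the third alert shares nothing.
T0 = datetime(2025, 2, 7, 9, 0)
SAMPLE = [
    Alert("Mandiant", T0, frozenset({("ip", "198.51.100.7"), ("hash", "placeholder-hash")})),
    Alert("Exchange", T0 + timedelta(hours=1), frozenset({("ip", "198.51.100.7"), ("email", "user@example.test")})),
    Alert("Exchange", T0 + timedelta(hours=2), frozenset({("email", "other@example.test")})),
]
```

Running `group_alerts(SAMPLE)` yields two cases: the Mandiant and Exchange alerts sharing the IP are grouped, the unrelated Exchange alert opens its own case, and the same IP seen 10 hours later would open a third because it falls outside the window.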