
Is there a good way to be able to manage case stages via playbooks where cases have multiple grouped alerts?

We're using case stages to calculate metrics such as MTTR. 

If we have a case with a single alert, then we can make the alert playbook change the case stage to "Resolved" as part of closing the alert. But if a case has multiple alerts, we need that to only happen once the last alert on the case is resolved.

We can't see any supported way to achieve this, such as a way to add conditional logic to a playbook based on the status of all other alerts in the same case.

How are others handling this scenario?

@effytw there's an action Find First Alert in the Tools powerup that might be slightly edited for this need:

From:

siemplify.case.alerts.sort(key=lambda x: x.creation_time)

To:

siemplify.case.alerts.sort(key=lambda x: x.creation_time, reverse=True)

This will allow you to use a Condition that compares the AlertIdentifier returned by the action with the current one, and if lastAlert = currentAlert, do the stage transition.


The only problem that might arise here is that a new alert may be ingested while the action runs. So maybe leaving this step to the analyst as a manual action is better.


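A sketch of the comparison the reply describes, as an added example that is not part of the thread and not the Tools powerup's own code. It uses constructed stand-in objects instead of the SDK so it runs offline; the attribute names `identifier`, `creation_time` and `status`, and the status value "closed", are assumptions about the shape of the real case and alert objects. Next to the newest-by-time check it puts the stricter condition the question actually asks for, every other alert on the case already closed, which does not depend on alerts being closed in creation order.

```python
"""Added example, not code from the thread or from the Tools powerup.

Stand-in objects for a case and its alerts so this runs offline; the attribute
names `identifier`, `creation_time` and `status`, and the status value
"closed", are assumptions about the shape of the real SDK objects.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Alert:
    identifier: str
    creation_time: int  # epoch milliseconds; the same sort key the reply's snippet uses
    status: str         # assumed values: "open" or "closed"


@dataclass
class Case:
    alerts: List[Alert] = field(default_factory=list)


def find_last_alert(case: Case) -> Optional[str]:
    """Newest alert by creation_time: the reply's Find First Alert edit with reverse=True."""
    if not case.alerts:
        return None
    newest = sorted(case.alerts, key=lambda a: a.creation_time, reverse=True)[0]
    return newest.identifier


def is_last_alert(case: Case, current_id: str) -> bool:
    """The Condition the reply suggests: lastAlert == currentAlert."""
    return find_last_alert(case) == current_id


def all_other_alerts_closed(case: Case, current_id: str) -> bool:
    """Stricter condition: every alert on the case other than the current one is
    already closed.  Unlike the newest-by-time check it does not assume alerts are
    closed in creation order, and it sees any alert ingested before the case was
    read; one that arrives afterwards is still the race the reply warns about."""
    return all(a.status == "closed" for a in case.alerts if a.identifier != current_id)


def should_resolve_case(case: Case, current_id: str) -> bool:
    """Allow the transition to "Resolved" only when closing the current alert
    leaves no open alert on the case."""
    return all_other_alerts_closed(case, current_id)


def demo_case() -> Case:
    """Constructed sample: three alerts, only the oldest already closed."""
    return Case([
        Alert("A1", 1_700_000_000_000, "closed"),
        Alert("A2", 1_700_000_060_000, "open"),
        Alert("A3", 1_700_000_120_000, "open"),
    ])


if __name__ == "__main__":
    case = demo_case()
    # The newest alert is closed first: newest-by-time says "last", but A2 is still open.
    print("A3 newest:", is_last_alert(case, "A3"), "resolve:", should_resolve_case(case, "A3"))
    case.alerts[2].status = "closed"
    # A2 closes last: it is not the newest, yet it is the one that should resolve the case.
    print("A2 newest:", is_last_alert(case, "A2"), "resolve:", should_resolve_case(case, "A2"))
```

The two checks disagree exactly when alerts are not closed in creation order: the newest-by-time comparison resolves the case too early if the newest alert's playbook finishes first, and never resolves it if an older alert is closed last. Reading the other alerts' statuses avoids both, but neither check sees an alert that lands after the case snapshot was taken, which is why the reply's manual-action fallback still applies.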