Managing case stages via playbook for cases with multiple alerts

Question

Is there a good way to be able to manage case stages via playbooks where cases have multiple grouped alerts?

We're using case stages to calculate metrics such as MTTR.

If we have a case with a single alert, then we can make the alert playbook change the case stage to "Resolved" as part of closing the alert. But if a case has multiple alerts, we need that to only happen once the last alert on the case is resolved.

We can't see any supported way to achieve this, such as a way to add conditional logic to a playbook based on the status of all other alerts in the same case.

How are others handling this scenario?

f3rz · Accepted Answer

@effytw there's an action Find First Alert in Tools powerup that might be slightly edited for this need:

From:

siemplify.case.alerts.sort(key=lambda x: x.creation_time)

To:

siemplify.case.alerts.sort(key=lambda x: x.creation_time, reverse=True)

This will allow you to use Condition by comparing AlertIdentifier returned by an action next to a current, and if lastAlert = currentAlert, do stage transitioning.

The only problem that might be happening here is that a new alert may be ingested during the action run. So maybe leaving this step to the analyst as a manual action is better.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded