Solved

Overflow Case Management

  • January 27, 2026
  • 3 replies
  • 77 views

donkos

We occasionally get overflow cases but they get buried in the case queue and are pretty much ignored.

 

I was building a playbook to send out automated email notifications that would attach when a case tag includes “Overflow” but I just read that you cannot automatically attach playbooks to overflow alerts.

Does anyone have any methods to send out notifications if an overflow case gets created?

 


Ulab
  • Bronze 1
  • January 29, 2026

I got into the same problem. Since playbooks can’t be automatically attached to overflow cases, I worked around it by creating a monitoring rule that watches for cases tagged with “Overflow” and then triggers an email notification workflow separately. This way, even if the case lands in the overflow queue, the notification still goes out immediately.


donkos
  • Author
  • New Member
  • January 29, 2026

@Ulab When you say monitoring rule, do you mean a rule in Cloud Logging in Google Cloud Monitoring?


cmorris
  • Staff
  • Answer
  • January 30, 2026

@Ulab When you say monitoring rule, do you mean a rule in Cloud Logging in Google Cloud Monitoring?

You can take the SOAR logs sent to GCP and create an alert based off of them to notify you. You could also look at ingesting those logs into SecOps where you could act on them via a rule and playbook.