{
"name": "MDE_Incident_Aggregator_v1.0",
"description": "Automatically groups MDE alerts into existing cases based on Incident ID.",
"category": "Inbound_Filters",
"steps": [
{
"id": "check_existing_incident",
"type": "Action",
"integration": "Google_SecOps_SIEM",
"action": "Search_Cases",
"parameters": {
"query": "external_id = [alert.incidentId]",
"status": "Open"
}
},
{
"id": "decision_gate",
"type": "Condition",
"logic": "if (steps.check_existing_incident.result_count > 0)",
"on_true": "add_evidence_to_case",
"on_false": "create_new_master_case"
},
{
"id": "add_evidence_to_case",
"type": "Action",
"action": "Update_Case",
"parameters": {
"case_id": "steps.check_existing_incident.first_result.id",
"comment": "Secondary Alert [alert.alertId] added to Incident [alert.incidentId]"
}
},
{
"id": "create_new_master_case",
"type": "Action",
"action": "Create_Case",
"parameters": {
"title": "MDE Incident: [alert.incidentId] - [alert.title]",
"external_id": "alert.incidentId",
"priority": "alert.severity"
}
}
]
}