Skip to main content

Hi Everyone,

I’m working on setting up SLA rules in Chronicle SOAR for cases, and I’ve run into some challenges that I’d like to get your input on. Here’s the scenario:

Requirements:

  1. First response SLA: Starts when a case is created and stops when the case is assigned or moves out of the Triage stage and period 1 hours.

  2. Update SLA: Starts after the case moves out of Triage and resets whenever there’s an update in the case wall and duration is specific to Severity. Stops when the case is closed.

    The challenge is chronicle doesn’t appear to have a direct SLA reset mechanism to restart timers whenever there’s a casewall update.

    • using the "Get Case Communications" Siemplify Action Module be a viable workaround to detect updates and restart SLA timers dynamically? Has anyone successfully implemented something similar?
      Timer Start for SLA:   The response SLA starts when the case is created, but the Update SLA needs to start when the case exits the Triage stage. How can I configure these separate trigger-based SLA conditions within Chronicle?

Hi,

At the moment (September 2025) I Think is not possible to create a dynamic SLA criteria (I hope in the near future), but I could suggest you to use a job that monitoring all  cases with a specific criteria (for example Stage X, or assigned, etc.) on the SOAR via the following API → (go to https://customer.siemplify-soar.com/swagger/index.html) /api/external/v1/search/CaseSearchEverything)

After that, you could stop the SLA (It’s a little tricky but I suggest you to copy the logic presents in the “Pause Alert SLA” action inside the Siemplify integration)

It’s only a suggestion, but I think that using this simple API and put some logic inside your job, you can do everything!

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.