Skip to main content
Solved

Updating Alert Risk Score in SOAR using Custom Action

  • April 15, 2025
  • 3 replies
  • 99 views
jaymin
Forum|alt.badge.img+6

Hi SOAR Community,

I'm trying to update the Alert Risk Score value using a custom action based on specific logic. Although I couldn't find a direct method in the SOAR SDK, I was able to read the risk_score field value using alert.additional_properties. However, I'm unsure if it's possible to update the Risk Score value of an Alert in SOAR.

Can anyone provide guidance on how to update the risk_score field, or if there's a different approach I should take?

 
 
 
 
 
 
 

Best answer by ylandovskyy

Hey @jaymin ,

Unfortunately, at this point that specific property is not mutable post ingestion. So, that means it can be adjusted at the connector level, but after the alert is created it can't change.

    3 replies

    ylandovskyy
    Staff
    Forum|alt.badge.img+16
    • ylandovskyy
    • Staff
    • April 15, 2025

    Hey @jaymin,

    There are multiple ways to solve this use case. The properties that come directly in the Alert are not the most optimal way. Instead I would suggest to either use Custom Fields or Context Values. There are actions inside Siemplify integration that can be used for inspiration (Set Custom Fields/Set Scope Context Value).

    Additionally, there is an action in Tools powerup called "Set Alert Score", that score can be used for the "risk score" use case as well.

    Let me know, if this is useful.

      jaymin
      Forum|alt.badge.img+6
      • jayminBronze 5
      • Author
      • Bronze 5
      • April 16, 2025

      Hi @ylandovskyy ,

      Well, it looks like we've reached the end of the road! Unfortunately, it seems that once the `Alert.risk_score` value is set in the Detection Rules as part of the SIEM, it's locked in and can't be updated in SOAR.

      Using Set Context Values is a great way to save extra info about an alert, case, or globally, but sadly it won't help us update that Alert.risk_score value.

      And just to clarify, the Set Alert Score action is actually meant for Cases, not Alerts - so that's not the solution we're looking for either.

      Just to confirm, is this the correct understanding? Is there no way to update the `Alert.risk_score` value once it's set in the Detection Rule?

      Thanks so much for the suggestions, though! I appreciate the help and insight. If there's ever a way to update the `Alert.risk_score` value in the future, please do let me know - I'd love to revisit this and find a solution!

       

      ylandovskyy
      Staff
      Forum|alt.badge.img+16
      • ylandovskyy
      • Staff
      • Answer
      • April 16, 2025

      Hey @jaymin ,

      Unfortunately, at this point that specific property is not mutable post ingestion. So, that means it can be adjusted at the connector level, but after the alert is created it can't change.

        Terms & ConditionsCookie settingsAccessibility statement
        Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

        © 2025 Google. All rights reserved.