Allow playbooks for cases as well

Allow playbooks for cases as well

MarcelMarcel Siemplify Gold Member
edited March 2021 in Suggest New Ideas

There are some actions that only need to be done once for a case. For example we use a webhook to alert on new cases, but currently we get an alert for every event because we can't assign a playbook to a case. With this feature we could get an alert only once per case.

We also try to implement processes such as opening a case for the IT department. For a case we only need to open one ticket for them, not one for every alert.

This would make the analysts life easier because the system should automate as much of clerical work as possible.

13
13 votes

Scheduled in Roadmap · Last Updated

Comments

  • Szymon KozickiSzymon Kozicki Siemplify Champion

    Vouch for that x100. Our playbooks which involve email sending can be nasty for the end users if the case for any reason has more than 2 of the same alerts.

  • Cyrus RobinsonCyrus Robinson Siemplify Champion

    This would be a HUGE improvement. We currently have a manual instruction for analysts to ensure that all unique alerts are triaged and to move complete unrelated alerts to their own case. As an example for how this would be helpful:

    -We have 4 alerts for quarantined files grouped into the same case, and all 4 are false positives.

    -We would like to add all 4 SHA256 to a Safelist Custom List. Currently, that would require working through the playbooks for all 4 alerts, but if we could have a "case" playbook, we could add the SHA256 from all 4 alerts by marking the files as false positives in a case playbook.

  • FitzyFitzy Siemplify Gold Member

    This would be a really useful capability. Also the ability to have the playbook look over all Alert data and the Events in each Alert would be great. Currently you have to pull the case data to get all the Events from every Alert which isn't Ideal.

  • JoshShomoJoshShomo Siemplify Champion

    Yeah I have a couple of actions that I've written to be used in playbooks that check if they're running on the first alert and exist otherwise.

    It would be really nice to be able to configure a playbook to be case-centric or alert-centric, or even be able to select whether an an action in the playbook runs on the whole case or on each alert.

Sign In or Register to comment.