When closing an alert, don't remove it from the case.

When closing an alert, don't remove it from the case.

Daniel HarveyDaniel Harvey Siemplify Champion
edited May 2021 in Suggest New Ideas


Siemplify does a great job of correlating alerts into cases, and is crucial in some instances to gaining the "bigger picture" context and understand what happened during an incident or set of events. Its alert grouping functionality is also greatly valuable in its ability to reduce analyst workload; Rather than actioning several alerts grouping them into one case to be actioned as one.

The problem:

When you close an alert in a case of several, that alert disappears from the case it was grouped into, instead being moved into its own case.

There are several downsides to this approach, I'll do my best to outline our perspective on some of these.

(For these examples let's assume we have two cases:

Case A has several alerts grouped together.

When I close an alert in Case A, it gets moved to Case B and closed immediately.)

Loss of context. (This is the biggest issue we face)

  1. Regardless of the outcome, that alert was valuable context in the bigger picture of case A.
  2. After the analyst completed their triage and added all of their comments to case A, all of the case notes surrounding their investigation of the alert has now been lost, because case does not carry any of this information across when the alert is closed. Now, when we go back to review case we need to manually go back to case to find any of the triage information.

Siemplify ROI stats are somewhat impacted by itself.

  1. Because your closed alerts are being moved into a case of their own, your "Alert reduction percentage" dashboard widget looks like Siemplify is barely reducing your alert load when actually it's providing a lot more value.

A better solution (in our opinion):

It would be much more valuable if Siemplify "greyed out" alerts that have been closed so that they're out of the way, without removing them from the context of the original case.

I'm not sure what would be the best way to represent this, but the idea we've come up with would be some way of labelling the alerts in each case with their status, if they are closed.

This could be done by making them a different colour perhaps, or using an icon to identify when the alert has been closed. You could then have a filter option to show or hide closed alerts within a case.

In the situation where you actually want to move an alert to another case, there should be a separate option (maybe a checkbox in the "Close alert" action to say yes, I want to move this alert to another case.)

Keen to hear others thoughts.

9 votes

Scheduled in Roadmap · Last Updated


  • Marek KreulMarek Kreul Siemplify Gold Member

    absolutely love this initiative - but I would also like to hear Siemplifys thoughts on why they decided to go with this approach.

    For v6, however, I hope Siemplify is going to re-think this behaviour and follow the approach outlined in your description.

  • Daniel HarveyDaniel Harvey Siemplify Champion

    Thanks @Marek Kreul, glad to hear you agree and I too would be interested to hear their feedback 🙂

  • Szymon KozickiSzymon Kozicki Siemplify Champion

    I agree with this 100%. Reviewing past cases can be really cumbersome if they got divided into several closed alerts at some point.

  • Viki KirjnerViki Kirjner Product Team

    Hey @Daniel Harvey, @Marek Kreul, @Szymon Kozicki. thanks for your feedbacks :)

    We also agree with this problem/need :)

    We will address it as part of version 6. Just as Daniel described - In the new behavior, the alert will be closed within the original case and will be greyed-out with some additional indications.

    Feel free to share more inputs or ask for additional clarification.

  • Marek KreulMarek Kreul Siemplify Gold Member

    Hi @Viki Kirjner , when you work on that, maybe you can also integrate re-working the Case-Merge behaviour. Currently a new case is created, but for us - and I guess it's the same for others - the Case ID is THE unique identifier, and it is part of links in outgoing emails, tickets in external ticketing / issue tracking systems etc. pointing to the URL of the original case. Or is this worth a separate "Community Idea" ?

Sign In or Register to comment.