There are some actions that only need to be done once for a case. For example we use a webhook to alert on new cases, but currently we get an alert for every event because we can't assign a playbook to a case. With this feature we could get an alert only once per case.

We also try to implement processes such as opening a case for the IT department. For a case we only need to open one ticket for them, not one for every alert.

This would make the analysts' lives easier because the system should automate as much of the clerical work as possible.

    Vouch for that x100. Our playbooks which involve email sending can be nasty for the end users if the case for any reason has more than 2 of the same alerts.

    This would be a HUGE improvement. We currently have a manual instruction for analysts to ensure that all unique alerts are triaged and to move completely unrelated alerts to their own case. As an example of how this would be helpful:

    - We have 4 alerts for quarantined files grouped into the same case, and all 4 are false positives.

    - We would like to add all 4 SHA256 hashes to a Safelist Custom List. Currently, that would require working through the playbooks for all 4 alerts, but if we could have a "case" playbook, we could add the SHA256 from all 4 alerts by marking the files as false positives in a case playbook.

    This would be a really useful capability. Also the ability to have the playbook look over all Alert data and the Events in each Alert would be great. Currently you have to pull the case data to get all the Events from every Alert, which isn't ideal.

    Yeah, I have a couple of actions that I've written to be used in playbooks that check if they're running on the first alert and exit otherwise.

    It would be really nice to be able to configure a playbook to be case-centric or alert-centric, or even be able to select whether an action in the playbook runs on the whole case or on each alert.
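The workaround the last two comments describe (an alert-triggered action that checks whether it is running on the first alert of the case and exits otherwise) and the case-level aggregation the safelist example asks for can both be sketched in a few lines. The following is an added example, not code from the thread or from any SOAR platform; the `Alert` record, the `seq` ingest-order field, the in-memory `CaseActionGate` and the sample alerts are all constructed for illustration. Compared with the "first alert" check alone, the gate also keeps a once-per-case action from firing again when the playbook is re-run on the same alerts.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """Hypothetical alert record as a playbook would see it."""
    alert_id: str
    case_id: str
    seq: int                      # ingest order within the platform (assumed field)
    sha256: str = ""              # file hash for quarantined-file alerts
    false_positive: bool = False  # analyst verdict on this alert


# Constructed sample data: four quarantined-file alerts grouped into one
# case (all judged false positive) plus one unrelated alert in a second case.
SAMPLE_ALERTS = [
    Alert("A-1", "C-100", 1, "a" * 64, True),
    Alert("A-2", "C-100", 2, "b" * 64, True),
    Alert("A-3", "C-100", 3, "c" * 64, True),
    Alert("A-4", "C-100", 4, "d" * 64, True),
    Alert("A-5", "C-200", 5, "e" * 64, False),
]


class CaseActionGate:
    """Remembers which (case, action) pairs have already run so that an
    alert-triggered playbook behaves like a case-level action.
    A real deployment would back this with a shared store (a custom list
    or a database) instead of process memory."""

    def __init__(self) -> None:
        self._fired: set[tuple[str, str]] = set()

    def should_run(self, case_id: str, action: str) -> bool:
        key = (case_id, action)
        if key in self._fired:
            return False          # already done for this case: exit early
        self._fired.add(key)
        return True


def is_first_alert_in_case(alert: Alert, all_alerts: list[Alert]) -> bool:
    """The check the commenter describes: True only for the earliest alert
    of the case, so the playbook exits on every later alert."""
    same_case = [a for a in all_alerts if a.case_id == alert.case_id]
    return alert.seq == min(a.seq for a in same_case)


def false_positive_hashes(case_id: str, all_alerts: list[Alert]) -> set[str]:
    """Case-level aggregation: collect the SHA256 of every alert in the case
    that an analyst marked false positive, ready to push to a safelist."""
    return {a.sha256 for a in all_alerts
            if a.case_id == case_id and a.false_positive and a.sha256}


def run_playbook_per_alert(alerts: list[Alert], gate: CaseActionGate) -> list[str]:
    """Simulates the platform invoking the playbook once per alert and
    returns the case-level actions that actually fired."""
    fired = []
    for alert in alerts:
        # Each once-per-case step is guarded separately, so a new action
        # can be added without touching the others.
        for action in ("notify-webhook", "open-it-ticket"):
            if gate.should_run(alert.case_id, action):
                fired.append(f"{action}:{alert.case_id}")
    return fired


if __name__ == "__main__":
    gate = CaseActionGate()
    print(run_playbook_per_alert(SAMPLE_ALERTS, gate))   # one webhook and one ticket per case
    print(run_playbook_per_alert(SAMPLE_ALERTS, gate))   # re-run: nothing fires again
    print(sorted(false_positive_hashes("C-100", SAMPLE_ALERTS)))
```

Running the playbook over the five sample alerts fires the webhook and the ticket once for `C-100` and once for `C-200` instead of five times each, and a second pass with the same gate fires nothing; the hash set for `C-100` is the four values an analyst would push to the safelist in one step.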

