Add a Step to Create Cases and Alerts

LogicHub provides a case management feature that enables a security team to collaborate, investigate, and escalate incidents with detailed information and logs. The case management feature is integrated with playbooks. This allows you to automate the creation of cases and alerts. And with the advanced features that LogicHub playbooks provide, the number of false positives can be kept low.

What You'll Learn

  • How to create a case from the playbook?
  • How to create an alert from the playbook?

How to Create a Case

  1. Hover over the step to create a case. Click + button.
  2. Search for create case in the step catalog and choose Case Management - Create Case.
  3. Choose a connection or create a new connection from the drop-down and click Next.
  4. Enter the following details in the create case form.
    • Connection: Choose the connection that you have created and click Next.
    • Parent Node: Select the node to pull data from.
    • Case Type Template (Required): Jinja2 template for the type of case to be created (default).
  5. Click Show Optional Fields to provide additional information for the case.
    • Case Title Template: Jinja2 template for case title. Example: This is {{case_title_column_name}}.
    • Case Description Template: Markdown template for case description (Blockquotes and HTML tags are not supported). Example: Reporter: {{reporter_column_name}}. Severity: {{score_column_name}}.
    • Case Reporter: Column name from parent table containing Reporter of the Case.
    • Case Assignee: Column name from parent table containing Assignee for the Case.
    • Case Priority: Column name from parent table containing Priority for the Case.
    • Other Case Fields Template: Jinja2 template for case custom fields. Input is expected invalid json-array. Example: [{"field-name1":{{column1}}, "field-name2": {{column2}}].
      • You can enter the following JSON syntax for linking alerts to a case:
        {"lh_linked_alerts":["{{alert_Id}}", "alert-84147474"]}
        where, lh_linked_alerts is the field ID which is multivalued type. You can either use the alert ID or the Jinja template. To know more, see how to view alerts in a case
  6. When you are satisfied with the information provided, click Run to add the create case step.

How to Create an Alert

  1. Click + on any step for which you want to create an alert.
  2. Search for ingest alert in the step catalog and choose Ingest Alert.
  3. Enter the details in the form and click Run to save the alert as a step. To know more, see Create Alerts from Playbook Steps.

After setting up the alert step, you can complete the playbook settings and set up a stream. When the playbook stream runs, the alert messages are generated and added to the Case Management > Alerts page. You can search for alerts on the page, filter the list, or display only the alerts of a selected type.

Related

What's Next

🔗   Introduction to Playbooks
🔗   Guide to Playbook Builder
🔗   Add a Step to Import Events
🔗   Add a Step to Transform Data
🔗   Add a Step to Take an Action in Integration
🔗   Add a Step to Ask User Input
📍   Add a Step to Create Cases and Alerts
🔗   Activate Playbook using Streams


© Devo Technology Inc. All Rights Reserved.