Changing Alert Priority Instead of Case Priority
Google recommends changing the Alert Priority within a Case rather than the Case Priority. If you change the Case Priority instead of the Alert Priority, you may end up with different alerts grouped into one case, with each incoming alert and its attached playbook altering the Case Priority. For example, if an Alert is ingested at 10:01 with a Playbook that defines the Case as Critical, and another Alert is grouped into the same Case at 10:05 with a Playbook that defines the Case as low priority, the entire Case would be classified as low priority, causing important issues to go undetected.
When you change the Alert Priority instead of the Case Priority, each case inherits the highest priority of its grouped alerts. In the example above, even if a later alert had a priority of low, it would not override the critical priority assigned to the case by the previous alert.
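The two behaviours described above, replayed over a constructed alert timeline. This is an added example, not Google's code; the priority ordering and the names `Alert`, `replay` and `masked_windows` are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed priority ordering for this example, lowest to highest.
RANK = {"Informative": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

@dataclass
class Alert:
    time: str       # ingestion time, zero-padded HH:MM
    name: str
    priority: str   # priority assigned by the alert's playbook

def replay(alerts):
    """Replay alerts in ingestion order and track the case priority under both models.

    Returns one row per alert: (time, case priority when each playbook sets the
    Case Priority, case priority when each playbook sets the Alert Priority).
    """
    rows, highest = [], None
    for a in sorted(alerts, key=lambda a: a.time):
        overwritten = a.priority                     # last playbook to run wins
        if highest is None or RANK[a.priority] > RANK[highest]:
            highest = a.priority                     # case inherits the highest alert priority
        rows.append((a.time, overwritten, highest))
    return rows

def masked_windows(alerts):
    """Times at which the overwritten Case Priority sits below the highest alert priority."""
    return [t for t, over, inh in replay(alerts) if RANK[over] < RANK[inh]]

# Constructed sample case: the 10:01 / 10:05 scenario plus one later alert.
CASE = [
    Alert("10:01", "alert A", "Critical"),
    Alert("10:05", "alert B", "Low"),
    Alert("10:09", "alert C", "Medium"),
]

if __name__ == "__main__":
    for t, over, inh in replay(CASE):
        flag = "  <-- under-prioritized" if RANK[over] < RANK[inh] else ""
        print(f"{t}  case-priority playbooks: {over:<9} alert-priority playbooks: {inh}{flag}")
```

The third alert shows that the gap persists after 10:05: a later Medium alert raises the overwritten Case Priority but still leaves it below the Critical alert already in the case.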
How can I change the priority of the alert?
There are two ways you can change the priority of the Alert:
- Using the Change Alert Priority Action – either in a Playbook or as a Manual Action.
- Changing the priority through the Alert itself, as in the procedure below:
  - In the Cases screen, the Alert Options menu is located on the right side of the Alert tab.
  - Click on the icon and select Change Priority from the drop-down list.
  - In the Change Priority dialog box, select the required Priority and click Save.
You can still change the priority of the Case if required, but Google does not recommend this as best practice.