close_alert
Related Concepts: Case Manipulation
This function closes the current alert. It is equivalent to closing the alert manually from the case overview. The function requires a reason for closure, a root cause and a comment, exactly as the close case function does.
In Siemplify, closing an alert moves that alert into a new case containing only that alert, and that case is then closed.
```python
siemplify.close_alert(reason=reason, root_cause=root_cause, comment=comment)
```
Parameters
Param Name | Param Type | Possible Values | Comments | Mandatory Parameter |
---|---|---|---|---|
reason | string | One of three predefined strings available in the close popup (when closing manually): “NotMalicious”, “Malicious” and “Maintenance” | When creating an action, there is a parameter type named “Case close reason” that can be used. The user has to choose from the three possible reasons and cannot enter their own string | Yes |
root_cause | string | A string taken from the “Case close root cause” table in the settings | Similar to the previous parameter, there is an action parameter type called “Close case root cause” which forces the user to choose from values available in the relevant table | Yes |
comment | string | Any string could be used here | Comment should describe the case, but is not restricted | Yes |
case_id | string | 12345 | Unique case identifier. | No |
alert_identifier | string | 12345 | Unique alert identifier. | No |
Return Type
NoneType
Example:
Sample Code
```python
from SiemplifyAction import SiemplifyAction

siemplify = SiemplifyAction()
reason = "Maintenance"
root_cause = "Employee Error"
comment = "User accidentally activated a correlation before it was ready to be used and triggered this alert"
siemplify.close_alert(reason=reason, root_cause=root_cause, comment=comment)
```
Result Behavior
The current alert is moved to a new case, which is then closed together with the alert.
Result Value
None
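As an added example (not part of the Siemplify SDK or this page's sample code), the helper below enforces the parameter rules in the table above before calling `close_alert`: the reason must be one of the three predefined strings, root cause and comment are mandatory, and `case_id`/`alert_identifier` are only passed when supplied. The `_RecordingClient` class is a constructed stand-in for `SiemplifyAction` so the example runs offline; in a real action you would pass the `SiemplifyAction()` instance instead.

```python
# Added example, not Siemplify's own code. `client` is assumed to expose
# close_alert(**kwargs) with the parameters documented above.
VALID_REASONS = ("NotMalicious", "Malicious", "Maintenance")


class ClosureError(ValueError):
    """Raised when the closure parameters would be rejected by the platform."""


def close_alert_checked(client, reason, root_cause, comment,
                        case_id=None, alert_identifier=None):
    """Validate the mandatory close_alert parameters, then close the alert.

    Returns the keyword arguments that were sent, for logging or auditing.
    """
    if reason not in VALID_REASONS:
        raise ClosureError(f"reason must be one of {VALID_REASONS}, got {reason!r}")
    if not isinstance(root_cause, str) or not root_cause.strip():
        raise ClosureError("root_cause is mandatory and must be a non-empty string")
    if not isinstance(comment, str) or not comment.strip():
        raise ClosureError("comment is mandatory and must be a non-empty string")
    kwargs = {"reason": reason, "root_cause": root_cause, "comment": comment}
    # case_id and alert_identifier are optional; only send them when given
    if case_id is not None:
        kwargs["case_id"] = str(case_id)
    if alert_identifier is not None:
        kwargs["alert_identifier"] = str(alert_identifier)
    client.close_alert(**kwargs)
    return kwargs


def would_reject(reason, root_cause, comment):
    """True if close_alert_checked refuses these values (no client call made)."""
    try:
        close_alert_checked(_RecordingClient(), reason, root_cause, comment)
    except ClosureError:
        return True
    return False


class _RecordingClient:
    """Constructed stand-in for SiemplifyAction that records close_alert calls."""
    def __init__(self):
        self.calls = []

    def close_alert(self, **kwargs):
        self.calls.append(kwargs)


def demo():
    client = _RecordingClient()
    close_alert_checked(client, "Maintenance", "Employee Error",
                        "Correlation activated before it was ready",
                        case_id=12345, alert_identifier=12345)
    return client.calls


if __name__ == "__main__":
    print(demo())
```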