Alert Options Menu in the Cases Screen
You can find the Alert Options menu by clicking on the icon located on the right side of the Alert tab in the Cases screen.
The following Alert Options are available:
- Explore Alert: (Displayed only for users of both Chronicle SIEM and Chronicle SOAR.) Opens the Alert Results screen in the Chronicle SOAR platform. For more information on the Alert Results screen, click here.
- Ingest alert as test case: Re-ingests the alert into the system as a Test Case. The new alert is tagged as a Test Case so that it is easy to locate. Information and metrics from ingested test alerts are not counted in dashboard and report metrics, and, by design, ingested test alerts are not grouped with other alerts.
- Change Priority: Changes the priority of the alert only; the priority of the case is not affected. We recommend changing the priority of the alert rather than the priority of the case.
- Move Alert: Available when the case is assigned to you and contains more than one alert. Choose either Move Alert to new case or Move Alert to existing case. If you choose Move Alert to existing case, select the target case from the drop-down list and then click Move.
- Manage Alert Detection Rule: (Displayed only for users of both Chronicle SIEM and Chronicle SOAR.) Opens the detection rule for the alert in the Chronicle SIEM platform. If the rule is a predefined Chronicle rule, you are redirected to the Rules Detection screen; for more information on the Rules Detection screen, click here. If the rule is a customer rule, you are redirected to the Rule Editor screen; for more information on the Rule Editor screen, click here.
- Close Alert: Closes the alert within the case. Select values for the Reason, Root Cause and Usefulness fields. (The Usefulness field appears only for users of both Chronicle SIEM and Chronicle SOAR; it lets the rule analysts gather more precise customer feedback on the alert rules.) Closed alerts in a case appear grayed out with a Closed tag. Note that you can close an alert only if the case contains other alerts and is assigned to you.
- Add Entity: Manually adds an existing entity or a new entity to the alert.
To add new or existing entities:
- Click the icon and select Add Entity.
- In the Add entities to alert dialog box, choose either Add Existing Entities or Add New Entity from the drop-down list and select the entity.
- Enter an identifier, click the icon, and then click Apply.