
Create Alert

Create a new alert and add it to a Case by filling in the following parameters:
Name: The name of the Alert.
Vendor: The Vendor associated with the Alert.
Event: The Alert Event.
Severity: The severity rank of your Case. You can map severity values from incoming alert payloads to Blink’s system severity levels (e.g., ‘10’ → ‘Low’) using the mapping settings in Advanced Settings.
Linked Case: The Name and ID of the Case you want to add this Alert to.
Description: A brief explanation of the Alert.
Custom Fields (JSON Format): Add a Custom Field in JSON format. This applies only if you have manually added a custom record column to the subject table.
Advanced - Dedup Table: The table against which the duplicate condition (Dedup Condition) is evaluated.
Advanced - Dedup Condition: The duplicate condition that decides whether the record is inserted. When the condition is met, the record is not inserted.
Advanced - Linked Observables: The Name and ID of the Observable you want to link to this Alert.
Advanced - Linked Alerts: The Name and ID of the Alert you want to link to this Alert.
Advanced - Linked Attachments: The Name and ID of the Attachment you want to link to this Alert.
Advanced - Linked Tasks: The Name and ID of the Task you want to link to this Alert.
Advanced - Default Severity: The severity rank assigned when no specific severity has been set. If the severity value is null, or a value is provided but does not match any mapping or recognized Blink severity level, the default severity is used instead.
Advanced - Low Severity Mapping: A comma-separated list of vendor-specific severity values that map to Blink Case Management’s Low severity level.
Advanced - Medium Severity Mapping: A comma-separated list of vendor-specific severity values that map to Blink Case Management’s Medium severity level.
Advanced - High Severity Mapping: A comma-separated list of vendor-specific severity values that map to Blink Case Management’s High severity level.
Advanced - Critical Severity Mapping: A comma-separated list of vendor-specific severity values that map to Blink Case Management’s Critical severity level.

Mapping Alert Severity to Blink’s System

Different security tools often report severity using their own scales: numeric values, labels, or custom levels. To ensure consistent prioritization in Blink, you can map these varying severity values to Blink’s standardized severity levels (Low=1, Medium=2, High=3, Critical=4) in the Advanced Settings of the Create Alert action. For example, given the following payload:
{
  "id": "ind:bc44a7a3e758465f857867dcf4ac8c17:565469335361356727",
  "name": "FalseExecutableExtension",
  "description": "An executable was run with a contradicting file extension",
  "cmdline": "./whoami.rtf",
  "filename": "whoami.rtf",
  "filepath": "/Users/wilder/whoami.rtf",
  "alleged_filetype": "rtf",
  "platform": "Mac",
  "os_version": "Monterey (12)",
  "hostname": "DT-BART-SIMPSON",
  "user_name": "sam.gamgee",
  "md5": "32ff28d4fdb4b244c355d7f8378fa2b1",
  "sha256": "8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b",
  "severity": 50,
  "tactic": "Defense Evasion",
  "technique": "Masquerading",
  "timestamp": "2024-07-24T15:25:00Z",
  "falcon_host_link": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/..."
}
In the Severity parameter: the incoming alert payload specifies a severity of 50.
In Advanced Settings: a severity value of 50 is mapped to Blink’s High severity level, which corresponds to a severity rank of 3 in the output.
You can customize these mappings so that external alert severity levels align with your internal triage and prioritization standards.
Blink’s severity levels are ranked as:
  • Low = 1
  • Medium = 2
  • High = 3
  • Critical = 4
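The mapping and fallback behaviour described above (vendor value → Blink level, default severity when the value is null or unmatched), as an added Python example that is not Blink’s own code; the mapping lists, the default severity and the trimmed sample payload are assumed values:

```python
import json

# Blink's severity levels and their ranks, as stated on this page.
BLINK_SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_mapping(setting):
    """Split a comma-separated mapping setting (e.g. "50, 60") into a
    set of normalised vendor values; an empty setting maps nothing."""
    return {v.strip().lower() for v in setting.split(",") if v.strip()}


def resolve_severity(raw_value, mappings, default_severity):
    """Return (level_name, rank) for an incoming vendor severity value.

    mappings: dict of Blink level name -> comma-separated vendor values
              (the Low/Medium/High/Critical Severity Mapping settings).
    default_severity: Blink level used when raw_value is null or when it
              matches neither a mapping nor a recognised Blink level.
    """
    default = default_severity.strip().lower()
    if default not in BLINK_SEVERITY_RANK:
        raise ValueError(f"unknown default severity: {default_severity!r}")
    if raw_value is None:
        return default.capitalize(), BLINK_SEVERITY_RANK[default]
    value = str(raw_value).strip().lower()
    # A value that is already a Blink level name is recognised directly.
    if value in BLINK_SEVERITY_RANK:
        return value.capitalize(), BLINK_SEVERITY_RANK[value]
    # Otherwise look the vendor value up in each level's mapping list.
    for level, setting in mappings.items():
        if value in parse_mapping(setting):
            key = level.strip().lower()
            return key.capitalize(), BLINK_SEVERITY_RANK[key]
    return default.capitalize(), BLINK_SEVERITY_RANK[default]


# Constructed sample: a trimmed copy of the page's example payload.
SAMPLE_PAYLOAD = json.loads('{"name": "FalseExecutableExtension", "severity": 50}')

# Hypothetical Advanced Settings values; the vendor's 10..100 scale is assumed.
MAPPINGS = {
    "Low": "10, 20",
    "Medium": "30, 40",
    "High": "50, 60",
    "Critical": "70, 80, 90, 100",
}

if __name__ == "__main__":
    level, rank = resolve_severity(SAMPLE_PAYLOAD.get("severity"), MAPPINGS, "Low")
    print(level, rank)  # High 3
```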

Delete Alert

Delete an Alert from a Case by filling in the following parameter in the step.
Alert ID: The Alert’s ID.

Update Alert

Update an existing Alert in a Case by filling in the following parameters in the step. This action overwrites all of the Alert’s data.
If the “Alert Event Lock” setting is enabled in Case Management Settings, the “Update Alert” action will fail. To successfully run this action, you must first disable the setting.
Alert: The Alert’s ID.
Name: The updated Name of the Alert.
Alert Type: The updated Alert type.
Vendor: The Vendor associated with the Alert.
Severity: The severity rank of your Case. It can be Low, Medium, High or Critical.
Event: The Alert Event.
Description: A brief explanation of the Alert.
Custom Fields (JSON Format): Add a Custom Field in JSON format. This applies only if you have manually added a custom record column to the subject table.