Create Alert

Create a new alert and add it to a Case by filling in the following parameters:

Mapping Alert Severity to Blink’s System

Different security tools often report severity using their own scales: numeric values, labels, or custom levels. To ensure consistent prioritization in Blink, you can map these varying severity values to Blink's standardized severity levels (Low = 1, Medium = 2, High = 3, Critical = 4) in the advanced settings of the Create Alert action. For example:

Example Payload:

{
  "id": "ind:bc44a7a3e758465f857867dcf4ac8c17:565469335361356727",
  "name": "FalseExecutableExtension",
  "description": "An executable was run with a contradicting file extension",
  "cmdline": "./whoami.rtf",
  "filename": "whoami.rtf",
  "filepath": "/Users/wilder/whoami.rtf",
  "alleged_filetype": "rtf",
  "platform": "Mac",
  "os_version": "Monterey (12)",
  "hostname": "DT-BART-SIMPSON",
  "user_name": "sam.gamgee",
  "md5": "32ff28d4fdb4b244c355d7f8378fa2b1",
  "sha256": "8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b",
  "severity": 50,
  "tactic": "Defense Evasion",
  "technique": "Masquerading",
  "timestamp": "2024-07-24T15:25:00Z",
  "falcon_host_link": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/..."
}

In the Severity Parameter:

The incoming alert payload specifies a severity of 50.

In Advanced Settings:

A severity value of 50 is mapped to Blink's High severity level, which corresponds to a severity rank of 3 in the output. You can customize these mappings to ensure external alert severity levels align with your internal triage and prioritization standards.

Blink’s severity levels are ranked as:

  • Low = 1
  • Medium = 2
  • High = 3
  • Critical = 4
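The mapping step above, as an added example that is not Blink's own code: a lookup from external severity values (numeric or label) to Blink's level names and ranks, applied to the example payload. The mapping table is an assumption except for the 50 to High pair the page documents; unmapped values are flagged rather than silently given a guessed priority.

```python
from typing import Dict, Tuple, Union

# Blink's standardized severity levels, as documented on this page.
BLINK_SEVERITY: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed mapping table (an assumption, not Blink's defaults): external
# severity values, numeric or label, keyed to a Blink level name. Only the
# 50 -> High pair comes from the page; everything else is illustrative.
SEVERITY_MAP: Dict[Union[int, str], str] = {
    10: "Low", 30: "Low", 50: "High", 70: "High", 90: "Critical",
    "informational": "Low", "low": "Low", "medium": "Medium",
    "high": "High", "critical": "Critical",
}


def map_severity(value: Union[int, float, str],
                 mapping: Dict[Union[int, str], str] = SEVERITY_MAP,
                 default: str = "Medium") -> Tuple[str, int, bool]:
    """Translate an external severity into (Blink level, rank, was_mapped).

    Labels match case-insensitively; numeric strings such as "50" are
    treated as numbers. Values with no mapping get `default` and
    was_mapped=False so the caller can flag them for review instead of
    trusting a guessed priority.
    """
    if isinstance(value, str):
        text = value.strip()
        key: Union[int, str] = int(text) if text.isdigit() else text.lower()
    else:
        key = int(value)
    level = mapping.get(key)
    if level is None or level not in BLINK_SEVERITY:
        return default, BLINK_SEVERITY[default], False
    return level, BLINK_SEVERITY[level], True


def normalize_alert(payload: dict) -> dict:
    """Build the Create Alert fields from a raw tool payload (constructed shape)."""
    level, rank, mapped = map_severity(payload.get("severity", ""))
    return {
        "name": payload["name"],
        "description": payload.get("description", ""),
        "alert_type": payload.get("technique", "Unknown"),
        "event": payload,               # keep the raw event for later triage
        "severity": level,
        "severity_rank": rank,
        "severity_mapped": mapped,      # False means "review the mapping table"
    }


# Constructed sample: the page's example payload, trimmed to the fields used here.
EXAMPLE_PAYLOAD = {"name": "FalseExecutableExtension", "technique": "Masquerading",
                   "description": "An executable was run with a contradicting file extension",
                   "severity": 50}
```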

Delete Alert

Delete an Alert from a Case by filling in the following parameters in the step.

Parameter | Description
Alert ID  | The Alert's ID

Update Alert

Update an already existing Alert in a Case by filling in the following parameters in the step. This action overwrites all of the alert's data.

Parameter                   | Description
Alert                       | The Alert's ID
Name                        | The updated Name of the Alert
Alert Type                  | The updated Alert type
Vendor                      | The Vendor associated with the alert
Severity                    | The severity rank of your Case. It can be: Low, Medium, High or Critical
Event                       | The Alert Event
Description                 | A brief explanation of the Alert
Custom Fields (JSON Format) | Add a Custom Field in JSON format. Note that this applies only if you have manually added a custom record column to the subject table.