Alert Actions

​

Create Alert

Create a new alert and add it to a Case by filling in the following parameters:

​

Mapping Alert Severity to Blink’s System

Different security tools often report severity using their own scales—numeric values, labels, or custom levels. To ensure consistent prioritization in Blink, you can map these varying severity values, in the advanced settings of the Create Alert action, to Blink’s standardized severity levels (Low=1, Medium=2, High=3, Critical=4). For Example:

Example Payload:

{
  "id": "ind:bc44a7a3e758465f857867dcf4ac8c17:565469335361356727",
  "name": "FalseExecutableExtension",
  "description": "An executable was run with a contradicting file extension",
  "cmdline": "./whoami.rtf",
  "filename": "whoami.rtf",
  "filepath": "/Users/wilder/whoami.rtf",
  "alleged_filetype": "rtf",
  "platform": "Mac",
  "os_version": "Monterey (12)",
  "hostname": "DT-BART-SIMPSON",
  "user_name": "sam.gamgee",
  "md5": "32ff28d4fdb4b244c355d7f8378fa2b1",
  "sha256": "8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b",
  "severity": 50,
  "tactic": "Defense Evasion",
  "technique": "Masquerading",
  "timestamp": "2024-07-24T15:25:00Z",
  "falcon_host_link": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/..."
}

In the Severity Parameter:

The incoming alert payload specifies a severity of 50.

In Advanced Settings:

A severity value of 50 is mapped to Blink’s High severity level, which corresponds to a severity rank of 3 in the output.You can customize these mappings to ensure external alert severity levels align with your internal triage and prioritization standards.

​

Delete Alert

Deleting an Alert from a Case by filling in the following parameters in the step.

​

Update Alert

Updating an already existing Alert in a Case by filling in the following parameters in the step. This action overwrites all of the alert’s data.