Create a new alert and add it to a Case by filling in the following parameters:

| Parameter | Description |
| --- | --- |
| Name | The name of the Alert. |
| Vendor | The Vendor associated with the Alert. |
| Event | The Alert Event. |
| Severity | The severity rank of your Case. You can map severity values from incoming alert payloads to Blink's system severity levels (e.g., '10' → 'Low'). Use the mapping settings in Advanced Settings. |
| Link Case | The Name and ID of the Case you want to add this Alert to. |
| Description | A brief explanation of the Alert. |
| Custom Fields (JSON Format) | Add a Custom Field in JSON format. Please note that this applies only if you have manually added a custom record column to the subject table. |
| Advanced - Dedup Table | The selected table to evaluate the duplicate condition (Dedup Condition) against. |
| Advanced - Dedup Condition | The duplicate condition that decides whether the record is inserted. When the condition is met, the record will not be inserted. |
| Advanced - Linked Observables | The Name and ID of the Observable you want to link to this Alert. |
| Advanced - Linked Alerts | The Name and ID of the Alert you want to link to this Alert. |
| Advanced - Linked Attachments | The Name and ID of the Attachment you want to link to this Alert. |
| Advanced - Linked Tasks | The Name and ID of the Task you want to link to this Alert. |
| Advanced - Default Severity | The severity rank assigned when no specific severity has been set. If the severity value is null, or a value is provided but does not match any mapping or recognized Blink severity level, the default severity is used instead. |
| Advanced - Low Severity Mapping | A comma-separated list of vendor-specific severity values that map to Blink Case Management's Low severity level. |
| Advanced - Medium Severity Mapping | A comma-separated list of vendor-specific severity values that map to Blink Case Management's Medium severity level. |
| Advanced - High Severity Mapping | A comma-separated list of vendor-specific severity values that map to Blink Case Management's High severity level. |
| Advanced - Critical Severity Mapping | A comma-separated list of vendor-specific severity values that map to Blink Case Management's Critical severity level. |
Different security tools often report severity using their own scales—numeric values, labels, or custom levels. To ensure consistent prioritization in Blink, you can map these varying severity values, in the advanced settings of the Create Alert action, to Blink's standardized severity levels (Low=1, Medium=2, High=3, Critical=4). For example:
Example Payload:
```json
{
  "id": "ind:bc44a7a3e758465f857867dcf4ac8c17:565469335361356727",
  "name": "FalseExecutableExtension",
  "description": "An executable was run with a contradicting file extension",
  "cmdline": "./whoami.rtf",
  "filename": "whoami.rtf",
  "filepath": "/Users/wilder/whoami.rtf",
  "alleged_filetype": "rtf",
  "platform": "Mac",
  "os_version": "Monterey (12)",
  "hostname": "DT-BART-SIMPSON",
  "user_name": "sam.gamgee",
  "md5": "32ff28d4fdb4b244c355d7f8378fa2b1",
  "sha256": "8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b",
  "severity": 50,
  "tactic": "Defense Evasion",
  "technique": "Masquerading",
  "timestamp": "2024-07-24T15:25:00Z",
  "falcon_host_link": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/..."
}
```
In the Severity Parameter:
The incoming alert payload specifies a severity of 50.
In Advanced Settings:
A severity value of 50 is mapped to Blink's High severity level, which corresponds to a severity rank of 3 in the output. You can customize these mappings to ensure external alert severity levels align with your internal triage and prioritization standards.
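The mapping walk-through above, carried out in code as an added Python example (not Blink's own implementation): the comma-separated mapping fields are parsed into a lookup, the payload's severity is resolved to a Blink level and rank, and the Default Severity fallback covers null or unmapped values. All mapping values other than 50 → High, and the default of Medium, are constructed assumptions.

```python
import json

# Blink's standardized severity levels and their ranks, as stated on the page.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed stand-ins for the four Advanced Settings mapping fields. Only
# "50 -> High" comes from the page; every other value is an assumption.
MAPPING_SETTINGS = {
    "Low": "10, 20, info, low",
    "Medium": "30, 40, medium",
    "High": "50, 60, 70, high",
    "Critical": "80, 90, 100, critical",
}
DEFAULT_SEVERITY = "Medium"  # assumed value for the Default Severity field


def parse_mappings(settings):
    """Turn each comma-separated mapping field into {vendor_value: blink_level}."""
    lookup = {}
    for level, csv in settings.items():
        for raw in csv.split(","):
            value = raw.strip().lower()  # tolerate spacing and case differences
            if value:
                lookup[value] = level
    return lookup


def resolve_severity(raw_value, lookup, default=DEFAULT_SEVERITY):
    """Map an incoming severity to a Blink level; fall back to the default when
    the value is null or matches neither a mapping nor a Blink level name."""
    if raw_value is None:
        return default
    value = str(raw_value).strip().lower()  # numeric 50 and string "50" match alike
    if value in lookup:
        return lookup[value]
    for level in SEVERITY_RANK:  # a value that already names a Blink level is kept
        if value == level.lower():
            return level
    return default


def severity_rank(raw_value, lookup, default=DEFAULT_SEVERITY):
    """Numeric rank (1-4) written to the Case for the resolved level."""
    return SEVERITY_RANK[resolve_severity(raw_value, lookup, default)]


# Constructed, shortened form of the page's example payload.
PAYLOAD = json.loads('{"name": "FalseExecutableExtension", "severity": 50}')
LOOKUP = parse_mappings(MAPPING_SETTINGS)

if __name__ == "__main__":
    sev = PAYLOAD["severity"]
    print(resolve_severity(sev, LOOKUP), severity_rank(sev, LOOKUP))  # High 3
```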