Create Case From Alert
Create a case from an existing alert.
Basic Parameters
| Parameter | Description |
|---|---|
| Alert ID | The ID of the alert. |
| Assignee | User to assign the case to. |
| Sharing Parameters | - |
| Status | - |
| Title | - |
Advanced Parameters
| Parameter | Description |
|---|---|
| Case Template | Name or id of the Case Template to use. |
| Custom Fields | - |
| Description | - |
| End Date | - |
| Flag | - |
| Observable Rule | - |
| PAP | Prioritized Asset Profile, the severity level that is used to indicate the importance of an asset. White: The asset is not critical. Green: The asset is important, but not critical. Amber: The asset is critical. Red: The asset is essential. |
| Pages | - |
| Severity | - |
| Start Date | - |
| Summary | - |
| TLP | Traffic Light Protocol, a set of designations used to ensure that sensitive information is shared with the appropriate audience. CLEAR: unlimited formerly. GREEN: community-wide. AMBER: limited distribution. AMBER+STRICT: restricts sharing to the organization only. RED: personal for named recipients only. |
| Tags | - |
| Task Rule | - |
| Tasks | Additional tasks to create. |
Example Output
{
"_createdAt": 1640000000000,
"_createdBy": "string",
"_id": "string",
"_type": "string",
"_updatedAt": 1640000000000,
"_updatedBy": "string",
"alertDate": 1640000000000,
"alertImportedDate": 1640000000000,
"alertInProgressDate": 1640000000000,
"alertNewDate": 1640000000000,
"assignee": "string",
"closedDate": 1640000000000,
"customFields": [
{
"_id": "string",
"name": "string",
"order": 0,
"type": "string",
"value": ""
}
],
"description": "string",
"endDate": 1640000000000,
"extraData": {},
"flag": false,
"handlingDuration": 0,
"impactStatus": "string",
"inProgressDate": 1640000000000,
"newDate": 1640000000000,
"number": 0,
"pap": 0,
"papLabel": "string",
"severity": 0,
"severityLabel": "string",
"stage": "The value of the stage depends on the status of the case. Can be one of 'New' 'InProgress' or 'Closed'",
"startDate": 1640000000000,
"status": "string",
"summary": "string",
"tags": [
"string"
],
"timeToAcknowledge": 0,
"timeToDetect": 0,
"timeToQualify": 0,
"timeToResolve": 0,
"timeToTriage": 0,
"title": "string",
"tlp": 0,
"tlpLabel": "string",
"userPermissions": [
"string"
]
}
Workflow Library Example
Create Case from Alert with Thehive and Send Results Via Email
Preview this Workflow on desktop