Changing alert priority instead of case priority

Google recommends changing the alert priority within a case instead of changing the case priority. If you change the case priority instead of the alert priority, different alerts can be grouped into one case, and each incoming alert and its attached playbook can alter the case priority. For example, if an alert is ingested at 10:01 with a playbook that defines the case as critical, and another alert is then grouped into the same case at 10:05 with a playbook that defines the case as low priority, the entire case would be classified as low priority, causing important issues to go undetected.

By changing the alert priority instead of the case priority, each case inherits the highest priority of the grouped alerts. In the previous example, even if a later alert had a priority of low, it wouldn't override the critical priority assigned to the case by the previous alert.
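
The two behaviors described above, modeled in a short Python sketch. This is an added example, not product code or a SOAR SDK call: the function names, the five-level priority scale, and the third alert at 10:09 are assumptions made for illustration. It also checks every possible ingestion order, which shows that the inherited priority never depends on which alert arrives last.

```python
from itertools import permutations

# Severity ranking; the exact scale is an assumption of this model.
RANK = {"Informative": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample data: (ingestion time, priority set by the attached playbook).
# The first two alerts mirror the example in the text; the third is added here.
ALERTS = [("10:01", "Critical"), ("10:05", "Low"), ("10:09", "Medium")]


def case_priority_overwrite(alerts):
    """Each playbook sets the case priority directly, so the last alert wins."""
    return alerts[-1][1]


def case_priority_inherited(alerts):
    """Each playbook sets only its alert's priority; the case takes the highest."""
    return max((prio for _, prio in alerts), key=RANK.__getitem__)


def downgrades(alerts):
    """List the alerts whose playbook would lower the case priority on overwrite."""
    hits, current = [], None
    for when, prio in alerts:
        if current is not None and RANK[prio] < RANK[current]:
            hits.append((when, current, prio))
        current = prio
    return hits


def outcomes(strategy, alerts):
    """Every case priority the strategy can produce across all ingestion orders."""
    return {strategy(list(order)) for order in permutations(alerts)}


if __name__ == "__main__":
    print("overwrite :", case_priority_overwrite(ALERTS))
    print("inherited :", case_priority_inherited(ALERTS))
    print("downgrades:", downgrades(ALERTS))
    print("overwrite outcomes:", sorted(outcomes(case_priority_overwrite, ALERTS)))
    print("inherited outcomes:", sorted(outcomes(case_priority_inherited, ALERTS)))
```
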

How can I change the priority of the alert?

There are two ways you can change the priority of the alert:

  • Use the Change Alert Priority action, either in a playbook or as a manual action.
  • Change the priority through the alert itself:
    1. In the Cases page, click Alert Options and select Change Priority from the menu.
    2. In the Change Alert Priority dialog, select the required priority and click Save.