Alert Options menu in the Cases page
In the Cases page, click Alert Options located on the right side of the Alert tab.
The following Alert Options are available:
- Explore Alert: (Only displayed for users of Chronicle SecOps). For more information on the Alerts Results page, click Investigate Alerts.
- Ingest alert as test case: Click Ingest alert as test case to introduce a Test Case into the system. It is marked as a Test Case to make it easier to locate. None of the information and metrics from ingested alerts are counted in the dashboard and report metrics. Ingested alerts are not grouped by design.
- Change Priority: We recommend changing the priority of the alert rather than the priority of the case. Changing the alert priority does not affect the priority of the case.
- Move Alert: If you are assigned to a case and it has more than one alert, you can choose either Move the Alert to new case or Move Alert to existing case. If you choose Move Alert to existing case, select the required case from the menu. Then, click Move.
- Manage Alert Detection Rule: (Only displayed for users of Chronicle SecOps). If the rule is a predefined Chronicle rule, you are redirected to the Rules Detection page. For more information on the Rules Detection page, click here. If the rule is a customer rule, you are redirected to the Rule Editor page. For more information on the Rule Editor page, click here.
- Close Alert: Closes the alert within the case. Select from the options in the Reason/Root Cause/Usefulness fields. (The Usefulness field only appears for users of Chronicle SecOps and allows the rule analysts to get more precise information on alert rules from the customer feedback.) The closed alerts in a case appear grayed out with a Closed tag. You can only close the alert if there are other alerts in the case and it's assigned to you.
- Add Entity: You can manually add an existing entity or a new entity to an alert.
To add new/existing entities:
- Click Alert Options and select Add Entity.
- In the Add entities to alert dialog box, select an entity from either the Add existing entities menu or the Add new entity menu.
- Enter an identifier, click Add, and then click Apply.