Update alert fields - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2025-02-06
Category: Administrator Guide
Abstract

Use a playbook, script, or CLI command to update alert fields, including the alert status.

You can update alert fields by running the setAlert and setAlertStatus commands in the CLI, in a script, or a playbook task:

  • setAlert: Sets values for specific alert fields. The supported fields are presented in the list of arguments.

    Example 52. Examples of the setAlert command in the CLI

    The following examples show how to run the setAlert command in the CLI. You can run CLI commands in the War Room. When you start typing, the CLI provides the available options, and if you select an enum field, the CLI provides the available values.

    • To change the alert severity to high, run

      !setAlert severity=high
    • To change the alert severity to high and star the alert, run

      !setAlert severity=high starred=true

  • setAlertStatus: Sets the status or resolution value for an alert. This command supports the status argument, which presents a list of status and resolution type values. The selected status is set in the custom_status field.

    If you specify a resolution status, the alert is closed and the resolution_status and closeReason fields are updated to the same value as the custom_status field. If you specify a New, Reopened, or Under Investigation status, the alert remains open and the resolution_status and closeReason fields are empty.

    Tip

    You can create custom alert statuses and resolution reasons, and use the setAlertStatus command to set these custom statuses for alerts.

    For example, when a user starts investigating an alert, the alert status is automatically changed from New to Under Investigation. In some cases, it is useful to create an interim status, such as Triage. After you create the custom status, the new status will be available for selection. To create a custom status, follow the instructions in Create custom incident statuses and resolution reasons.

    Example 53. Examples of using the setAlertStatus command in the CLI

    The following examples show how to run the setAlertStatus command in the CLI. You can run CLI commands in the War Room. When you start typing, the CLI provides the available options and if you select an enum field, the CLI provides the available values.

    • To change the alert status to Resolved - Known Issue, run

      !setAlertStatus status="Resolved - Known Issue"
    • To change the alert status to custom status Triage, run

      !setAlertStatus status=Triage

      Note

      You must create a custom status before you can select it.


    Example 54. Example of using the setAlertStatus command in a playbook

    The following example shows how the setAlertStatus command can be used in a playbook task. In this example, the task sets a custom alert status (Triage). The custom alert status was created before setting up the playbook.

    [Image: setAlertStatus_playbook_example.png, a playbook task running setAlertStatus with status=Triage]
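The same status change can be driven from a script instead of a playbook task. The following automation script is an added example written for this page; it is not code from the Cortex XSIAM documentation or product. It validates the requested status against the statuses the tenant actually has (covering the note above that a custom status must exist before it can be selected), then calls setAlertStatus and works out which fields the command leaves behind according to the behaviour described for resolution versus open statuses. The only real APIs used are demisto.args(), demisto.executeCommand() and the CommonServerPython helpers isError, get_error, return_results and return_error; the argument names (status, custom_open_statuses, resolution_statuses) and the sample status lists are this example's own assumptions, not product defaults.

```python
"""Added example (not from the Cortex XSIAM docs): validate a status before
calling setAlertStatus and predict the resulting alert fields.

Assumptions: the SAMPLE_* lists are constructed for this example; a real
tenant's statuses are whatever the CLI offers for the status argument.
"""
try:
    import demistomock as demisto  # only exists inside a Cortex XSIAM/XSOAR script
    from CommonServerPython import isError, get_error, return_results, return_error
except ImportError:               # lets the pure helpers run and be tested offline
    demisto = None

# Built-in statuses that keep the alert open (named in the documentation).
BUILTIN_OPEN_STATUSES = frozenset({"New", "Under Investigation", "Reopened"})

# Constructed sample tenant configuration: one custom interim status ("Triage"),
# the built-in "Resolved - Known Issue" shown in the CLI example above, and one
# custom resolution reason invented for this example.
SAMPLE_CUSTOM_OPEN_STATUSES = frozenset({"Triage"})
SAMPLE_RESOLUTION_STATUSES = frozenset({"Resolved - Known Issue",
                                        "Resolved - Handled by Playbook"})


def status_exists(status, open_statuses, resolution_statuses):
    """True if the tenant has this status; custom ones must be created first."""
    return status in open_statuses or status in resolution_statuses


def classify_status(status, open_statuses, resolution_statuses):
    """Return 'open' or 'resolution'; raise ValueError for an unknown status."""
    if status in open_statuses:
        return "open"
    if status in resolution_statuses:
        return "resolution"
    raise ValueError(
        f"unknown status {status!r}: create it as a custom status or "
        "resolution reason before selecting it with setAlertStatus")


def expected_fields_after(status, open_statuses, resolution_statuses):
    """Fields setAlertStatus leaves on the alert, per the documented behaviour:
    the chosen value always lands in custom_status; a resolution status closes
    the alert and copies the value into resolution_status and closeReason,
    while an open status (built-in or custom) leaves those two empty."""
    closed = classify_status(status, open_statuses, resolution_statuses) == "resolution"
    return {
        "custom_status": status,
        "resolution_status": status if closed else "",
        "closeReason": status if closed else "",
        "closed": closed,
    }


def build_set_alert_status_args(status, open_statuses, resolution_statuses):
    """Arguments for executeCommand('setAlertStatus', ...), validated first."""
    classify_status(status, open_statuses, resolution_statuses)
    return {"status": status}


def _csv_set(value):
    """Split a comma-separated script argument into a set of trimmed names."""
    return {part.strip() for part in (value or "").split(",") if part.strip()}


def main():
    # Script arguments (names are this example's own): the requested status plus
    # the tenant's custom open statuses and resolution statuses as CSV lists.
    args = demisto.args()
    open_statuses = BUILTIN_OPEN_STATUSES | _csv_set(args.get("custom_open_statuses"))
    resolution_statuses = _csv_set(args.get("resolution_statuses"))
    status = args["status"]
    try:
        command_args = build_set_alert_status_args(status, open_statuses, resolution_statuses)
    except ValueError as err:
        return_error(str(err))      # refuse to issue a status the tenant lacks
    res = demisto.executeCommand("setAlertStatus", command_args)
    if isError(res):                # executeCommand returns entries; surface errors
        return_error(get_error(res))
    return_results(expected_fields_after(status, open_statuses, resolution_statuses))


if demisto is not None and __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```

When the script is wired into a playbook task, pass the custom statuses as task inputs rather than hard-coding them, so that renaming a custom status in the settings does not silently break the validation.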