
Adds a step that logs that an alert has been triaged.

You can add details about the alert and a description of the steps taken to triage it.

Operator Usage in Easy Mode

  1. Click + on the parent node.
  2. Search for the Alert Triage operator in the search field and select it from the Results to open the operator form.
  3. In the Table drop-down, enter or select a table from which to source the data.
  4. In the Details field, enter the alert details.
  5. In the Description field, enter a description of the triaged alert.
  6. Click Run to view the result.
  7. Click Save to add the operator to the playbook.
  8. Click Cancel to discard the operator form.

Usage Details

LQL Command

alertTriage(table: TableReference, details: String, description: String)

Input
table: Table Name
details: Alert Details
description: Description of Triaged Alert

Output
The same as the input table. Additionally, the triage information is logged and is available under the System_Event_Type event type.

Example

Input = alertTriageNode

LQL Command

alertTriage(alertTriageNode, "IP is malicious", "block this IP")

Output

IP           Details          Description
12.32.12.10  IP is malicious  block this IP
12.32.12.1   IP is malicious  block this IP

Note

The IP column is present in the parent table 'alertTriageNode'.
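The following Python snippet is an added reference model of the behaviour documented above; it is not the platform's implementation of alertTriage and is only a hypothetical stand-in. It models the two documented effects: every row of the parent table is returned with the constant Details and Description values attached, and one triage-info record is logged under the System_Event_Type event type. The in-memory SYSTEM_EVENT_LOG and the alert_triage/triage_events names are assumptions for this example, and the sample parent table is constructed to mirror the page's alertTriageNode example.

```python
"""Reference model of the alertTriage operator described on this page.

Hypothetical stand-in written for this example; it is NOT the platform's own
implementation of alertTriage. It models the two documented effects:
  1. the output table is the input table, with the constant Details and
     Description values attached to every row;
  2. one triage-info record is logged under the System_Event_Type event type.
"""
from typing import Any, Dict, List

Row = Dict[str, Any]
Table = List[Row]

# Constructed in-memory system event log standing in for the platform's
# event store (assumption for this example).
SYSTEM_EVENT_LOG: List[Dict[str, Any]] = []

SYSTEM_EVENT_TYPE = "System_Event_Type"  # event type named on the page


def alert_triage(table: Table, details: str, description: str) -> Table:
    """Model of alertTriage(table, details, description).

    Returns a new table with the same rows plus Details/Description columns,
    and appends exactly one triage-info event to SYSTEM_EVENT_LOG.
    """
    if not details.strip() or not description.strip():
        raise ValueError("details and description must be non-empty")
    out: Table = []
    for row in table:
        annotated = dict(row)  # copy so the parent table is not mutated
        annotated["Details"] = details
        annotated["Description"] = description
        out.append(annotated)
    SYSTEM_EVENT_LOG.append({
        "event_type": SYSTEM_EVENT_TYPE,
        "kind": "triage-info",
        "row_count": len(out),
        "details": details,
        "description": description,
    })
    return out


def triage_events() -> List[Dict[str, Any]]:
    """Return the logged triage-info events (for audit or verification)."""
    return [e for e in SYSTEM_EVENT_LOG if e["event_type"] == SYSTEM_EVENT_TYPE]


# Constructed sample parent table mirroring the page's alertTriageNode example.
ALERT_TRIAGE_NODE: Table = [
    {"IP": "12.32.12.10"},
    {"IP": "12.32.12.1"},
]

if __name__ == "__main__":
    result = alert_triage(ALERT_TRIAGE_NODE, "IP is malicious", "block this IP")
    for row in result:
        print(row["IP"], row["Details"], row["Description"])
    print(triage_events())
```

Running the module prints the two annotated rows from the page's example followed by the single logged triage-info event; the parent table itself is left unchanged, which is what "same as the input table" implies for downstream nodes.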
