From 7fe94a2eae076a7f3d01246aa9135d3fb0982fda Mon Sep 17 00:00:00 2001 From: Lior Tamir <55202270+lior-tamir@users.noreply.github.com> Date: Sun, 22 May 2022 10:21:51 +0300 Subject: [PATCH] Update readme.md --- .../relateAlertsToIncident-basedOnIP/readme.md | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/Playbooks/relateAlertsToIncident-basedOnIP/readme.md b/Playbooks/relateAlertsToIncident-basedOnIP/readme.md index d4ffe82476..74aa634ae3 100644 --- a/Playbooks/relateAlertsToIncident-basedOnIP/readme.md +++ b/Playbooks/relateAlertsToIncident-basedOnIP/readme.md 
@@ -1,19 +1,16 @@ # relateAlertsToIncident-basedOnIP-pp ## Summary - This playbook looks for other alerts with the same IP as the triggered incident. - When such an alert is found, it will add each one to the incident only if they aren't related already to another incident. - +This playbook looks for other alerts with the same IP as the triggered incident. When such an alert is found, it will add each one to the incident only if they aren't related already to another incident. ## Playbook steps explained When a new incident is created: 1.Get the first IP entity of the incident 2.Make a list of alerts with the IP fetched in the previous step.Please note we exclude all the alerts with the same IP already related to the triggered incident -3.Wait 3 minutes for newly created alerts to appear also in the Graph Store. Waiting is necessary in order to succeed in adding them to the triggered incident if needed -4.For each alert in the list: -1. Get the incident of the alert -2. If the last step fails (meaning the current alert is not related to another incident): add this alert to the incident\ +3.For each alert in the list: +3.1. Get the incident of the alert +3.2. If the last step fails (meaning the current alert is not related to another incident): add this alert to the incident\ -5.Add a comment to the incident specifying all the alerts added to it by listing their "SystemAlertId" field +4.Add a comment to the incident specifying all the alerts added to it by listing their "SystemAlertId" field ## Screenshots @@ -22,4 +19,4 @@ ![Incident Trigger](./images/IncidentTriggerDark.png) ![Comment notification](./images/CommentDark.png) ![Incident Trigger light](./images/IncidentTriggerLight.png) -![Comment light](./images/CommentLight.png) \ No newline at end of file +![Comment light](./images/CommentLight.png)
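Review bot: the first hunk drops step 3 ("Wait 3 minutes for newly created alerts to appear also in the Graph Store ...") from the readme, but nothing in this diff touches the playbook definition itself, so the documentation and the playbook logic may now disagree; if the delay action was removed from the playbook, the commit message (currently just "Update readme.md") should say so and reference that change, and if it was not removed, the step should stay. Two smaller points in the same hunk: the stray trailing backslash on `3.2. If the last step fails (meaning the current alert is not related to another incident): add this alert to the incident\` survives the renumbering and should be deleted, and the list items still have no space after the number (`1.Get`, `2.Make`, `step.Please`), which prevents Markdown from rendering them as a numbered list. Also worth one sentence in the steps: "If the last step fails" treats any failure of the get-incident lookup as "not related to another incident", so a transient API error or a permissions problem would also lead to the alert being attached; stating that assumption in the readme tells operators what to check when alerts are merged unexpectedly.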