Skip to content

Update/soc opt auto triage #773

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
scottbrumley merged 4 commits into from
Apr 10, 2026
Merged

Update/soc opt auto triage #773

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
327445c
- Added pagination to the auto triage job
scottbrumley Apr 10, 2026
65dc11e
fix: remove manual_score gate from auto triage — close on score + age…
scottbrumley Apr 10, 2026
c177d18
fix: pass incident_id as integer in close API call
scottbrumley Apr 10, 2026
efb4603
revert: incident_id must be string not integer in update_incident API
scottbrumley Apr 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
104 changes: 53 additions & 51 deletions Packs/soc-optimization-unified/Playbooks/JOB_-_Triage_Alerts_V3.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,8 @@ contentitemexportablefields:
vcShouldKeepItemLegacyProdMachine: false
name: JOB - Auto Triage V3
tags:
- SOC
- SOC_Framework_Unified
- SOC
- SOC_Framework_Unified
starttaskid: "0"
tasks:
"0":
Expand All @@ -33,7 +33,7 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- "1"
- "1"
separatecontext: false
continueonerrortype: ""
view: |-
Expand All @@ -58,8 +58,10 @@ tasks:
id: 993570fa-2548-4e9c-af63-478189b6c22b
version: -1
name: Get Unstarred Open Cases
description: Queries get_incidents — starred=false, status new. Age window filtering
handled in SOCAutoTriageScoreFilter using Python time.time() ms comparison.
description: Queries get_incidents — starred=false, status new, sorted oldest-first.
Fetches up to 100 cases per run (API maximum). Age window and score filtering
handled in SOCAutoTriageScoreFilter. Run this JOB frequently (e.g., every 15m)
to drain backlogs exceeding 100 cases across successive executions.
script: '|||core-api-post'
type: regular
iscommand: true
Expand All @@ -68,10 +70,10 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- "12"
- "12"
scriptarguments:
body:
simple: '{"request_data":{"filters":[{"field":"status","operator":"eq","value":"new"},{"field":"starred","operator":"eq","value":false}],"fields":["incident_id","aggregated_score","manual_score","creation_time","status","starred"],"sort":{"field":"creation_time","keyword":"asc"}}}'
simple: '{"request_data":{"filters":[{"field":"status","operator":"eq","value":"new"},{"field":"starred","operator":"eq","value":false}],"fields":["incident_id","aggregated_score","creation_time","status","starred"],"sort":{"field":"creation_time","keyword":"asc"},"search_from":0,"search_to":100}}'
extend-context:
simple: Found=.
uri:
Expand Down Expand Up @@ -109,20 +111,20 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#default#':
- "9"
- "9"
"yes":
- "8"
- "8"
separatecontext: false
conditions:
- label: "yes"
condition:
- - operator: isExists
left:
value:
simple: AutoTriage.filtered_incidents.incident_id
iscontext: true
right:
value: {}
- label: "yes"
condition:
- - operator: isExists
left:
value:
simple: AutoTriage.filtered_incidents.incident_id
iscontext: true
right:
value: {}
continueonerrortype: ""
view: |-
{
Expand Down Expand Up @@ -183,7 +185,7 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- "9"
- "9"
scriptarguments:
incident_id:
simple: ${AutoTriage.filtered_incidents.incident_id}
Expand Down Expand Up @@ -230,7 +232,7 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- "7"
- "7"
separatecontext: false
continueonerrortype: ""
view: |-
Expand Down Expand Up @@ -266,7 +268,7 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- "5"
- "5"
scriptarguments:
incidents:
complex:
Expand All @@ -277,41 +279,41 @@ tasks:
root: lists
accessor: SOCOptimizationConfig_V3
transformers:
- operator: getField
args:
field:
value:
simple: Triage Incidents JOB
- operator: getField
args:
field:
value:
simple: fields
- operator: getField
args:
field:
value:
simple: TriageScoreThreshold
- operator: getField
args:
field:
value:
simple: Triage Incidents JOB
- operator: getField
args:
field:
value:
simple: fields
- operator: getField
args:
field:
value:
simple: TriageScoreThreshold
window_hours:
complex:
root: lists
accessor: SOCOptimizationConfig_V3
transformers:
- operator: getField
args:
field:
value:
simple: Triage Incidents JOB
- operator: getField
args:
field:
value:
simple: fields
- operator: getField
args:
field:
value:
simple: TriageWindowHours
- operator: getField
args:
field:
value:
simple: Triage Incidents JOB
- operator: getField
args:
field:
value:
simple: fields
- operator: getField
args:
field:
value:
simple: TriageWindowHours
separatecontext: false
continueonerror: true
continueonerrortype: ""
Expand Down
8 changes: 0 additions & 8 deletions Packs/soc-optimization-unified/Scripts/SOCAutoTriageScoreFilter/SOCAutoTriageScoreFilter.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,14 +64,6 @@ def main():
})
continue

# Skip if analyst has manually set a score
if manual_score is not None:
skipped.append({
'incident_id': incident_id,
'aggregated_score': aggregated_score,
'reason': 'manual_score set — analyst touched this case'
})
continue

# Skip if score is above threshold or missing
if aggregated_score is None or float(aggregated_score) > threshold:
Expand Down
Loading