Google recommends that you change the alert priority within a case instead
of changing the case priority. If you change the case priority instead of the
alert priority, you may end up with different alerts grouped into a case, with
each incoming alert and its attached playbook altering the case priority. For
example, if an alert is ingested at 10:01 with a playbook that defines the
case as critical; and then another alert is grouped into the same case at
10:05 with a playbook that defines the case as low priority, the entire case
would be classified as low priority, causing important issues to go
undetected.
When you change the alert priority instead of the case priority, each case
inherits the highest priority of the grouped alerts. Therefore, as shown in
the previous example, a subsequent alert with a lower priority wouldn't
override the critical priority already assigned to the case by a prior alert.
How can I change the priority of the alert?
There are two ways you can change the priority of the alert:
Using the Change Alert Priority action – either in a playbook or
as a manual action.
Change the priority through the alert itself:
In the Cases page, click
more_vertAlert Options and select
Change Priority from the menu.
In the Change Alert Priority dialog, select the required priority
and click Save.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-03-13 UTC."],[[["Google recommends changing alert priority instead of case priority in Google SecOps SOAR to prevent conflicts from different playbooks altering the case priority."],["Changing alert priority ensures that a case inherits the highest priority of its grouped alerts, preventing lower-priority alerts from overriding higher-priority ones."],["Alert priority can be changed through the \"Change Alert Priority\" action in a playbook or manually through the \"Alert Options\" menu in the Cases page."],["While case priority can still be manually changed, it is not the recommended best practice due to the potential for misclassification."]]],[]]
