Change alert priority instead of case priority

Supported in:

Google recommends that you change the alert priority within a case instead of changing the case priority. If you change the case priority instead of the alert priority, you may end up with different alerts grouped into a case, with each incoming alert and its attached playbook altering the case priority. For example, if an alert is ingested at 10:01 with a playbook that defines the case as critical; and then another alert is grouped into the same case at 10:05 with a playbook that defines the case as low priority, the entire case would be classified as low priority, causing important issues to go undetected.

When you change the alert priority instead of the case priority, each case inherits the highest priority of the grouped alerts. Therefore, as shown in the previous example, a subsequent alert with a lower priority wouldn't override the critical priority already assigned to the case by a prior alert.

How can I change the priority of the alert?

There are two ways you can change the priority of the alert:

  • Using the Change Alert Priority action – either in a playbook or as a manual action.
  • Change the priority through the alert itself:
    1. In the Cases page, click Alert Options and select Change Priority from the menu.
      2. changealertpriority
    2. In the Change Alert Priority dialog, select the required priority and click Save.