Cases not being created when rules fire

Question

I have a handful of rules that I've created with the intention of creating cases. I know that they're firing because I get email notifications. However, I'm not seeing cases generated, nor does alert counter incrementing in the Overview dashboard, or anywhere else for that matter.

My intention is to write a bullet proof procedure for creating a test alert. Has anybody out there already written one? I'm not sure if the query is where I'm going wrong, if I'm getting the alert configuration wrong or if I've stumbled upon a bug....or if there's something I've overlooked.

valon_kolica · Answer

PeterSchawacker:&nbsp;
@Ofer_Shezaf: Perhaps this maybe related to the previous topic of "Default Sentinel Overview dashboard widgets indicate no data. Where is the query for the map".
&nbsp;

ps-sentinelhackers · Answer

Valon_KolicaThis seems to be completely different. Maybe an example of an email notification where the alert is failing to create a case would work. I have hundreds of them. Here's one:

Here are the alert configs...

Valon_Kolicaand Ofer_Shezaf , I'm pretty sure user error is at issue here. (Just a hunch.) What am I doing wrong? I'd be grateful for your advice.

Peter

ps-sentinelhackers · Answer

Valon_KolicaThis seems to be completely different. Maybe an example of an email notification where the alert is failing to create a case would work. I have hundreds of them. Here's one:

Here are the alert configs...

Valon_Kolicaand Ofer_Shezaf , I'm pretty sure user error is at issue here. (Just a hunch.) What am I doing wrong? I'd be grateful for your advice.

Peter

Forum Discussion

Cases not being created when rules fire

3 Replies