Automating closing IDR Investigation Alerts via InsightConnect

We have custom and UBA alerts that do not fall into the detection modification. We want to close alerts with specific investigation traits. Currently, the IDR REST API to list investigations and bulk close. Then, there’s trigger UBA which will some information. There’s plugin or decision tree that calls out closing the alert. I am not seeing a way to create a secondary trigger. Does this make sense?

Example: A custom alert triggers at 8 pm, 1 am, and 5 am, under a specific user, and runs on one source asset. Instead of modifying the alert to allow this user to have multiple authentication errors, I check parameters and close the alert.

Appreciate the help.