I am trying to cut some time off closing false positives by creating a workflow that can automatically repeat the process of closure. But I need to be able to analyse each case and allow the procedure or not; for that I use a human decision step.
But there is no information regarding the specifics of the alert the investigation is based on, and I haven't found any way to get the evidence from said alert.
I've tried creating a custom alert workflow, but the problem is basically the same but in reverse: there is no way to tie back to the investigation that was created by the original alert.
The Evidence section in IDR is currently not handled via the API. You can add a log search step that will search the logs for a particular alert and import the results of the log search for review before making a decision.
Also, as Brandon said, I used a global artifact to store key details about an alert and the decision made on the alert, which the workflow could review and make a similar decision automatically on any it saw that matched the same criteria.
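The decision-cache pattern from the reply above, as an added illustration that is not InsightConnect's or InsightIDR's own code: the global artifact is modelled as a JSON document holding the key fields of each reviewed alert and the analyst's decision. The match fields, the alert field names and the sample alerts are assumptions chosen for the example; a new alert is auto-closed only when its most recent matching entry was a "close", so a later escalation on the same criteria stops the auto-close.

```python
"""Human-in-the-loop false-positive closure with a stored decision cache.

Added example (hypothetical field names): the "global artifact" is a JSON
document of prior alert criteria plus the human decision on each one.
"""
import json

# Fields that define "the same kind of alert" for matching (assumed names).
MATCH_FIELDS = ("rule_name", "source_host", "user")

AUTO_CLOSE = "auto_close"      # workflow may close without a human step
HUMAN_REVIEW = "human_review"  # route to the human decision step


def criteria_key(alert: dict) -> tuple:
    """Normalise the match fields so case/whitespace differences still match."""
    return tuple(str(alert.get(f, "")).strip().lower() for f in MATCH_FIELDS)


def load_artifact(text: str) -> dict:
    """Parse the stored artifact; an empty artifact means no prior decisions."""
    return json.loads(text) if text.strip() else {"decisions": []}


def record_decision(artifact: dict, alert: dict, decision: str, analyst: str) -> str:
    """Append the alert's key details and the human decision; return the new artifact text."""
    artifact["decisions"].append({
        "criteria": dict(zip(MATCH_FIELDS, criteria_key(alert))),
        "decision": decision,   # e.g. "close" or "escalate"
        "analyst": analyst,
    })
    return json.dumps(artifact)


def triage(artifact: dict, alert: dict) -> str:
    """AUTO_CLOSE only if the latest prior entry matching on every field was a close."""
    key = criteria_key(alert)
    for entry in reversed(artifact["decisions"]):   # most recent decision wins
        prior = tuple(entry["criteria"][f] for f in MATCH_FIELDS)
        if prior == key:
            return AUTO_CLOSE if entry["decision"] == "close" else HUMAN_REVIEW
    return HUMAN_REVIEW


if __name__ == "__main__":
    # Constructed sample alert, not real InsightIDR data.
    alert = {"rule_name": "Brute Force", "source_host": "vpn-gw-01", "user": "svc_backup"}
    art = load_artifact("")
    print(triage(art, alert))                          # human_review
    art = load_artifact(record_decision(art, alert, "close", "analyst1"))
    print(triage(art, {**alert, "source_host": "VPN-GW-01 "}))   # auto_close
```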