Send only Critical / High alerts to Slack

Curious how I can customise the Send_IDR_Alerts_to_Slack workflow so that only critical and high alerts are sent to Slack?

Add a filter step that only continues if Investigation.priority is critical / high.

My current filter options are derived from alert, e.g. alert_trigger.name

There is no current option for priority:

If I were to add a variable, what should I add to dynamically pull the priority field from an alert?

You don’t need to make a new variable. InsightConnect makes the variables for you already. If you create a step after your trigger that is a decision step, name the decision step something like “Critical or not?”.

Name your two paths: Yes and No.

Select a default path. It doesn’t matter which path you choose. On the next page you will define the opposite.

If you choose No, then on the next page you define what Yes means to you.

Hit the blue plus icon in the bottom right of the input section. This allows you to pick variables. One of the variables will likely be named Alert_Trigger.alert.priority. Just type priority and it should pop right up.

Perfect, thank you!