Change alert priority instead of case priority

This document outlines the best practice for managing priority within security cases. As such, we highly recommend setting and changing priority at the alert level instead of directly changing the case priority. This practice leverages the system's priority inheritance model to prevent severe issues from being misclassified.

Risk of direct case priority changes

If you change the case priority directly, each incoming alert and its attached playbook logic can override the established case severity. For example, if a Critical alert is grouped with a subsequent Low alert, the case priority may drop to Low, causing important issues to go undetected.

Alert-level priority benefits

When you change the alert priority, the case automatically inherits the highest priority of all grouped alerts. This inheritance makes sure that a subsequent alert with a lower priority doesn't override a critical severity previously assigned by another alert.

Change the priority of an alert

There are two ways you can change the priority of the alert:

• Action-based: Use the Change Alert Priority action, configured either within a playbook or run as a manual action.
• Direct modification: Change the priority through the alert interface:
1. On the Cases page, click more_vertAlert Options and select Change Priority.

2. On the Change Alert Priority dialog, select the required priority and click Save.