Rename a case within a Playbook?

  • 23 September 2022
  • 6 replies

Userlevel 2

Hi folks,


Another cases and playbooks question - is there a way to update the name of an existing case item from within a Playbook?


By default, we are generating cases with just the incident ID for identification, but we’d ideally like to be able to update the name of the case once some additional playbooks have run.

We already have a way to get the case ID etc, it’s just the renaming part we’re stuck on.


Is this possible?


Best answer by Sagar Bhandari 16 November 2022, 09:45

View original

6 replies

@Prabesh Bhatta maybe you can assist? :) 

Userlevel 2

Hi folks,


Just wondering if there was any update on this? Or should I log a support ticket?




Hello Ash,

If i understood you correctly, you want to have an identifier for each case that has been created in the cases section.

First let me state that the case name can be generated statically or dynamically.

For example

 If you leave the Case Id field empty, then the soar itself generates the case name based on automation name and incident_id( if playbook is triggered via incident). Also if you put a static string inside the case id then all the incident of that particular case id will be reported under that name.( no new cases will be created, only new incidents will be appended to the existing case).

You can see the dynamic naming convention on the Case Name Template.

If you want unique case name for each incidents then you can use the following inside Case name template
Case Name Template : ${internal.automationName}_${Name}_${incident_id}

which will create a new case with the name(pattern) as mentioned in the previous line.

If i misunderstood you please correct me.




Userlevel 2

Hi Sagar,


Not quite what I was looking for - I’m looking more for a way to have a case do what you’ve mentioned above, but then have the title of the case be updated to add additional information after a Playbook has run.


For example, let’s say I’m dealing with a compromised user - I want to have the playbook run, create the case dynamically and then add the user (say, bob.smith) to the actual title of the case.

So instead of ‘Compromised User_d658f314-470e-406b-8890-f2da6ef89525’ I’d want ‘Compromised User - bob.smith’ if that makes sense? (Generate with default name first, then adjust it after Playbook actions somewhere).

Hello Ash,

Based on your example, what you can do is:

  1. Have a field for alert_name and user in the trigger block.( whose value would be provided(if it exists) from the metadata of the incident log.
  2.  Use those information of the trigger block to format a name for the case item to be created.
  3. Use the output field of format block(message) as the case id so that new case would be generated for each of the user that has been compromised.

    If the user who triggered the alert is Bob and John then the case items created would be Alert_name_Bob and Alert_name_John.

I think this would be the best approach to do this. 



Userlevel 2

Hi Sagar,


Thanks for that - it may be a tad complicated for some of our playbooks, but I’ll give that a go.