Hi Folks,
We have the following setup in SOAR:
1. Consolidation rules that consolidate all alerts in an 8-hour period into 1 case
2. Enrichment rules to threat intelligence for the offender IP
3. Based on the result of the enrichment, present an Analyst Decision whether or not to block the address
Now, since we consolidate all alerts into a single case, there are multiple actions in the analyst decision window (see attached).
How do we display the IPs that need to be blocked in the analyst confirmation? What parameter value is supported in the Description of the Analyst Decision task?