GreyMatter

Overview

Integrate your Incident Register with GreyMatter. This integration automatically syncs GreyMatter incidents with real-time, asynchronous data flow.

• Source: Managed Detection and Response (MDR)
• Opened By: “Greymatter Integration”

Setup

The integration can be enabled directly from your Adversarial tenant via Settings > Integrations. The API Key Access needs to have read permissions for incidents.

Status Mapping

Once the GreyMatter AI reviews and accepts a new incident, a record is created in Adversarial with Status = “New”. Occurred Date and Detected Date are brought over from GreyMatter.

GreyMatter State	Adversarial Status	Notes
NEW	Not imported	Excluded — incidents may disappear due to deduplication
IN_PROGRESS	In Progress	Occurred Date and Detected Date carried over
PENDING_CUSTOMER	In Progress or Review	In Progress by default; Review if the incident was previously resolved and re-opened
RESOLVED	Review	Contained Date carried over if populated in GreyMatter
CLOSED	Closed

Severity Mapping

GreyMatter severity values do not influence the assigned severity value in Adversarial. Adversarial assigns severity one of two ways:

1. Deterministic SEV-5 — if the incident is closed in GreyMatter with a close code indicating it was benign, it is imported as SEV-5 with the close note used as the severity reasoning.

   GreyMatter Close Code	Adversarial Severity
   CUSTOMER_FALSE_POSITIVE	SEV-5
   CUSTOMER_SECURITY_CONTROL_TESTING	SEV-5
   FALSE_POSITIVE_CREATE_TUNING_TICKET	SEV-5
   FALSE_POSITIVE_NO_ESCALATION	SEV-5
   ANOMALOUS_SAFE_NO_ESCALATION	SEV-5

2. AI or manual scoring — for all other incidents, no severity is assigned on import. Users can AI Score or assign severity manually.

Note

AI auto-scoring skips incidents that already have a deterministically-assigned severity, preserving the close-code-based SEV-5 assignment and its reasoning. This also applies to automatic rescoring — close-code incidents stay at SEV-5 even when the description changes upstream.

Fields

GreyMatter Field	Adversarial Field	Notes
display_title	Title
(multiple fields)	Description	Assembled from incident details; updated if changed in GreyMatter
originator_created_at	Detected Date	Falls back to created_at
originator_created_at	Occurred Date
escalated_at	Responded Date
resolved_at	Contained Date	Set when the incident enters RESOLVED; remains populated through CLOSED
closeCode	Description	Resolution category; appended to the description on close
closeNote	Description	Analyst’s resolution notes; appended to the description on close
(static)	Source	Always “Managed Detection and Response (MDR)”