+2Its possible to run a playbook only in alerts?
Im trying to make a playbook run for specific alerts but, in alert & iocs im not founded the playbook execution for specific alert.
the reason of this is the delay from alert and opening a case on SOAR. im get a big difference between start time from alert to a create a case (2h~)
+11Alerts need to be ingested into the SOAR via the Chronicle connector prior to playbook execution. Can you provide further details on the alerts that are being delayed - rule types, run freq, etc.? Please also check - https://docs.cloud.google.com/chronicle/docs/detection/detection-delays.
+5Hello! In general, playbooks can only be run on alerts. Since a case cannot exist without an alert, playbooks run by default on triggers on every alert (when created) that meets the requirements of trigger in playbook(first block).
If you experience an alert delay—for example, when an alert is aggregated into an existing case—you simply need to build a proper trigger within the playbook. This can be based on the alert tag, name, source, or other identifiers. Once a new alert meeting those requirements is ingested, the playbook will automatically launch on that case.
OR
you are talking about siem alerts that are not yet ingested as a case - if this is the issue you need to create your ingestion rules properly.
Let me know more about this issue so I can find proper answer!
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
