Hi @GaurangPatel
1. You can create your own integration and write a code using IDE feature and then use this code as actions in a playbook:
https://cloud.google.com/chronicle/docs/soar/respond/ide/using-the-ide
2. Flow might be enough for this, but if you looking for something way better e.g for dictionary to check against, it would be better to create a custom action that will do this decision and then make a flow that will do a choice based on a result from action
https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/using-flows-in-playbooks
3. You can assign some "manual" action within a playbook to a user and then user will need to input for a playbook to continue:
https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/using-actions-in-playbooks#assign-actions
Thanks, @f3rz , for the quick reply.
Yes, creating a new action is possible. However, after creating the integration, I will hand it over to the SOC analysts, who will create playbooks based on their use cases. They won’t have knowledge of how to create new integrations.
For the second question: from the documentation you shared, it states that you can select the required parameter. However, note that the drop-down will only show the script results from actions that are part of this playbook.
Previously, I created an playbook with Splunk SOAR, which provides the functionality mentioned above, independent of the integration. I wanted to check if Google SecOps SOAR has any native support for similar features.
Reference:
1. Custom Code Execution:https://docs.splunk.com/Documentation/SOAR/current/Playbook/CodeBlock
2. Capture Inputs:https://docs.splunk.com/Documentation/SOAR/current/Playbook/PromptBlock
Thanks, @f3rz , for the quick reply.
Yes, creating a new action is possible. However, after creating the integration, I will hand it over to the SOC analysts, who will create playbooks based on their use cases. They won’t have knowledge of how to create new integrations.
For the second question: from the documentation you shared, it states that you can select the required parameter. However, note that the drop-down will only show the script results from actions that are part of this playbook.
Previously, I created an playbook with Splunk SOAR, which provides the functionality mentioned above, independent of the integration. I wanted to check if Google SecOps SOAR has any native support for similar features.
Reference:
1. Custom Code Execution:https://docs.splunk.com/Documentation/SOAR/current/Playbook/CodeBlock
2. Capture Inputs:https://docs.splunk.com/Documentation/SOAR/current/Playbook/PromptBlock
1. You may explore the PowerUps we have. Some of them may transfer results from X to Y without requiring custom development. But if there's nothing for your usecase, there's no other choice rather than either request it as a Feature Request or make a custom action.
2. In flow you can use script results (json/text), selected parts of script results if this is JSON and also data from: cases, alerts, events, entity, environment and other parts of SOAR
Adding some screenshots for a context:
---
1. Custom code execution is not possible with a playbook. It will require creating an integration and action and then being added to a playbook. So, it will be a Feature Request.
2. Capture inputs is possible with setting action to manually and assign a user to it, and then user should do inputs based on action you selected to let playbook continue.
Thanks, @f3rz.
I almost got all the answers I needed, except for question two. I’m familiar with extracting data from cases, alerts, events, entities, environments, and other parts of SOAR. However, my question is: let’s say I’m adding some Root Cause in Action 1’s input parameter. Now, I want to use the same Root Cause in another action as well.
While it seems possible to use the results from an earlier playbook action, the section in the screenshot you provided doesn’t seem to offer an option to use the input parameter from the first action directly in the second action. In other words, I want to reuse the same Root Cause in the input parameter of the second action.
In the attached screenshots, you can see that I have provided the Root Cause for the first action. However, when I try to use the same Root Cause for Action 2, there is no option to do so. Only the result of the previous action can be used.
Thanks, @f3rz.
I almost got all the answers I needed, except for question two. I’m familiar with extracting data from cases, alerts, events, entities, environments, and other parts of SOAR. However, my question is: let’s say I’m adding some Root Cause in Action 1’s input parameter. Now, I want to use the same Root Cause in another action as well.
While it seems possible to use the results from an earlier playbook action, the section in the screenshot you provided doesn’t seem to offer an option to use the input parameter from the first action directly in the second action. In other words, I want to reuse the same Root Cause in the input parameter of the second action.
In the attached screenshots, you can see that I have provided the Root Cause for the first action. However, when I try to use the same Root Cause for Action 2, there is no option to do so. Only the result of the previous action can be used.
@GaurangPatel, it depends on how you add it, but overall, you may try to use these three approaches:
1. Using Block inside your playbook with Input and Input can be used as a placeholder in the whole block
2. Use Buffer action from Tools powerup to specify either JSON or Script result (plain text) and re-use it as action result in multiple actions.
https://cloud.google.com/chronicle/docs/soar/marketplace/power-ups/tools#buffer
3. You may use multi-choice question from Flow with predefined answers
Let me check with Block and Buffer action.
Thanks again @f3rz, It was really helpful.
