I’m trying to implement a workflow in Google SecOps SOAR where an analyst can manually select a specific IP address entity within a case and run a playbook that performs a mitigation action (e.g., block that IP).
The key requirement is that the playbook should only act on the selected entity, not all IP entities in the case.
Is there a way to trigger a full playbook execution scoped to a manually selected entity (similar to how actions can target specific entities), rather than running at the case level?
If this isn’t directly supported, what are the recommended workarounds (e.g., Entity Selection, loops, custom lists, or manual input prompts)?
For context, I’ve already explored:
- Entity Selection in playbooks
- Running actions with selected entities
- Quick/Manual actions
But I haven’t found a way to initiate a full playbook execution from a manually selected entity.
