Trigger a playbook for new Cases

Question

Is it possible to trigger a playbook based on a new case being created? I’m working on building a case notification system that alerts a security analyst when a new case is created.

The intended workflow is:

Send an initial notification when a new case is created
After a delay, allow a triage phase so all related alerts can be grouped into the case
Send a follow-up “case summary” notification that includes all relevant case details to help the analyst determine whether the case is a true or false positive

The issue I’m running into is that when multiple alerts hit the SOAR system at the same time, multiple playbook executions occur, which results in duplicate notifications.

cmorris · Answer

Go to Content Hub > Playbooks & Blocks and search for ‘Duplicate alert check’. This block from @SoarAndy would allow you to build out different logic for the first alert in a case or first alert of a certain type versus subsequent alerts that are grouped into the case. This would allow you to send one notification versus a notification for each alert in the case.

You could also take a look at using the Find First Alert action from the Tools power up and build out a condition for notifications based on the response there.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded