
trigger playbook using context value

  • January 27, 2026
  • 7 replies
  • 102 views

Chica

can we trigger a playbook using context value or if context value updated ?

7 replies

ylandovskyy
  • Staff
  • January 28, 2026

@Chica 

Currently, there is no option to do it natively, but you can create a monitoring job that will scan your alerts/cases and their context values to see a change. If something changed, then you can attach a playbook to that alert.


AnimSparrow
  • Bronze 2
  • January 29, 2026

> @Chica
>
> Currently, there is no option to do it natively, but you can create a monitoring job that will scan your alerts/cases and their context values to see a change. If something changed, then you can attach a playbook to that alert.

How can you do that? I mean the monitoring part is easy, but how can you attach a playbook to an alert via a job? I've been looking for this solution for weeks; if you can share tips around it, that would help.


ylandovskyy
  • Staff
  • January 29, 2026

@AnimSparrow,

You can check an integration (Powerup) called “Tools”. It has an action “Attach Playbook to Alert”. You can check its code and use the same method for the job.


AnimSparrow
  • Bronze 2
  • January 29, 2026

> @AnimSparrow,
>
> You can check an integration (Powerup) called “Tools”. It has an action “Attach Playbook to Alert”. You can check its code and use the same method for the job.

But did you use it? I've tried to use it, but multiple times I've received errors, especially that Siemplify jobs don't allow the use of SiemplifyAction. Also, jobs have no option (at least I didn't find a valid one yet) to list alerts in a case, and without alerts in a case I cannot even test attaching a playbook.

If you can guide me with some code example it would be great help!


ylandovskyy
  • Staff
  • January 29, 2026

@AnimSparrow,

The flow will be to list updated cases, extract alerts out of them, check the context values/custom fields and make a decision about a playbook attachment. Actually, with the new Chronicle API support for SOAR, there is even an option to list the alerts directly. You should check it out.

If you are using ServiceNow, you can check how the jobs are working there. They already work with cases and Content Values, although for a different use case, but they can still be used for inspiration.


AnimSparrow
  • Bronze 2
  • January 29, 2026

> @AnimSparrow,
>
> The flow will be to list updated cases, extract alerts out of them, check the context values/custom fields and make a decision about a playbook attachment. Actually, with the new Chronicle API support for SOAR, there is even an option to list the alerts directly. You should check it out.
>
> If you are using ServiceNow, you can check how the jobs are working there. They already work with cases and Content Values, although for a different use case, but they can still be used for inspiration.

OK, will try whether jobs allow using it :) Thanks, will let you know.


AnimSparrow
  • Bronze 2
  • January 29, 2026

> @AnimSparrow,
>
> The flow will be to list updated cases, extract alerts out of them, check the context values/custom fields and make a decision about a playbook attachment. Actually, with the new Chronicle API support for SOAR, there is even an option to list the alerts directly. You should check it out.
>
> If you are using ServiceNow, you can check how the jobs are working there. They already work with cases and Content Values, although for a different use case, but they can still be used for inspiration.

I was able to handle it finally


I went with:

from SiemplifyJob import SiemplifyJob
from SiemplifyUtils import output_handler
from GoogleSOARManager import GoogleSOARManager

INTEGRATION_NAME = "CUSTOM_INTEGRATION"
SCRIPT_NAME = "AttachPlaybookToCaseJob"

@output_handler
def main():
    siemplify = SiemplifyJob()
    siemplify.script_name = SCRIPT_NAME
    logger = siemplify.LOGGER

    # Hardcoded for testing; a production job would derive these from its polling logic.
    target_case_id = 8586
    environment = "XXX"
    playbook_to_attach = "XXXXXX"

    try:
        GSM = GoogleSOARManager(siemplify, environment)

        case_details = GSM.fetch_case_details([target_case_id])

        if target_case_id in case_details:
            case_data = case_details[target_case_id]
            logger.info(f"Found {target_case_id}.")

            alerts = case_data.get('cyber_alerts', [])
            if not alerts:
                logger.error("No alerts")
                siemplify.end_script()
                return

            # Playbooks attach to an alert, not to the case itself, so pick the alert (first one here).
            target_alert = alerts[0]
            alert_identifier = target_alert.get('identifier')
            alert_group_id = target_alert.get('additional_properties', {}).get('AlertGroupIdentifier')

            logger.info(f"Trying to attach '{playbook_to_attach}' to alert: {alert_identifier}")

            try:
                siemplify.attach_workflow_to_case(
                    playbook_to_attach,
                    cyber_case_id=target_case_id,
                    indicator_identifier=alert_identifier,
                )
                logger.info(f"Playbook {playbook_to_attach} attached.")
            except Exception as wf_e:
                # Fallback: retry with positional arguments in case the keyword names differ in this SDK version.
                logger.error(f"Error in siemplify.attach_workflow_to_case: {wf_e}")
                siemplify.attach_workflow_to_case(playbook_to_attach, target_case_id, alert_identifier)

        else:
            logger.warning(f"Case {target_case_id} not found.")

    except Exception as e:
        logger.error(f"Error: {str(e)}")
        raise

    siemplify.end_script()

if __name__ == "__main__":
    main()
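The polling flow ylandovskyy describes (list updated cases, check each alert's context value, attach a playbook only when the value changed) as an added example; this is not code from the thread or from the SOAR SDK. The SDK-dependent steps are injected as callables with hypothetical names so the change-detection logic runs offline, WATCHED_KEY and PLAYBOOK are hypothetical, and the sample cases are constructed to mirror the shape used in the job above.

```python
from typing import Callable, Dict, List, Tuple

WATCHED_KEY = "escalation_level"           # hypothetical context key to watch
PLAYBOOK = "Escalate_On_Context_Change"    # hypothetical playbook name


def detect_changes(cases: List[dict], snapshot: Dict[str, str]) -> List[Tuple[int, str, str]]:
    # Returns (case_id, alert_identifier, new_value) for every alert whose watched
    # context value differs from what `snapshot` ("<case>:<alert>" -> value)
    # recorded on the previous run; snapshot is updated in place so an
    # unchanged value never triggers the playbook twice.
    changed = []
    for case in cases:
        for alert in case.get("cyber_alerts", []):
            ident = alert.get("identifier")
            value = alert.get("context", {}).get(WATCHED_KEY)
            if value is None:
                continue  # key not set on this alert, nothing to compare
            key = f"{case['id']}:{ident}"
            if snapshot.get(key) != value:
                changed.append((case["id"], ident, value))
                snapshot[key] = value
    return changed


def run_job(fetch_updated_cases, attach, snapshot: Dict[str, str]) -> List[Tuple[int, str]]:
    # One polling cycle. In the real job, fetch_updated_cases wraps the SDK call that
    # lists recently updated cases, attach wraps siemplify.attach_workflow_to_case,
    # and snapshot is loaded/saved between runs (e.g. as a job context property).
    attached = []
    for case_id, ident, _ in detect_changes(fetch_updated_cases(), snapshot):
        attach(PLAYBOOK, case_id, ident)
        attached.append((case_id, ident))
    return attached


# Constructed sample mirroring the case/alert shape used in the thread's code.
SAMPLE_CASES = [{"id": 8586, "cyber_alerts": [
    {"identifier": "ALERT-A", "context": {WATCHED_KEY: "high"}},
    {"identifier": "ALERT-B", "context": {}}]}]


def demo() -> Tuple[List[Tuple[int, str]], List[Tuple[int, str]]]:
    # Two runs over identical data: the first attaches once, the second does nothing.
    snapshot, log = {}, []
    attach = lambda _pb, case_id, ident: log.append((case_id, ident))
    first = run_job(lambda: SAMPLE_CASES, attach, snapshot)
    second = run_job(lambda: SAMPLE_CASES, attach, snapshot)
    return first, second
```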