This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

Attaching/running multiple playbooks at ingestion

Posted on 12-25-2024 01:45 AM
Gal_Zelinger
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hey everyone,

I have a use case in which I need to run multiple playbooks on the same ingested alert.

My first playbook is a general playbook for all ingested alerts with the trigger "all", I have it set to priority 1.

The second playbook is a alert specific playbook with the trigger "Alert Type" with the relevant alert type selected, I have it set to priority 2.

Gal_Zelinger_0-1735119544916.png

As I've read here on the forum it seems that the main recommended way to run multiple playbooks on the same ingested alert is using the playbook priority feature, but it seems not to be working for me - I've tried the same setup on 2 different instances of SecOps, while testing on both simulated ingested cases and real live detections from the environments. In all these tests and in all cases only 1 playbook runs and I can't seem to get two separate playbooks to run on the same alert at ingestion. 

Any insight on what could make this setup work properly would be appreciated,

Thanks.

Solved Solved
0 1 242
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
mikewilusz
Staff
Reply posted on --/--/---- --:-- AM

Only a single playbook can be assigned to an alert when it ingests to the SOAR. To achieve what you're looking for I'd recommend using playbook "blocks." Blocks are basically playbooks without triggers that allow you to embed them in other playbooks. So in your scenario you'd create a "catch all" block or such, and then put it at the beginning of each of your alert-specific playbooks. Details on this functionality is available here: https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/working-with-playbook-bl...

-mike

View solution in original post

Jump to Solution
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
mikewilusz
Staff
Reply posted on --/--/---- --:-- AM

Only a single playbook can be assigned to an alert when it ingests to the SOAR. To achieve what you're looking for I'd recommend using playbook "blocks." Blocks are basically playbooks without triggers that allow you to embed them in other playbooks. So in your scenario you'd create a "catch all" block or such, and then put it at the beginning of each of your alert-specific playbooks. Details on this functionality is available here: https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/working-with-playbook-bl...

-mike

Jump to Solution
0 Likes
Top Solution Authors
View all