Handle playbook runs with Alert grouping

Hello,

I'm using alert grouping for Microsoft Defender cases, so multiple alerts get grouped based on the Incident ID being the same for all of them. However, each one individually gets a playbook running, and I'm not sure if there's a way to have all the other playbooks pause while the first alert's playbook runs through, and then have them run sequentially. I see an action "Wait for playbook to complete", but that seems like it will only work if it's within the same alert and not across a single case.

Any help on this would be highly appreciated. Open to any ideas here!

Thank you,

Krunal M


Dear Krunal,

Maybe you can think of an alternative using the "Find First Alert", "Set Context Value" and "Delay Playbook" actions to try to solve your problem?

If it's the first alert in the case, then you can continue the playbook; otherwise you can delay the playbook execution for, as an example, 5 minutes.
When the first playbook is finished, one of its last steps can be to set a context value in the context of the case, so that the other delayed playbooks can check this context value and, if it does not have the expected value (correct termination of the previous playbook), delay the playbook again for X minutes.

I believe this can be created as a block to be easily integrated in playbooks.
Also, maybe you can develop a custom action to do this in one step and with better logic.

Kind regards,
Louis
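The gating logic Louis describes (first alert continues, the rest delay and re-check a case-scoped context value), written out as a runnable simulation. This is an added illustration, not code from the original post and not Chronicle SOAR code: the "Find First Alert", "Set Context Value" and "Delay Playbook" actions are modelled as plain Python functions over an in-memory case so the logic runs offline, and the context key name `playbook_turn` and the alert identifiers are assumptions. It goes one step beyond the reply: instead of a bare "done" flag, the context value names the alert whose playbook may run next, which is what keeps the runs strictly sequential.

```python
"""
Simulated case-level serialisation of playbook runs for one grouped case.

Added illustration, not code from the original post or from Chronicle SOAR.
The SOAR actions named in the reply ("Find First Alert", "Set Context Value",
"Delay Playbook") are stand-ins implemented as plain Python over an in-memory
case.  The context key name and the alert identifiers are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TURN_KEY = "playbook_turn"   # assumed case-context key: id of the alert allowed to run
CONTINUE, DELAY = "continue", "delay"


@dataclass
class Case:
    case_id: int
    alert_ids: List[str]                                  # grouping order = desired run order
    context: Dict[str, str] = field(default_factory=dict)  # case-scoped context values


def find_first_alert(case: Case) -> str:
    """Stand-in for the "Find First Alert" action."""
    return case.alert_ids[0]


def set_context_value(case: Case, key: str, value: str) -> None:
    """Stand-in for the "Set Context Value" action at case scope."""
    case.context[key] = value


def get_context_value(case: Case, key: str) -> Optional[str]:
    return case.context.get(key)


def gate(case: Case, alert_id: str) -> str:
    """Decision each playbook makes before doing its real work.

    The first alert of the case runs immediately when no turn has been recorded.
    Every other alert proceeds only when the case context names it; otherwise the
    playbook should "Delay Playbook" and evaluate this gate again afterwards.
    Naming the next alert (rather than storing a bare "done" flag) guarantees that
    only one playbook is released per hand-off.
    """
    turn = get_context_value(case, TURN_KEY)
    if turn is None:
        return CONTINUE if alert_id == find_first_alert(case) else DELAY
    return CONTINUE if turn == alert_id else DELAY


def release(case: Case, alert_id: str) -> None:
    """Last step of a playbook: hand the turn to the next alert in grouping order."""
    idx = case.alert_ids.index(alert_id)
    nxt = case.alert_ids[idx + 1] if idx + 1 < len(case.alert_ids) else "__none__"
    set_context_value(case, TURN_KEY, nxt)


def simulate(case: Case, max_rounds: int = 50) -> Tuple[List[str], int]:
    """Run every alert's playbook concurrently; one round = one delay interval.

    Playbooks are queued in reverse grouping order on purpose, to show that the
    gate, not arrival order, decides who runs.  Returns the order in which the
    playbooks did their real work and the number of delay rounds consumed.
    Raises if the gate ever lets two playbooks through in the same round.
    """
    pending = list(reversed(case.alert_ids))   # playbooks still waiting at the gate
    executed: List[str] = []
    for rounds in range(max_rounds):
        if not pending:
            return executed, rounds
        allowed = [a for a in pending if gate(case, a) == CONTINUE]
        if len(allowed) > 1:
            raise RuntimeError(f"gate released {allowed} concurrently")
        for a in allowed:
            executed.append(a)   # real playbook steps (enrichment, containment) go here
            release(case, a)
            pending.remove(a)
    raise RuntimeError("playbooks still pending after max_rounds")


if __name__ == "__main__":
    # Constructed sample: four Defender alerts grouped into one case.
    case = Case(4711, ["MDE-1", "MDE-2", "MDE-3", "MDE-4"])
    order, rounds = simulate(case)
    print("execution order:", order, "delay rounds:", rounds)
```

Two practical points when building this as a playbook block: the gate must be re-evaluated after every "Delay Playbook" step, not just once, and the hand-off in the last step must run on every exit path of the playbook (including failure branches), or every later alert in the case waits forever. A single "done" flag as in the reply works for two alerts, but with three or more it releases all waiting playbooks at once after the first finishes, which is why the example stores the identity of the next alert instead.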


That's a great idea Louis - I'll definitely try and implement this logic and see what can be done. Although I'm surprised this is not just done out of the box by an action since "Alert Grouping" is such an important USP in Chronicle SOAR.

Thanks again,

Krunal M