Has anyone noticed variable calls being changed on version 6.3.29.2?

Since yesterday's patch window, all of our playbooks are no longer automatically applying via custom trigger. After some testing, only the 'Alert.' calls have changed. There appears to be no change with 'event.' calls.

[alert.alertname] has to be [Alert.alertname]

This requires a full rework of every playbook we have in production (458 playbooks total, active and inactive). Some heads up on the change being implemented would've been great!


Reviewing my custom triggers, the alert-based ones were always [Alert.Name].

Are these for alerts generated from the SIEM or another connector? You could look into the field mappings so that they map to the fields you use in the trigger.

Thank you for your response!

Prior to the update yesterday, [alert.alertname] or [alert.name] worked. This affects all 'alert.' calls, e.g. [alert.environment] and [alert.description]. They have to be [Alert.Variable] to function correctly now. Funny that the change didn't affect the event calls; [event.variable] still works normally.

It is for all alerts for all products we service. I do not believe we can change the system default 'Alert.' and 'event.'? Would this have to be done via custom ontology mapping?

Yeah, that is strange. I noticed it with case.property vs Case.property as well. There were authentication issues that were caused by this update, so maybe they will revert back: https://www.googlecloudcommunity.com/gc/SecOps-SOAR/SecOps-Authentication-Issue-discovery-and-soluti...

I will look into the possibility of changing the capitalization of the alert/event/case placeholders and let you know if I find anything. In the meantime, a support case wouldn't be a terrible idea.

Thank you for the update! Oh, didn't know there were auth issues with the latest update. Haven't heard anything from our team about that.

Yes, I was able to create a case for this issue. Currently awaiting an update from the support team.

Totally agree with you on this. We managed to find the same workaround as you did quickly enough to reduce the huge impact this kind of change can have on our playbooks, and so on our threat mitigation.

We experienced the same issue, which for us started on January 12, so definitely after our instance upgrade to 6.3.29.2. This kind of change really needs to be written in the Release Notes...

Louis

Created a case for this; they stated they would provide an update no later than Jan 16th. Currently awaiting a response.

In the meantime, I'll have to start changing all of our triggers, actions, and flows in all of our playbooks... may take me a week as we have so many
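Added example, not from any poster in this thread: a small Python helper for the bulk rework described above. It rewrites lowercase [alert.X] and [case.X] placeholders to [Alert.X] and [Case.X] and leaves [event.X] untouched, which is the behaviour the thread reports. It assumes the placeholder syntax is exactly [prefix.field] as shown in the posts and operates on the raw text of an exported playbook (the export format is not specified here, so the sample input is a constructed trigger expression); the function and file names are my own.

```python
import re
from pathlib import Path
from typing import Dict, Tuple

# Prefixes the thread reports as case-sensitive after the 6.3.29.2 upgrade:
# lowercase [alert. / [case. stopped resolving, [Alert. / [Case. work, and
# [event. was unaffected. Taken from the posts above, not from vendor docs.
CASE_SENSITIVE_PREFIXES = {"alert": "Alert", "case": "Case"}

# Matches a placeholder such as [alert.alertname] or [Alert.Description] and
# captures the prefix and field separately. Assumed syntax: [prefix.field].
_PLACEHOLDER_RE = re.compile(r"\[(?P<prefix>[A-Za-z]+)\.(?P<field>[^\]\s]+)\]")

# Constructed sample of a trigger/action expression, mixing the three cases
# the thread describes: broken lowercase, already-correct, and untouched event.
SAMPLE_TRIGGER = (
    "Escalate when [alert.alertname] in [alert.environment] "
    "matches [Alert.Description] from [event.source] on [case.id]"
)


def normalize_placeholders(text: str) -> Tuple[str, Dict[str, str]]:
    """Rewrite lowercase [alert.X]/[case.X] placeholders to [Alert.X]/[Case.X].

    Returns the rewritten text plus a mapping of every placeholder that was
    changed (original -> replacement) so the edit can be reviewed first.
    """
    changes: Dict[str, str] = {}

    def _fix(m: "re.Match[str]") -> str:
        prefix, field = m.group("prefix"), m.group("field")
        target = CASE_SENSITIVE_PREFIXES.get(prefix.lower())
        # Leave [event.X] and unknown prefixes as written, and leave an
        # already-canonical [Alert.X] / [Case.X] alone.
        if target is None or prefix == target:
            return m.group(0)
        replacement = f"[{target}.{field}]"
        changes[m.group(0)] = replacement
        return replacement

    return _PLACEHOLDER_RE.sub(_fix, text), changes


def rewrite_file(path: Path, dry_run: bool = True) -> Dict[str, str]:
    """Normalize one exported playbook file in place; dry_run only reports."""
    original = path.read_text(encoding="utf-8")
    fixed, changes = normalize_placeholders(original)
    if changes and not dry_run:
        path.write_text(fixed, encoding="utf-8")
    return changes


if __name__ == "__main__":
    fixed, changes = normalize_placeholders(SAMPLE_TRIGGER)
    for old, new in changes.items():
        print(f"{old} -> {new}")
    print(fixed)
```

Run it with dry_run=True first over the export directory (e.g. `for p in Path("exports").rglob("*"): print(p, rewrite_file(p))`) and review the reported changes before writing anything back. Because the capitalized form already worked on earlier versions according to the thread, normalizing to it should be safe even if the upgrade is rolled back.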

I can share that even if a roll-back of the 6.3.29.2 version is happening, you shouldn't have any issue with already updated playbooks, because in our situation we had both formats, Alert.xxxx (with upper-case A) and alert.xxx (lower-case a), in use, and the upper-case format was already working in previous versions.

Louis

Received a response from support stating it was resolved. There was a hotfix pushed to bring it to 6.3.30.2; this resolved the issue when calling Alert manually within the case, but not the issues with the playbook. I updated a few playbooks to see if it resolved the issue, but it still didn't work.

I updated the Support Case, waiting on a response.