Re: Is there a way to control the number of simult...

krunalm · 08-27-2023 04:40 AM

With current features, is there a way we can control number of simultaneous playbook runs per environment? For example, we're facing issues where multiple playbooks run if multiple cases are ingested for a single environment and that skews our playbook steps that look for duplicates. So I was wondering if we can set something up so that per environment only one case/playbook runs at a time and others wait in some sort of a queue?

pigram86

is it the same playbook? If not, have you tried the Delay Playbook from the Tools Power Ups? It really depends on how many alerts are in the case if all are the same. You could to do a Triage playbook that assigns to all cases that has your duplicate actions. but then it would a manual process to assign the appropriate playbook or at the end of the use the attach playbook option. It really depends on how everything is setup

krunalm

Our alert:case ratio is in most cases is 1:1. Case ingested from source tool, gets an appropriate playbook based on trigger and that runs from start to finish automatically. Just having difficult on giving that delay function since if they're waiting in queue, they'd still be running around the same time.

Andrew_Cook

Out of curiosity, if the alerts are duplicates why aren't they aggregating into a single case? Are you extracting entities that should be matching across alerts? I'd also look at ways you may be able to deduplicate prior to ingestion, but that's probably harder.

krunalm

They aren't necessarily duplicates but share certain common entities that could compile them into a single escalation. Our playbooks look for the commonality and decide whether or not they get escalated commonly.

New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps

Is there a way to control the number of simultaneous playbook runs per environment?