Hi Guys,
I would like to know if the following customizations are possible in playbooks:
1. Custom Code Execution: For example, is it possible to write Python code between two actions to convert the output of the first action into a different format for use in the second action?
2. Use One Action's Input Parameter Further in the Flow: My use case involves branching based on the input parameter from the first action. I am using the Siemplify "Change Stage" action with manual input, and further in the flow, I would like to make decisions based on the input selected for this action.
3. Capture Inputs: I need to gather some information from the user independently of any action, and then use that input in two or more actions.
Any feedback is appreciated.
@cmorris @f3rz
Hi @GaurangPatel
1. You can create your own integration and write code using the IDE feature, and then use this code as actions in a playbook:
https://cloud.google.com/chronicle/docs/soar/respond/ide/using-the-ide
2. Flow might be enough for this, but if you are looking for something way better, e.g. a dictionary to check against, it would be better to create a custom action that makes this decision and then make a flow that chooses based on the result from the action:
https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/using-flows-in-playbooks
3. You can assign some "manual" action within a playbook to a user and then user will need to input for a playbook to continue:
https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/using-actions-in-playboo...
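The conversion and dictionary-based decision described in the reply above, as an added example (not code from the thread or from Google SecOps). It is plain Python with no SOAR SDK imports; the mapping table, branch names, the `hosts` field and the function names are hypothetical, and wiring the return values to an action's result value and JSON result is left to the IDE.

```python
import json

# Hypothetical lookup table: normalized root cause -> branch label that a
# Flow condition in the playbook would compare against.
ROOT_CAUSE_BRANCH = {
    "phishing": "Investigation",
    "malware": "Containment",
    "misconfiguration": "Remediation",
    "false positive": "Closed",
}
DEFAULT_BRANCH = "Triage"  # unknown input falls back to a safe branch


def normalize(text):
    """Lower-case and collapse whitespace so typing variations still match."""
    return " ".join(str(text).lower().split())


def decide(root_cause, prior_result_json):
    """Return (result_value, json_result) for the downstream playbook steps."""
    try:
        prior = json.loads(prior_result_json) if prior_result_json else {}
    except json.JSONDecodeError:
        prior = {}  # malformed upstream output must not break the playbook
    if not isinstance(prior, dict):
        prior = {}

    key = normalize(root_cause)
    branch = ROOT_CAUSE_BRANCH.get(key, DEFAULT_BRANCH)

    # Convert the first action's list output into the flat string a second
    # action might expect, and carry the analyst input along for reuse.
    hosts = prior.get("hosts", [])
    if not isinstance(hosts, list):
        hosts = [hosts]
    cleaned = sorted({str(h).strip() for h in hosts if str(h).strip()})
    json_result = {
        "root_cause": key,
        "branch": branch,
        "hosts_csv": ",".join(cleaned),
    }
    return branch, json_result


if __name__ == "__main__":
    # Constructed sample input, not taken from a real case.
    sample = '{"hosts": ["web01", "db02 ", "web01"]}'
    print(decide("  Phishing ", sample))
```

Because the analyst's text is echoed into the JSON result, later actions can read `root_cause` from it instead of needing access to the first action's input parameter.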
Thanks, @f3rz , for the quick reply.
Yes, creating a new action is possible. However, after creating the integration, I will hand it over to the SOC analysts, who will create playbooks based on their use cases. They won't have knowledge of how to create new integrations.
For the second question: from the documentation you shared, it states that you can select the required parameter. However, note that the drop-down will only show the script results from actions that are part of this playbook.
Previously, I created a playbook with Splunk SOAR, which provides the functionality mentioned above, independent of the integration. I wanted to check if Google SecOps SOAR has any native support for similar features.
Reference:
1. Custom Code Execution: https://docs.splunk.com/Documentation/SOAR/current/Playbook/CodeBlock
2. Capture Inputs: https://docs.splunk.com/Documentation/SOAR/current/Playbook/PromptBlock
1. You may explore the PowerUps we have. Some of them may transfer results from X to Y without requiring custom development. But if there's nothing for your use case, there's no other choice than to either request it as a Feature Request or make a custom action.
2. In a flow you can use script results (JSON/text), selected parts of script results if this is JSON, and also data from cases, alerts, events, entities, the environment and other parts of SOAR.
Adding some screenshots for context:
---
1. Custom code execution is not possible with a playbook. It will require creating an integration and an action and then adding it to a playbook. So, it will be a Feature Request.
2. Capturing inputs is possible by setting the action to manual and assigning a user to it; the user should then provide the inputs for the action you selected to let the playbook continue.
Thanks, @f3rz.
I almost got all the answers I needed, except for question two. I'm familiar with extracting data from cases, alerts, events, entities, environments, and other parts of SOAR. However, my question is: let's say I'm adding some Root Cause in Action 1's input parameter. Now, I want to use the same Root Cause in another action as well.
While it seems possible to use the results from an earlier playbook action, the section in the screenshot you provided doesn't seem to offer an option to use the input parameter from the first action directly in the second action. In other words, I want to reuse the same Root Cause in the input parameter of the second action.
In the attached screenshots, you can see that I have provided the Root Cause for the first action. However, when I try to use the same Root Cause for Action 2, there is no option to do so. Only the result of the previous action can be used.
Action 1
Action 2
@GaurangPatel, it depends on how you add it, but overall, you may try to use these three approaches:
1. Use a Block inside your playbook with an Input; the Input can be used as a placeholder in the whole block.
2. Use the Buffer action from the Tools power-up to specify either a JSON or a Script result (plain text) and re-use it as an action result in multiple actions.
https://cloud.google.com/chronicle/docs/soar/marketplace/power-ups/tools#buffer
3. You may use a multi-choice question from Flow with predefined answers.
Let me check with Block and Buffer action.
Thanks again @f3rz, it was really helpful.