Use case is as follows:
Playbook to update a Google Chronicle reference list in the SIEM with data from an external DB to keep the SIEM reference list up to date. It should run once per day to track specific user/device exclusions for a playbook that blocks user access.
Issues:
We do not want to manually track the exclusions/duration for many users. It doesn't scale.
Currently we do not see a way to trigger an update/pull from our exclusion list on a time-based frequency.
If you aren't tied to the idea of playbooks, you can use the IDE to create a Job Scheduler job and interact directly with the APIs instead.
Alternatively, you can still use the job scheduler to create a case, have the playbook run on the specific case type, and auto-close once completed.
Good ideas. Using the IDE is an interesting thought as well.
For clarity on how to achieve this with technical details:
For our use case we will be using the "Power Up" named "Schedule Connector" to schedule case creation with a unique alert name and alert type. This will trigger a case creation based on the time defined in the scheduled connector residing in our custom connectors. The case will then attach the playbook that we want to run on a defined schedule.
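The daily sync the thread describes, as an added Python example that is not from the original posts: it turns the exclusion DB rows (principal plus expiry) into the desired reference-list contents, diffs them against the current list so the run can be logged, and builds the update request. The sample rows and current list are constructed, the endpoint path and body fields are assumptions to confirm against the Chronicle API documentation, and wiring this into a Job Scheduler job or a scheduled connector is left out.

```python
from datetime import date, datetime
import json

# Constructed sample rows as they might come back from the exclusion DB:
# (principal, exclusion expiry as ISO date). Not taken from the original thread.
SAMPLE_DB_ROWS = [
    ("alice@example.com", "2024-06-30"),
    ("bob@example.com", "2024-05-01"),    # already expired on the run date below
    ("host-lab-07", "2024-12-31"),
    ("alice@example.com", "2024-07-15"),  # same principal, later expiry
]

# Constructed sample: what the Chronicle reference list currently contains.
CURRENT_LIST = ["bob@example.com", "host-lab-07", "carol@example.com"]


def active_exclusions(rows, today):
    """Sorted, de-duplicated principals whose exclusion has not expired.

    Expired rows are dropped here, so a principal whose exclusion lapsed in the
    DB falls out of the SIEM list on the next daily run instead of lingering."""
    active = set()
    for principal, expires in rows:
        if datetime.strptime(expires, "%Y-%m-%d").date() >= today:
            active.add(principal.strip())
    return sorted(active)


def diff_lists(current, desired):
    """(added, removed) relative to the current list, for the run's audit log."""
    cur, new = set(current), set(desired)
    return sorted(new - cur), sorted(cur - new)


def build_update_request(list_name, desired):
    """Assumption: the list is replaced whole by a PATCH to the Chronicle lists
    endpoint with {"name", "lines"}; verify path and fields against the API docs."""
    return {"method": "PATCH", "path": "/v2/lists",
            "body": {"name": list_name, "lines": desired}}


def run_daily_sync(rows, current, list_name, today):
    # An empty DB result is treated as a failed pull, not as "no exclusions":
    # pushing an empty list would let the blocking playbook act on everyone.
    if not rows:
        raise ValueError("exclusion DB returned no rows; refusing to overwrite list")
    desired = active_exclusions(rows, today)
    added, removed = diff_lists(current, desired)
    return {"desired": desired, "added": added, "removed": removed,
            "request": build_update_request(list_name, desired)}


if __name__ == "__main__":
    print(json.dumps(run_daily_sync(SAMPLE_DB_ROWS, CURRENT_LIST,
                                    "block_playbook_exclusions", date(2024, 6, 1)), indent=2))
```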