What's the behavior of event field references when configuring a playbook?

What's the behavior of event field references when configuring a custom trigger for a playbook? What happens if there are multiple events with conflicting values in the event field the trigger is using?


That depends on the use case, as I have had one alert with 101 events, so that would be difficult. As an MSSP, we configure most of our playbooks on [alert.alertname], [alert.environment] or [alert.deviceProduct].

Same for us; we are using the [Alert.Name] placeholder a lot as a Custom Trigger.

We do too, and I had to rebuild my webhook JSON to put a value in a field mapped at the alert level rather than the event, since it doesn't seem to be able to reference event fields, but that's what I'm asking: what is the intended behavior of event field references in triggers? Nothing I've tried seems to work.
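The workaround described in the post above (restructuring the webhook payload so the value the trigger needs lives at the alert level instead of on individual events) also has to decide what to do when the events disagree. The following is an added example, not code from the original thread or from the SOAR vendor: a small pre-processing step that copies chosen event fields up to the alert level when every event agrees, and records the conflicting values when they do not. The payload shape (an alert dict with an `events` list of flat dicts), the field names `serviceSource` and `deviceProduct`, the `conflicts` key and the sample alert are all assumptions constructed for illustration, not the platform's real schema.

```python
"""Promote event-level fields to the alert level before a webhook is sent.

Added example, not the SOAR platform's own code. The payload layout below is an
assumption: an alert object carrying an "events" list of flat dicts.
"""
import json
from typing import Any, Dict, Iterable, List

# Event fields we want available as alert-level fields (assumed names).
PROMOTE_FIELDS = ("serviceSource", "deviceProduct")


def distinct_event_values(alert: Dict[str, Any], field: str) -> List[Any]:
    """Return the distinct values of `field` across the alert's events, in first-seen order."""
    seen: List[Any] = []
    for event in alert.get("events", []):
        if field in event and event[field] not in seen:
            seen.append(event[field])
    return seen


def promote_event_fields(
    alert: Dict[str, Any],
    fields: Iterable[str] = PROMOTE_FIELDS,
    on_conflict: str = "first",
) -> Dict[str, Any]:
    """Copy each event field onto a deep copy of the alert.

    on_conflict selects the policy when events carry different values:
      "first": promote the first-seen value and record all values under "conflicts"
      "skip":  do not promote the field, only record the conflict
      "error": raise, so the sender fails loudly instead of triggering on a guess
    The input alert is never mutated.
    """
    if on_conflict not in ("first", "skip", "error"):
        raise ValueError(f"unknown on_conflict policy: {on_conflict!r}")
    out = json.loads(json.dumps(alert))  # deep copy via JSON round-trip
    for field in fields:
        values = distinct_event_values(alert, field)
        if not values:
            continue  # no event carries this field; leave the alert untouched
        if len(values) == 1:
            out[field] = values[0]
            continue
        if on_conflict == "error":
            raise ValueError(f"events disagree on {field}: {values}")
        out.setdefault("conflicts", {})[field] = values
        if on_conflict == "first":
            out[field] = values[0]
    return out


# Constructed sample alert: one alert, three events, two of which disagree on
# serviceSource while all three agree on deviceProduct.
SAMPLE_ALERT: Dict[str, Any] = {
    "name": "Suspicious process launch",
    "environment": "customer-a",
    "events": [
        {"deviceProduct": "Microsoft 365 Defender", "serviceSource": "MicrosoftDefenderForEndpoint"},
        {"deviceProduct": "Microsoft 365 Defender", "serviceSource": "AzureATP"},
        {"deviceProduct": "Microsoft 365 Defender", "serviceSource": "MicrosoftDefenderForEndpoint"},
    ],
}


if __name__ == "__main__":
    print(json.dumps(promote_event_fields(SAMPLE_ALERT), indent=2))
```

With the default "first" policy the uniform `deviceProduct` is promoted cleanly, while `serviceSource` is promoted from the first event and the disagreement is kept in `conflicts`, so a playbook can still branch on it rather than silently acting on one of several products.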

I use event field mapping for mapping entities as well as triggers for flows within the playbooks. For example, the [Alert.productName] of MS 365 Defender now contains 7 different products. So the old MS Defender ATP can now come in as M365 Def, but the event.serviceSource can be Azure ATP, MS Defender for Endpoint, or the old Defender ATP. This is troublesome as the integration for MS 365 Defender doesn't have any of the actions for the ATP integrations, so you have to use the event.serviceSource in the flow and triple the ATP actions based on the way it works. But one caveat in this example: the M365Def [alert.ticketid] is not the same in the backend as the ATP [alert.ticketid], so I have to basically use both integrations and deal with duplicate alerts. TY MS.


@pigram86 wrote:

I use event field mapping for mapping entities as well as triggers for flows within the playbooks


So when you say you use event fields as triggers for flows, do you mean in conditions within the playbook or triggers for the playbook? I've been able to use event field references in ingestion mapping and conditions, but not playbook triggers.

 


@pigram86 wrote:

I have to basically use both integrations and deal with duplicate alerts. TY MS. 


That sounds fun 😀 We have some duplicate Mimecast alerts because of their limitations on getting notifications for some of their alerts, so I feel the pain!

 



@banana wrote:

So when you say you use event fields as triggers for flows, do you mean in conditions within the playbook or triggers for the playbook? I've been able to use event field references in ingestion mapping and conditions, but not playbook triggers.


Triggers, and if the event data is in the JSON, I can use them in flows in the playbooks as well. This is mostly for LogRhythm with a custom parser that one of my analysts created.


@banana wrote:

That sounds fun 😀 We have some duplicate Mimecast alerts because of their limitations on getting notifications for some of their alerts, so I feel the pain!

100% my team loves dealing with duplicates.