Kaspersky Next XDR Expert

Launching playbooks for objects specified by users

August 19, 2024

ID 281686

You can specify observables and assets for which a playbook must run. First, you have to create a playbook with the following settings:

  • In the Scope list, select Alert or Incident.
  • In the Operation mode list, select Manual.
  • In the Algorithm section, when setting a response action, use jq expressions to specify the objects (observables or assets) for which you want the playbook to launch. These objects will be the input to the playbook when it is launched.

If you do not specify the objects in the playbook algorithm and only select them before launching the playbook, these objects will be ignored.

After the playbook is created, you can launch it for the selected objects.

To do this, you must have one of the following XDR roles: Main administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst, or Tenant administrator.

To launch a playbook for the selected objects:

  1. In the main menu, go to the Monitoring & reporting section, and then in the Alerts or Incidents section, click the ID of the alert or incident from which you want to launch the playbook.
  2. In the details window that opens, click the Select playbook button.

    The Select playbook window opens.

  3. Activate the Select target objects before launching the playbook option by selecting the check box, and then click the Launch button.
  4. In the Target objects window that opens, select the objects from the Observables and Assets tabs for which you want to launch the playbook, and then click the Apply and launch button.

    The playbook is launched for the objects you selected.

You can view the result of the playbook from the History tab in the alert or incident details, from the playbook History tab, and from the Response history section.

For example, suppose you write a script that is called by the executeCustomScript response action. When creating the playbook, in the Algorithm section, you define the executeCustomScript response action using the playbook input data. You then want to run the script for the observables of the ip type that you select when launching the playbook, with the selected IP addresses passed to the script as a parameter:

{
  "dslSpecVersion": "1.0.0",
  "version": "1",
  "responseActionsSpecVersion": "1",
  "executionFlow": [
    {
      "responseAction": {
        "function": {
          "type": "executeCustomScript",
          "params": {
            "commandLine": "./script.py",
            "commandLineParameters": "${ \"-ip \" + ([.input.observables[] | select(.type == \"ip\")] | map(.value) | join(\",\")) }",
            "workingDirectory": "/folder/with/script"
          }
        },
        "onError": "stop"
      }
    },
    {
      "responseAction": {
        "function": {
          "type": "updateBases",
          "params": {
            "wait": false
          },
          "assets": "${ [.input.assets[] | select(.Type == \"host\") | .ID] }"
        }
      }
    }
  ]
}

Several objects are passed to the playbook as input, and the script must receive the comma-separated list of IP addresses:

{
  "input": {
    "observables": [
      {
        "type": "ip",
        "value": "127.0.0.1"
      },
      {
        "type": "ip",
        "value": "127.0.0.2"
      },
      {
        "type": "md5",
        "value": "29f975b01f762f1a6d2fe1b33b8e3e6e"
      }
    ],
    "assets": [
      {
        "AttackerOrVictim": "unknown",
        "ID": "c13a6983-0c40-4986-ab30-e85e49f98114",
        "InternalID": "6d831b04-00c2-44f4-b9e3-f7a720643fb7",
        "KSCServer": "E5DE6B73D962B18E849DC0BF5A2BA72D",
        "Name": "VIM-W10-64-01",
        "Type": "host"
      }
    ]
  }
}

After the jq expressions are evaluated against the playbook operational data, the following string is passed to the script as its command line parameters:

-ip 127.0.0.1,127.0.0.2

For a playbook that expects input data, if the object types you specified when creating the playbook differ from those you selected when launching it, or if you did not activate the Select target objects before launching the playbook check box, the playbook finishes with one of the following results:

  • An error occurs because the playbook did not receive input data.
  • The action is not performed because the playbook contains a condition or a loop that is based on the input data.
  • The result depends on the response of the product, service, or script that performs the action.
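The following Python, added here as an illustration and not part of the Kaspersky documentation or product, reproduces the two jq selections from the playbook above against the sample input on this page, and adds a pre-flight check for the empty-input failure modes just listed. The input data is constructed from the page's example; the function names are the author's own.

```python
import json

# Playbook input constructed from the example on this page (sample data, not live XDR data).
PLAYBOOK_INPUT = json.loads("""
{
  "input": {
    "observables": [
      {"type": "ip", "value": "127.0.0.1"},
      {"type": "ip", "value": "127.0.0.2"},
      {"type": "md5", "value": "29f975b01f762f1a6d2fe1b33b8e3e6e"}
    ],
    "assets": [
      {"ID": "c13a6983-0c40-4986-ab30-e85e49f98114", "Name": "VIM-W10-64-01", "Type": "host"}
    ]
  }
}
""")


def ip_command_line_parameters(data):
    """Same selection as the jq expression in commandLineParameters:
    "-ip " + ([.input.observables[] | select(.type == "ip")] | map(.value) | join(","))
    Observable fields are lowercase (type, value). Where jq would error on a
    missing key, this treats the list as empty."""
    observables = data.get("input", {}).get("observables", [])
    ips = [o["value"] for o in observables if o.get("type") == "ip"]
    return "-ip " + ",".join(ips)


def host_asset_ids(data):
    """Same selection as the jq expression in the assets field of updateBases:
    [.input.assets[] | select(.Type == "host") | .ID]
    Asset fields are capitalised (Type, ID), unlike observable fields."""
    assets = data.get("input", {}).get("assets", [])
    return [a["ID"] for a in assets if a.get("Type") == "host"]


def check_playbook_input(data):
    """Pre-flight check for the failure modes listed above: reports which response
    action would run with empty input, e.g. when no target objects were selected
    at launch or objects of a different type were selected."""
    problems = []
    if ip_command_line_parameters(data) == "-ip ":
        problems.append("executeCustomScript: no ip observables, script would get '-ip ' with no addresses")
    if not host_asset_ids(data):
        problems.append("updateBases: no host assets, nothing to update")
    return problems


if __name__ == "__main__":
    print(ip_command_line_parameters(PLAYBOOK_INPUT))  # -ip 127.0.0.1,127.0.0.2
    print(host_asset_ids(PLAYBOOK_INPUT))
    print(check_playbook_input({"input": {"observables": [], "assets": []}}))
```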
