topic Re: Multiple Question realted to assign owner from playbook in Cortex XSOAR Discussions

Multiple Question realted to assign owner from playbook

oDarweesh2 — Thu, 19 Jan 2023 08:59:24 GMT

Guys,

I Have Phishing Playbook consists of two big parts:

a- L1 Phishing playbook.

b- L2 Phishing playbook.

The flow starts from L1 doing the needed automation and tasks like (Extracting IOCs, Headers, Doing Enrichment, making Splunk searches, .... etc.)

Then it will stop at the stopping point which ask the Analyst to categorize which type this alert should it be.

Then if L1 Categorized the alert as phishing, L2 will start with its tasks.

L2 is sub playbook inside L1 only.

The issues am taking about: is assigning owner from L1 to alert.

I did before assign L1 automatically by using the automation script (assign owner to incident randomly)

but it was getting any one from L1 to be the owner. and I tried it with other options like (assign current and online but none of them is accurate).

because I want to assign the Incident to the user who did the categorization in the stopping point.

I used (assign to me button) inside the script. but it gives me error, as it need to be run manually and there is another option which can make the L1 to assign the task to other one. so, any idea how can I pass this issue?

I was thinking if there is any idea to:

1- stop the categorization task, till L1 assign the incident to himself. but I don't know how to do it??

2-make any task and based on it take the owner and assign him to the owner field, also I don't know how to do it??

Any recommendations will help me a lot.

Thanks

Re: Multiple Question realted to assign owner from playbook

jfernandes1 — Mon, 23 Jan 2023 02:58:38 GMT

Hi @oDarweesh2,

For step "Analyst to categorize" are you doing this with a Data Collection task? If so, the task can capture the user who completed the task the categorisation.

You can then use setIncident owner=${<DC Task Name>.Answers.name} to assign the owner.

If the above is not possible. You can go via the API to grab warroom entries and check the owner for specific entries. This is more complicated and only recommended as a last resort.

Re: Multiple Question realted to assign owner from playbook

oDarweesh2 — Mon, 23 Jan 2023 05:26:58 GMT

For step "Analyst to categorize", its conditional task not Data collection Task.

Kindly need advice, when Iam running the script "AssignAnalystToIncident"

and I specify a specific User like Nadeema, I get all the Analysts with L2 Role as participant, although none of them was participated or added.

find the screenshot below.

Re: Multiple Question realted to assign owner from playbook

jfernandes1 — Mon, 23 Jan 2023 08:22:44 GMT

Hi @oDarweesh2,

Running the AssignAnalystToIncident command with the roles parameter will assign the ticket to all the users that belong to that specific role. Run the command with the username parameter only.

If you're using a conditional task approach

Playbook steps I assume you currently have (Steps 1-3)

1. Assign the incident to the analyst

2. Analyst chooses the radio button option and clicks "Mark Completed". (Cannot be in quiet mode for custom automation solution)

3. Playbook step to set the Incident Categorisations

4. Custom automation that uses XSOAR REST API to URI /investigation/<Incident ID> (Check screenshot for more information) . In returned results find "Task Done" warroom entry for the conditional check in Step 2. Grab username who completed the task.

5. Assign the incident owner to the above username

Recommended Approach.

As you can see the above approach is complicate and requires a custom automation. I would recommend the below approach.

Configure a Data Collection task to be a "Ask by Task". This is done by de-selecting all the options in "Select communication channels".

Then create a field linked question.

When the task is called it should look like the below during the playbook run.

When the analyst selects an answer, the field is updated directly and the user who submitted the answer is also captured in the context.