This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Is there a way to launch a playbook from a button in an incident

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Is there a way to launch a playbook from a button in an incident

Go to solution
RonShuck22
L0 Member

‎05-28-2024 05:40 AM

I have a couple different use cases where I have several steps in a playbook that I would like to complete again after the playbook is complete. I basically have several steps in a playbook that I would like to have launched by a button. I am trying to avoid the lengthy process of converting the steps to a standalone script. Plus, it is much easier to test aspects of a playbook as opposed to script code.

 

In one of the use cases, I need user input so not sure if this is even possible in a script.

 

Use Case 1: I have steps in the playbook that run a query from our siem for activity for a suspect source IP. I would like to be able to run these steps again later to see if the amount of activity has changes since the incident was created.

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
jfernandes1
L5 Sessionator

‎05-28-2024 07:02 PM

Hi @RonShuck22, you can have a button that calls the "setPlaybook" command. You only need to pass the playbook name. This will switch the playbook in the workplan. I would also suggest using a display trigger to ensure that the current playbook is not running. 

Example below.

button_config.png

Control button display, but hovering over the button and then selecting the "eye" icon.

button_display.png

View solution in original post

(1)
2 REPLIES 2

Go to solution
jfernandes1
L5 Sessionator

‎05-28-2024 07:02 PM

Hi @RonShuck22, you can have a button that calls the "setPlaybook" command. You only need to pass the playbook name. This will switch the playbook in the workplan. I would also suggest using a display trigger to ensure that the current playbook is not running. 

Example below.

button_config.png

Control button display, but hovering over the button and then selecting the "eye" icon.

button_display.png

(1)

Go to solution
RonShuck22
L0 Member
In response to jfernandes1

‎05-29-2024 06:15 AM

That worked. Thanks.

0 Likes Likes
  • 1 accepted solution
  • 1339 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks