- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
01-19-2023 12:59 AM
Guys,
I Have Phishing Playbook consists of two big parts:
a- L1 Phishing playbook.
b- L2 Phishing playbook.
The flow starts from L1 doing the needed automation and tasks like (Extracting IOCs, Headers, Doing Enrichment, making Splunk searches, .... etc.)
Then it will stop at the stopping point which ask the Analyst to categorize which type this alert should it be.
Then if L1 Categorized the alert as phishing, L2 will start with its tasks.
L2 is sub playbook inside L1 only.
The issues am taking about: is assigning owner from L1 to alert.
I did before assign L1 automatically by using the automation script (assign owner to incident randomly)
but it was getting any one from L1 to be the owner. and I tried it with other options like (assign current and online but none of them is accurate).
because I want to assign the Incident to the user who did the categorization in the stopping point.
I used (assign to me button) inside the script. but it gives me error, as it need to be run manually and there is another option which can make the L1 to assign the task to other one. so, any idea how can I pass this issue?
I was thinking if there is any idea to:
1- stop the categorization task, till L1 assign the incident to himself. but I don't know how to do it??
2-make any task and based on it take the owner and assign him to the owner field, also I don't know how to do it??
Any recommendations will help me a lot.
Thanks
01-22-2023 06:58 PM
Hi @oDarweesh2,
For step "Analyst to categorize" are you doing this with a Data Collection task? If so, the task can capture the user who completed the task the categorisation.
You can then use setIncident owner=${<DC Task Name>.Answers.name}
to assign the owner.
If the above is not possible. You can go via the API to grab warroom entries and check the owner for specific entries. This is more complicated and only recommended as a last resort.
01-22-2023 09:26 PM
For step "Analyst to categorize", its conditional task not Data collection Task.
Kindly need advice, when Iam running the script "AssignAnalystToIncident"
and I specify a specific User like Nadeema, I get all the Analysts with L2 Role as participant, although none of them was participated or added.
find the screenshot below.
01-23-2023 12:22 AM
Hi @oDarweesh2,
Running the AssignAnalystToIncident
command with the roles parameter will assign the ticket to all the users that belong to that specific role. Run the command with the username parameter only.
If you're using a conditional task approach
Playbook steps I assume you currently have (Steps 1-3)
1. Assign the incident to the analyst
2. Analyst chooses the radio button option and clicks "Mark Completed". (Cannot be in quiet mode for custom automation solution)
3. Playbook step to set the Incident Categorisations
4. Custom automation that uses XSOAR REST API to URI /investigation/<Incident ID
> (Check screenshot for more information) . In returned results find "Task Done" warroom entry for the conditional check in Step 2. Grab username who completed the task.
5. Assign the incident owner to the above username
Recommended Approach.
As you can see the above approach is complicate and requires a custom automation. I would recommend the below approach.
Configure a Data Collection task to be a "Ask by Task". This is done by de-selecting all the options in "Select communication channels".
Then create a field linked question.
When the task is called it should look like the below during the playbook run.
When the analyst selects an answer, the field is updated directly and the user who submitted the answer is also captured in the context.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!