08-21-2023 10:40 PM - edited 08-21-2023 10:40 PM
Hello all,
I have a playbook, the one from the XSOAR Engineer YouTube course actually, video #8, sub-playbooks. This runs flawlessly in the playbook page but when I run it from an incident it ends up trying to reset the password for every AD user even though I specify james.bond as the user. I am not sure of the logic. It doesn't seem to "call" the playbook from the incident, it's almost as though it's a "copy" and so has its own settings and not those in the playbook? I'll add a screenshot to show what I mean. So I hard-code james.bond in the playbook, save the playbook, call the playbook from an incident and it proceeds to look up ALL users in AD? What am I missing??!
Thanks,
Geoff
08-21-2023 11:20 PM
Hi @GWynn, Need to see what the actual command looks like. Can you send the full command with its passed parameters?
08-22-2023 02:33 AM
Hello @jfernandes1 As shown here it tries to reset the password for everyone, which fails! How do I specify just james?
08-22-2023 05:04 AM
Here is a screenshot of the sub-playbook with some skipped tasks, but when I run from the incident it STILL runs these??! What am I missing?! Yes I am saving when I make these changes.
08-22-2023 09:37 PM
Hi @GWynn, the task skip button only works during the playbook debug process. The task will be included when run in an incident.
Looking at the command input, it looks like you're passing all the user names to the command. So it is working as expected. There must be something wrong with the input.
Check the playbook task input, you can set it like below, where the value is hardcoded.
Or you can set it like below, where the value is grabbed from the context. Remember, the playbook debugger uses a different context than the incident so you might experience different behaviours. You can select an existing incident or choose a new mock incident.
When you use this method, if the previous command (AD Get User) returned more than 1 result or the playbook was run multiple times it could pass more usernames. You can check the value by copying ${ActiveDirectory.Users.sAMAccountName} to the Context Data search, like below.
Adding the !DeleteContext all=true task to the start of your playbook is a good way to ensure that playbooks work as designed.
08-22-2023 11:18 PM
Hello @jfernandes1 thanks for this, I have managed to add in the !DeleteContext all=true command at the start but I am manually inputting the user everywhere I can see! It still won't seem to work, which of course defies logic. I will have another look but it's a small playbook!
08-22-2023 11:27 PM
Error!
And results:
You can see here, in the sub-playbook it is all manually inputted apart from the expire password task. So... it still tried to reset all users' passwords!!
08-23-2023 01:09 AM
Hi @GWynn Send me the playbook, I'll test and make the correction.
08-23-2023 04:56 AM
Hello @jfernandes1 here are the files. Thanks so much for doing this, sorry to be a pain, I am trying to learn this stuff! Cheers,
Geoff
08-23-2023 11:49 PM
Hello @jfernandes1 I think I have solved the problem. In the playbook when you override the input it must only be for de-bugging the playbook not for the actual incident! Same thing as the break-point. It only works in debugging mode.
08-23-2023 11:54 PM
Hi @GWynn, Only a slight modification was required. Try and let me know if they work.
My use of the "FirstArrayElement" transformer is an example. It's not required for this case. I think you need to search AD for the username to ensure only 1 result is returned, since an email address might be associated with more than one account.
I tested the playbook with the debugger and in a fresh incident. Works in both cases.
08-24-2023 02:44 AM
Hello @jfernandes1 thanks for this, yes seems to work but then resets all my users' passwords which is "ok" but not ideal! I will play and see if I can somehow prompt for the username to be used/reset. Thanks!! It gets complicated!
08-24-2023 07:21 AM
Hi @GWynn, Are you saying that it's still passing more than 1 user to the ad-reset-password command? I think there might be some extra information in your context, I thought the DeleteContext might help. Keep at it and it should work. Maybe try re-creating the playbook 1 step at a time. Add a print task to output context keys before passing them to the next task. Validate if the value in the print task matches your expectation for the next task input.
For manual input, you can leave a mandatory field blank. It will halt the playbook process and allow you to enter the value.
In the screenshot below, delete the value of the username field in the ad-set-new-password task (1). Run the playbook, wait for the task to fail (2). Open the failed task, add the new run-time value (3) and click "Run automation now" (4).
Another, more complex method is to implement a Data Collection task.
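A simplified model of the behaviour discussed in this thread, as an added example that is not part of any post and is not XSOAR's own resolver: a context path that crosses a list yields every user's value, so a pre-flight check can refuse to continue unless exactly the intended account resolves. The function names and the usernames other than james.bond are constructed for illustration.

```python
# Simplified stand-in for context path resolution (assumption: dotted paths,
# lists fan out). Not XSOAR code; helper names are hypothetical.

PATH = "ActiveDirectory.Users.sAMAccountName"

# Constructed sample: context left over from a lookup that returned several users.
STALE_CONTEXT = {"ActiveDirectory": {"Users": [
    {"sAMAccountName": "james.bond"},
    {"sAMAccountName": "user.two"},
    {"sAMAccountName": "user.three"},
]}}

# Constructed sample: context after a clean, single-result lookup.
CLEAN_CONTEXT = {"ActiveDirectory": {"Users": {"sAMAccountName": "james.bond"}}}


def resolve_path(context, path):
    """Walk a dotted path; every list on the way contributes all of its items."""
    nodes = [context]
    for key in path.split("."):
        next_nodes = []
        for node in nodes:
            items = node if isinstance(node, list) else [node]
            for item in items:
                if isinstance(item, dict) and key in item:
                    next_nodes.append(item[key])
        nodes = next_nodes
    flat = []
    for node in nodes:
        flat.extend(node if isinstance(node, list) else [node])
    return flat


def single_target(context, path, expected):
    """Return the one username to act on, or raise if the input is ambiguous."""
    values = resolve_path(context, path)
    unique = sorted({v.lower() for v in values if isinstance(v, str)})
    if unique != [expected.lower()]:
        raise ValueError(
            f"refusing to continue: {path} resolved to {unique or 'nothing'}, "
            f"expected only {expected!r}"
        )
    return expected


if __name__ == "__main__":
    print(resolve_path(STALE_CONTEXT, PATH))   # what the reset task would receive
    print(single_target(CLEAN_CONTEXT, PATH, "james.bond"))
```

The same check fits in a small automation placed directly before the reset task, so a stale or multi-result context stops the playbook instead of reaching the password command.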
08-25-2023 01:08 AM
Hello @jfernandes1 thanks again for this, I'll keep tweaking it until I get it right! Thanks so much for your help. Cheers,
Geoff