XSOAR - Using a script to run playbook


L1 Bithead

I want to be able to click on an Indicator (i.e. a domain) in the Incidents page, run a script to kick off an approval process, and once approved, continue to block.

I've come to the conclusion that script execution in XSOAR is not synchronous; the script feature doesn't have the capability to wait for the user to confirm via War Room or anything else for that matter before executing the rest of the script. Interaction with the user happens through playbooks. If this is true (please correct me if I'm wrong), then the next logical approach is to use a script to execute a playbook, passing along any arguments. This is not possible.

Is there a way to achieve this?

1 accepted solution

Accepted Solutions

L4 Transporter

Yes, you need a playbook to achieve this. You can create a playbook for this purpose and run it by pressing the Create Incident button from the TIM page. You can tag indicators as blocked and filter them to run the playbook.


3 REPLIES

L4 Transporter

Hi @alan.chan ,

You can implement an approval process by using workarounds as below.

  • A button runs the approval process via script with a mandatory argument (such as a short text comment or drop-down list option). When they press the button, they must provide this before the automation runs.

  • A boolean field that can be put in the layout must be set to true before clicking the button. The wrapper script checks the field value; if it is not set to True, it returns an error. Otherwise, it runs the function and then resets the field back to False.

I hope one of them will help you to implement the logic.
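The boolean-field gate from the reply above, as an added example (not code from the thread or from XSOAR itself). The field name `blockapproved`, the function names and the sample data are assumptions; inside XSOAR the first two arguments would be `demisto.incident()` and `demisto.executeCommand`, and the reset assumes `setIncident` accepts the custom field's machine name as an argument.

```python
# Added example: approval-gated wrapper for an XSOAR automation.
APPROVAL_FIELD = "blockapproved"  # hypothetical custom boolean incident field


class ApprovalError(Exception):
    """Raised when the gate field is not set to True."""


def is_true(value):
    # Custom fields can arrive as a bool or as the strings "true"/"True".
    return value is True or str(value).strip().lower() == "true"


def run_gated(incident, execute_command, action, indicator):
    """Run action(indicator) only when the approval field is True, then reset it.

    incident        -- dict shaped like the result of demisto.incident()
    execute_command -- callable with the signature of demisto.executeCommand
    action          -- hypothetical function that performs the block
    """
    custom = incident.get("CustomFields") or {}
    if not is_true(custom.get(APPROVAL_FIELD)):
        raise ApprovalError(
            f"'{APPROVAL_FIELD}' is not True; refusing to block {indicator}"
        )
    try:
        return action(indicator)
    finally:
        # Reset even when the action fails, so one approval covers one attempt.
        execute_command("setIncident", {APPROVAL_FIELD: "false"})


if __name__ == "__main__":
    # Constructed sample data and stubs so the gate can be exercised offline.
    def stub_execute(command, args):
        print("executeCommand:", command, args)

    def stub_block(domain):
        return f"blocked {domain}"

    approved = {"CustomFields": {APPROVAL_FIELD: True}}
    print(run_gated(approved, stub_execute, stub_block, "bad.example.test"))
    try:
        run_gated({"CustomFields": {}}, stub_execute, stub_block, "bad.example.test")
    except ApprovalError as err:
        print("denied:", err)
```

In a real automation the `ApprovalError` message would be passed to `return_error` so the analyst sees why the button did nothing.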

I want to send the approval process to a separate technology, for instance, Slack. Can you run the script to ask for approval in Slack, wait for a response (can take a few hours), and then continue with script execution after the request is approved? I don't think this is possible without going through playbooks.
