This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

XSOAR - Using a script to run playbook

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

XSOAR - Using a script to run playbook

Go to solution
alan.chan
L1 Bithead

‎03-17-2024 01:05 AM

I want to be able to click on an Indicator (i.e. a domain) in the Incidents page, run a script to kick off an approval process, once approved, continue to block.

 

I've come to the conclusion that script execution in XSOAR is not synchronous; the script feature doesn't have the capability to wait for the user to confirm via War Room or anything else for that matter before execution the rest of the script. Interaction with the user happens through playbooks. If this is true (please correct me if I'm wrong), then the next logical approach is to use a script to execute a playbook, passing along any arguments. This is not possible.

 

Is there a way to achieve this?

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
gyldz
L4 Transporter

‎03-20-2024 01:04 AM

Yes, you need a playbook to achieve this. You can create a playbook for this purpose and run it by pressing Create Incident button from TIM page. You can tag indicators as blocked and filter them to run the playbook.

gyldz_0-1710921878304.png

 

View solution in original post

0 Likes Likes
3 REPLIES 3

Go to solution
gyldz
L4 Transporter

‎03-18-2024 01:30 AM

Hi @alan.chan ,

You can implement an approval process by using workarounds as below.

  • A button runs the approval process via script with a mandatory argument (such as a short text comment or drop-down list option. When they press the button, they must provide this before the automation runs.

A boolean field that can be put in the layout must be set to true before clicking the button. The wrapper script checks the field value, if not set to True, returns error. Otherwise, run the function and then reset the field back to False.

I hope one of them will help you to implement the logic.

0 Likes Likes

Go to solution
alan.chan
L1 Bithead
In response to gyldz

‎03-18-2024 07:34 AM

I want to send approval process to a separate technology, for instance, Slack. Can you run the script to ask for approval in Slack, wait for a response (can take a few hours), and then continue with script execution after request is approved? I don't think this is possible without going through playbooks. 

0 Likes Likes

Go to solution
gyldz
L4 Transporter

‎03-20-2024 01:04 AM

Yes, you need a playbook to achieve this. You can create a playbook for this purpose and run it by pressing Create Incident button from TIM page. You can tag indicators as blocked and filter them to run the playbook.

gyldz_0-1710921878304.png

 

0 Likes Likes
  • 1 accepted solution
  • 1866 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks