how to use custom list trigger in a playbook

Hey Community Members,

Can anyone guide me on how to use the custom list trigger in a playbook? I tried creating a playbook with a custom list as the trigger, but it is not working as I anticipated. Below is the sequence of steps I performed:

1. Created a custom list with below details, using navigation Settings -> Environment -> Custom Lists

| Identifier | Category | Environment |
| --- | --- | --- |
| Brute Force Attack | UseCase | LG |
| Access Failed Login | UseCase | LG |
| Remote login failure | UseCase | LG |

2. Created a playbook using navigation: Response -> Playbook

From the Trigger section I selected "Custom List". In Parameters I selected contains () and in Choose Parameter I tried multiple combinations: at first I provided "UseCase", then tried "Category=Usecase", then Categories=UseCase. But none worked for me.


The requirement here is that the playbook should get triggered if it finds any of the three use cases mentioned in the "Identifier" section of the custom list.

Would really appreciate any help here.

 

3 REPLIES

I believe what you are looking for is: 

Custom list trigger = "name of your custom list" 

Did you create your custom list in an environment that is accessible via the environment where your playbook resides?


Hey @dnehoda 

Thanks for the response. To answer your question: Yes, the custom list is accessible to the playbook as they both are in the same environment.

Unfortunately, this (Custom list trigger = "name of your custom list") is still not working for me, as I'm not sure what to use in the name of the custom list.

The way I created the custom list is: I downloaded the template, filled in the values, renamed the template as "Usecase_name" and imported the template.

After your response, I tried changing the custom list trigger, but the playbook didn't trigger as anticipated. Can you please let me know where exactly I am going wrong?


Thanks a lot for the help 🙂

I will preface this with I have not played around with custom lists that much, but in the little bit of testing, I noticed the description saying "This will trigger the playbook on each alert containing an entity which belongs to a custom list."

I'm not sure if your usecase_name is an entity; in some ways it feels more like a tag, and so I am wondering if there might be a better way to trigger this playbook to run rather than a list.

I kind of envision the list to be something good for if we ingest a user who is a new hire or an IP that is a known bad: we have those things on a list, and then when we see that entity, playbook X runs in response to that entity.

I'm wondering if either a tag name or perhaps a custom trigger where you could even set the playbook to run based on the rule name wouldn't be a better way to kick this off?