Hey Community Members,
Can anyone guide me on how to use the custom list trigger in a playbook? I tried creating a playbook with a custom list as the trigger, but it seems it is not working as I anticipated. Below is the sequence of steps I performed:
1. Created a custom list with below details, using navigation Settings -> Environment -> Custom Lists

| Identifier | Category | Environment |
| --- | --- | --- |
| Brute Force Attack | UseCase | LG |
| Access Failed Login | UseCase | LG |
| Remote login failure | UseCase | LG |

2. Created a playbook using navigation: Response -> Playbook
From the Trigger section I selected "Custom List". In Parameters I selected contains () and in Choose Parameter I tried multiple combinations: at first I provided "UseCase", then tried "Category=Usecase", then Categories=UseCase. But none worked for me.
The requirement here is that the playbook should get triggered if it finds any of the three use cases mentioned in the "Identifier" section of the custom list.
Would really appreciate any help here.
I believe what you are looking for is:
Custom list trigger = "name of your custom list"
Did you create your custom list in an environment that is accessible via the environment where your playbook resides?
Hey @dnehoda
Thanks for the response. To answer your question: Yes, the custom list is accessible to the playbook, as they are both in the same environment.
Unfortunately, this (Custom list trigger = "name of your custom list") is still not working for me, as I'm not sure what to use as the name of the custom list.
The way I created the custom list is - I downloaded the template - filled the values - and renamed the template as "Usecase_name" and imported the template.
After your response, I tried changing the custom list trigger, but the playbook didn't trigger as anticipated. Can you please let me know what exactly I am doing wrong?
Thanks a lot for the help.
I will preface this by saying I have not played around with custom lists that much, but in the little bit of testing I did, I noticed the description saying "This will trigger the playbook on each alert containing an entity which belongs to a custom list."
I'm not sure if your usecase_name is an entity; in some ways it feels more like a tag, and so I am wondering if there might be a better way to trigger this playbook to run rather than a list.
I kind of envision the list to be something good for cases where we ingest a user who is a new hire or an IP that is a known bad: we have those things on a list, and then when we see that entity, playbook X runs in response to that entity.
I'm wondering if either a tag name or perhaps a custom trigger where you could even set the playbook to run based on the rule name wouldn't be a better way to kick this off?