trigger a playbook on if a case has been marked Im...

Ben_Montour · 04-11-2022 07:37 AM

is it possible to trigger a playbook on if a case has been marked Important? I was looking at Tags and such but it seems that marking something as Important does something unique.

Andrew_Cook

Hi @Ben_Montour . I would run the Attach Playbook action after marking the case as important in the playbook. If you're marking the case as important manually, you probably have to attach the playbook manually as well. It may also be possible to build a job that runs every 10 seconds that attaches a playbook to any new important cases, but I'm not positive what that would look like.

Ben_Montour

I guess what I was trying to do was create an default playbook that can sit in the background called “escalate to human”, and when another playbook determines that a case needs a human touch, then it can mark the case as important, and then the Escalate to Human playbook springs into action. Maybe there’s a better way to do what I want to do

Ben_Montour

I guess I could just have it run on cases escalated to Tier 2/3 or something

Andrew_Cook

Hmm. There is a Lock Playbook action that you might be able to use to pause the "Escalate to Human" playbook until the other playbooks are finished. Once it's unlocked, you can have it check if the case was marked as important

Ben_Montour

that’s an idea. I have used the “Wait for all other playbooks to finish” action before

Andrew_Cook

You could also make a block to replace the Mark as Important action. The block would both mark as important and escalate.

Ben_Montour

I guess it still comes down to, how do I check if a case is marked as important? I see an action to mark as important, but not one to read that status

Ben_Montour

I guess it’s a misunderstanding on my part that if a trigger is set to something that it would run if a case/alert/event was ever updated to be that something. For example if a playbook trigger is, Assigned to usergroup @Tier2 then if I updated a case to be assigned to @Tier2 then that playbook would run. But that’s not the case, triggers only run on ingestion into Siemplify

Andrew_Cook

Exactly, only one playbook is assigned to the alert on ingestion. I would probably take whatever action you're expecting in the same playbook that marks the case as important. If you want that to be consistent, I would make a block called "Important and Escalate" that you can use across playbooks.

Andrew_Cook

If you want an action to check if a case is important, here's the code for an action you can call "Is Case Important" Duplicate the "Mark As Important" action in the IDE and replace it with this:
from SiemplifyUtils import output_handler
from SiemplifyAction import *

@output_handler
def main():
siemplify = SiemplifyAction()

isImportantStatus = siemplify.case.is_important
if (isImportantStatus):
output_message = 'The case is important. Result = "true"'
result = "true"
else:
output_message = 'The case is not important. Result = "false"'
result = "false"

siemplify.end(output_message, result)

if __name__ == '__main__':
main()

Ben_Montour

ok thank you! I’ll see if I can do it without a custom action first, always like to keep it as simple as I can for future analysts to understand

Marek_Kreul

I also suggested an "event bus" in Siemplify that would allow to trigger something when something else happens. This would be kind of an "active" trigger, while the current version with jobs is rather "passive", not directly triggered by the event but only finding such events when looking through cases with certain filter.