In the SOAR V42 document center,
title: Converting rules to playbooks
excerpt from description:
"There is no direct correlation in the playbook for any message destination invoked directly from the rule or workflow. Instead, you can create a function to provide the message destination."
So I created a playbook which has a function. The function simply specifies the message destination, which is monitored by an action processor.
---
When I executed the playbook, its trigger was propagated to the action processor, but it failed with the following message:
2021-08-20 02:21:25,592 INFO [actions_component] Event: <action[] (id=60, workflow=playbook_e42302d5_c4cb_4f2e_ab8b_5998f0ec998a, user=jpresadmin@example.com) 2021-08-20 02:21:22.435000> Channel: functions.action
2021-08-20 02:21:25,594 ERROR [action_message] FunctionResult must be a dictionary. 'NoneType' may cause the workflow to fail.
---
When I tried it from a message destination in a rule, it succeeded.
2021-08-20 03:52:37,075 INFO [actions_component] Event: <名前解決[] (id=117, workflow=None, user=jpresadmin@example.com) 2021-08-20 03:52:33.852000> Channel: actions.action
2021-08-20 03:52:37,076 INFO [nslookup] inc_id: 2142, ip_address: 9.68.70.91
So I feel we're unable to invoke action processors in a playbook designed in the playbook designer. I wonder how action processors will be treated in future SOAR environments.
------------------------------
Yohji Amano
------------------------------