IBM Security QRadar SOAR

I'm trying to build a playbook that sends emails to various adresses but i need the list of adresses be editable to the soc admin as well as make the possible list of adresses different based on the customer it belongs to. We have one SOAR for all customers.

I'm thinking of something like: if "customer a": form_input_multiselect = [ "customer_a@mail.com", "customer_a_securityperson@mail.com", "oursoc@mail.com" ]

elif "customer_b": form_input_multiselect = [ "customer_b@mail.com", "customer_b_securityperson@mail.com", "oursoc@mail.com ]

and so on. The soc admin should decide which of those adresses should get the mail. Sometimes it's not neccessary to contact the securityperson for example. But to minimise human error the admin should only be shown adresses of the corresponding customer.

Is it possible to make an input form this variable? I tried using subplaybooks, but it didn't work. Maybe i used them wrong.

Thanks in advance

------------------------------
Benjamin Walden
------------------------------

Hi Benjamin,

This capability is not yet supported. We have discussed this capability internally, but if you'd like to create an idea it would be helpful to gauge other customer interest.

Regards,
Mark

------------------------------
Mark Scherfling
------------------------------

Original Message:
Sent: Fri November 18, 2022 03:25 AM
From: Benjamin Walden
Subject: Is there a way to make Playbook activation form variable?

I'm trying to build a playbook that sends emails to various adresses but i need the list of adresses be editable to the soc admin as well as make the possible list of adresses different based on the customer it belongs to. We have one SOAR for all customers.

I'm thinking of something like: if "customer a": form_input_multiselect = [ "customer_a@mail.com", "customer_a_securityperson@mail.com", "oursoc@mail.com" ]

elif "customer_b": form_input_multiselect = [ "customer_b@mail.com", "customer_b_securityperson@mail.com", "oursoc@mail.com ]

and so on. The soc admin should decide which of those adresses should get the mail. Sometimes it's not neccessary to contact the securityperson for example. But to minimise human error the admin should only be shown adresses of the corresponding customer.

Is it possible to make an input form this variable? I tried using subplaybooks, but it didn't work. Maybe i used them wrong.

Thanks in advance

------------------------------
Benjamin Walden
------------------------------

There are several RFEs already in the Idea market that relate to this type of scenario - some of which are quite old and still relevant/desired.

https://ibmsecurity.ideas.ibm.com/ideas/RESI-I-8
https://ibmsecurity.ideas.ibm.com/ideas/R-I-334
https://ibmsecurity.ideas.ibm.com/ideas/R-I-301

------------------------------
David Vasil
------------------------------

Original Message:
Sent: Mon November 21, 2022 07:36 AM
From: Mark Scherfling
Subject: Is there a way to make Playbook activation form variable?

Hi Benjamin,

This capability is not yet supported. We have discussed this capability internally, but if you'd like to create an idea it would be helpful to gauge other customer interest.

Regards,
Mark

------------------------------
Mark Scherfling

Original Message:
Sent: Fri November 18, 2022 03:25 AM
From: Benjamin Walden
Subject: Is there a way to make Playbook activation form variable?

I'm trying to build a playbook that sends emails to various adresses but i need the list of adresses be editable to the soc admin as well as make the possible list of adresses different based on the customer it belongs to. We have one SOAR for all customers.

I'm thinking of something like: if "customer a": form_input_multiselect = [ "customer_a@mail.com", "customer_a_securityperson@mail.com", "oursoc@mail.com" ]

elif "customer_b": form_input_multiselect = [ "customer_b@mail.com", "customer_b_securityperson@mail.com", "oursoc@mail.com ]

and so on. The soc admin should decide which of those adresses should get the mail. Sometimes it's not neccessary to contact the securityperson for example. But to minimise human error the admin should only be shown adresses of the corresponding customer.

Is it possible to make an input form this variable? I tried using subplaybooks, but it didn't work. Maybe i used them wrong.

Thanks in advance

------------------------------
Benjamin Walden
------------------------------

You can develop a playbook with Activation of Incident/Task field.

------------------------------
Ragavendran Lakshminarasimhan
------------------------------

Original Message:
Sent: Fri November 18, 2022 03:25 AM
From: Benjamin Walden
Subject: Is there a way to make Playbook activation form variable?

I'm trying to build a playbook that sends emails to various adresses but i need the list of adresses be editable to the soc admin as well as make the possible list of adresses different based on the customer it belongs to. We have one SOAR for all customers.

I'm thinking of something like: if "customer a": form_input_multiselect = [ "customer_a@mail.com", "customer_a_securityperson@mail.com", "oursoc@mail.com" ]

elif "customer_b": form_input_multiselect = [ "customer_b@mail.com", "customer_b_securityperson@mail.com", "oursoc@mail.com ]

and so on. The soc admin should decide which of those adresses should get the mail. Sometimes it's not neccessary to contact the securityperson for example. But to minimise human error the admin should only be shown adresses of the corresponding customer.

Is it possible to make an input form this variable? I tried using subplaybooks, but it didn't work. Maybe i used them wrong.

Thanks in advance

------------------------------
Benjamin Walden
------------------------------

Hi Ragavendran,

I don't know if I fully understand the question. Yes, you can use an incident or task field as a condition for a playbook. You can also reference an incident or task field within a playbook script. But you cannot populate an activation form field using the value of an incident or task field. That would be a useful capability.

Regards,
Mark

------------------------------
Mark Scherfling
------------------------------

Original Message:
Sent: Mon November 21, 2022 01:32 AM
From: Ragavendran Lakshminarasimhan
Subject: Is there a way to make Playbook activation form variable?

You can develop a playbook with Activation of Incident/Task field.

------------------------------
Ragavendran Lakshminarasimhan

Original Message:
Sent: Fri November 18, 2022 03:25 AM
From: Benjamin Walden
Subject: Is there a way to make Playbook activation form variable?

I'm trying to build a playbook that sends emails to various adresses but i need the list of adresses be editable to the soc admin as well as make the possible list of adresses different based on the customer it belongs to. We have one SOAR for all customers.

I'm thinking of something like: if "customer a": form_input_multiselect = [ "customer_a@mail.com", "customer_a_securityperson@mail.com", "oursoc@mail.com" ]

elif "customer_b": form_input_multiselect = [ "customer_b@mail.com", "customer_b_securityperson@mail.com", "oursoc@mail.com ]

and so on. The soc admin should decide which of those adresses should get the mail. Sometimes it's not neccessary to contact the securityperson for example. But to minimise human error the admin should only be shown adresses of the corresponding customer.

Is it possible to make an input form this variable? I tried using subplaybooks, but it didn't work. Maybe i used them wrong.

Thanks in advance

------------------------------
Benjamin Walden
------------------------------

Hi Benjamin, 
As @Mark Scherfling mentioned, this capability is not available. 
However, If email list is static for each customer, then you can design a sub-playbook that accepts as customer as input and returns the customer specific email ids as an output ( via sub-playbook endpoint script).  This sub-playbook output can be used in main playbook for any function inputs or scripts, etc.

Thanks​

------------------------------
Ram Badvelu
------------------------------

Original Message:
Sent: Fri November 18, 2022 03:25 AM
From: Benjamin Walden
Subject: Is there a way to make Playbook activation form variable?

I'm trying to build a playbook that sends emails to various adresses but i need the list of adresses be editable to the soc admin as well as make the possible list of adresses different based on the customer it belongs to. We have one SOAR for all customers.

I'm thinking of something like: if "customer a": form_input_multiselect = [ "customer_a@mail.com", "customer_a_securityperson@mail.com", "oursoc@mail.com" ]

elif "customer_b": form_input_multiselect = [ "customer_b@mail.com", "customer_b_securityperson@mail.com", "oursoc@mail.com ]

and so on. The soc admin should decide which of those adresses should get the mail. Sometimes it's not neccessary to contact the securityperson for example. But to minimise human error the admin should only be shown adresses of the corresponding customer.

Is it possible to make an input form this variable? I tried using subplaybooks, but it didn't work. Maybe i used them wrong.

Thanks in advance

------------------------------
Benjamin Walden
------------------------------