One thing you could try is adding something to the description that the next playbook can key off of.
What I mean is have your first playbook update the Artifact Description to say: "IP has been blocked in Firewall". Then have your next playbook look for that update to the artifact description to kick off the next playbook. Otherwise, I would recommend maybe building a sub-playbook to just call from the first playbook after the action you want has been taken. You can verify the action has been taken by evaluating the response of the command that you ran to perform the first task.
IP successfully added to text file -> create ServiceNow ticket sub-playbook; else do something else to let the analyst know that the IP was not successfully blocked.
Hope this helps!
------------------------------
Nick Mumaw, GPEN, GPYC
Cyber Security Specialist - SOAR
IBM - Security
------------------------------
Original Message:
Sent: Fri June 28, 2024 11:14 AM
From: Raymond Tam
Subject: Create a Playbook to add an IP address to the blocklist text file and create a ServiceNow ticket to record the activity
Hi Pierre,
Yes, you got it right with my situation. Creating a new input field lights up some ideas. I will try to merge the two playbooks into one.
I was hoping there is an easy way to make multiple playbooks work together. I guess this is not the case.
Thanks,
------------------------------
Raymond Tam
Original Message:
Sent: Thu June 27, 2024 02:50 PM
From: Pierre Dufresne
Subject: Create a Playbook to add an IP address to the blocklist text file and create a ServiceNow ticket to record the activity
Hi Raymond,
I don't know if this could help you but here is how I understand your problem.
You already have 2 playbooks that work. When one playbook is executed, you want to start the other. There is no operation or function in SOAR which you could use to start another playbook directly from an already running playbook.
What you could do is create a new field, let's call it BlockIP. When your first playbook is executing, have a script change the value of the field you created. Then you could have a condition on the second playbook (which must be an automatic playbook) to start it when the value of the field is changed.
This may not be the solution you are looking for, but I hope it can give you some ideas.
------------------------------
Pierre Dufresne
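Both suggestions in this thread, Pierre's custom field that a script changes so a second automatic playbook can be conditioned on it, and Nick's marker written to the artifact description only after the first function's response has been checked, can be sketched in plain Python. This is an added example, not code from the thread or from IBM SOAR: the `artifact` and `incident` objects that SOAR injects into a script are modelled here as small dataclasses, the custom field name `block_ip` and the function names are assumptions, and the blocklist file content is constructed.

```python
"""Chaining 'block IP' and 'create ServiceNow ticket' playbook steps.

Added example, not code from the thread or from IBM SOAR. Plain Python stands
in for the SOAR script environment: the `artifact` and `incident` objects that
SOAR injects are modelled as dataclasses (assumption), the custom incident
field `block_ip` is an assumed field name, and the blocklist is a constructed
temporary file.
"""
import ipaddress
import tempfile
from dataclasses import dataclass, field

# Marker text Nick proposed writing into the artifact description.
BLOCKED_MARKER = "IP has been blocked in Firewall"

# Addresses a firewall blocklist must never receive (RFC1918, loopback, ULA).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7",
)]


@dataclass
class Artifact:          # stand-in for SOAR's `artifact` object
    value: str
    description: str = ""


@dataclass
class Incident:          # stand-in for SOAR's `incident` object
    properties: dict = field(default_factory=dict)  # custom fields live here


def add_to_blocklist(ip_text: str, blocklist_path: str) -> dict:
    """First playbook step: validate the IP and append it to the blocklist file.

    Returns a dict shaped like a SOAR function result (success / content /
    reason) so the playbook script can branch on it, as Nick describes.
    """
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return {"success": False, "reason": f"not an IP address: {ip_text!r}"}
    if ip.is_loopback or ip.is_link_local or ip.is_multicast \
            or any(ip in net for net in NEVER_BLOCK):
        return {"success": False, "reason": f"refusing to block non-routable {ip}"}
    existing = set()
    try:
        with open(blocklist_path) as fh:
            existing = {ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")}
    except FileNotFoundError:
        pass
    if str(ip) not in existing:            # idempotent: no duplicate lines
        with open(blocklist_path, "a") as fh:
            fh.write(f"{ip}\n")
    return {"success": True,
            "content": {"ip": str(ip), "already_present": str(ip) in existing}}


def verify_blocked(ip: str, blocklist_path: str) -> bool:
    """Re-read the file instead of trusting the write's return value."""
    with open(blocklist_path) as fh:
        return any(ln.strip() == ip for ln in fh)


def next_step(result: dict, artifact: Artifact, incident: Incident,
              blocklist_path: str) -> str:
    """Branch on the verified result and leave the markers a second,
    automatic playbook can key off: the artifact description (Nick) or the
    custom field `block_ip` (Pierre; field name assumed)."""
    if result.get("success") and verify_blocked(result["content"]["ip"], blocklist_path):
        artifact.description = BLOCKED_MARKER
        incident.properties["block_ip"] = True
        return "create_servicenow_ticket"   # sub-playbook / conditioned playbook
    incident.properties["block_ip"] = False
    return "notify_analyst"                  # tell the analyst the block failed


def run_blocklist_playbook(artifact: Artifact, incident: Incident,
                           blocklist_path: str) -> str:
    result = add_to_blocklist(artifact.value, blocklist_path)
    return next_step(result, artifact, incident, blocklist_path)


def demo() -> dict:
    """Run four constructed artifacts through the logic; returns
    {artifact value: (branch, artifact description, block_ip field)}."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
        tmp.write("# firewall blocklist (constructed sample)\n203.0.113.5\n")
        path = tmp.name
    incident, outcomes = Incident(), {}
    for value in ("198.51.100.7", "203.0.113.5", "10.0.0.4", "not-an-ip"):
        art = Artifact(value=value)
        branch = run_blocklist_playbook(art, incident, path)
        outcomes[value] = (branch, art.description, incident.properties["block_ip"])
    return outcomes


if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"{value:>14} -> {outcome}")
```

The point of `verify_blocked` is that the second step (ticket creation) only runs after the file has been read back, not merely after the append call returned; the marker on the artifact description and the `block_ip` field are set in the same place, so either of the two triggering mechanisms discussed above sees a consistent state. In a real SOAR script the function result would come from the playbook's results object and the writes would go to the injected `artifact` and `incident` objects, which are not available offline, hence the stand-ins.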
Original Message:
Sent: Tue June 25, 2024 05:41 PM
From: Raymond Tam
Subject: Create a Playbook to add an IP address to the blocklist text file and create a ServiceNow ticket to record the activity
I am looking for suggestions on how to have SOAR add an IP address to a firewall blocklist text file and create a ServiceNow task incident to record the activity.
I already have a working playbook that can add an IP address to the blocklist, which is activated manually by artifacts. I also have a working ServiceNow playbook that can create a ServiceNow ticket from a SOAR task.
Can anyone share some ideas on the best ways to accomplish this? I don't have a good idea where to start.
For example, is it a good idea to create a main playbook for ServiceNow ticket creation and add a sub-playbook to add the IP to the blocklist, then close the ServiceNow ticket?
Thanks!
------------------------------
Raymond Tam
------------------------------