Allow playbooks for cases as well

There are some actions that only need to be done once for a case. For example we use a webhook to alert on new cases, but currently we get an alert for every event because we can't assign a playbook to a case. With this feature we could get an alert only once per case.
We also try to implement processes such as opening a case for the IT department. For a case we only need to open one ticket for them, not one for every alert.
This would make the analysts' life easier, because the system should automate as much clerical work as possible.
Comments
Vouch for that x100. Our playbooks which involve email sending can be nasty for the end users if the case for any reason has more than 2 of the same alerts.
Good idea, there's definitely a place for playbooks and playbook logic at the "case" level.
Our current workaround is to use the "Find first alert" action at the start of a playbook to check whether the alert is the first in the case, and, along with some other logic, only execute certain actions (like sending an email) for that one alert per case.
Has worked well so far, you could use the same approach to only call your webhook once per case, instead of once for every alert.
We've faced the same question again and again, and although with the "find first alert" there's some solution for the issue, it's definitely far from optimal.
We found that in theory, you should not work individual alerts, but the main "story" takes place in the case, influenced by the alerts.
Take for example a malware infection:
There may be an alert from the antivirus, saying that some malicious file has been detected but could not be removed / quarantined.
This creates a case, and the analyst now wonders "has this had any negative impact?"
Then, the second alert is grouped to the same case, because network monitoring has picked up a suspicious outgoing network connection.
This gives the whole case a spin in a certain direction, which would be completely different from what it would be if the suspicious network connection had been the first alert in the case.
In our current view, there should be "case-focussed playbooks" creating the underlying base flow (i.e. moving a case from the investigation to the remediation stage), and each alert could have its own, alert-focussed playbook to do the enrichment and other alert-focussed activity.
Whenever an alert analysis comes to a certain conclusion, or the combined analysis of multiple alerts leads to something, an additional playbook is added to the case. In the above example, the analyst's conclusion is "there was a successful malware infection", identified by the two alerts, and they would add the "restage a machine" playbook to the CASE.
However, this seems to need quite a rework of how Siemplify handles cases, alerts and playbooks, and is more than just "case-level playbooks should be possible".
This would be a HUGE improvement. We currently have a manual instruction for analysts to ensure that all unique alerts are triaged and to move completely unrelated alerts to their own case. As an example of how this would be helpful:
- We have 4 alerts for quarantined files grouped into the same case, and all 4 are false positives.
- We would like to add all 4 SHA256 hashes to a Safelist Custom List. Currently, that would require working through the playbooks for all 4 alerts, but if we could have a "case" playbook, we could add the SHA256 from all 4 alerts by marking the files as false positives in a case playbook.
This would be a really useful capability. Also the ability to have the playbook look over all Alert data and the Events in each Alert would be great. Currently you have to pull the case data to get all the Events from every Alert, which isn't ideal.
Yeah, I have a couple of actions that I've written to be used in playbooks that check if they're running on the first alert and exit otherwise.
It would be really nice to be able to configure a playbook to be case-centric or alert-centric, or even be able to select whether an action in the playbook runs on the whole case or on each alert.
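The two workarounds described in this thread (gating a once-per-case action on "is this the first alert in the case?", and aggregating the SHA256 values of every alert in a case into one safelist update) are shown below as an added, self-contained example. This is not Siemplify's SDK or its "Find first alert" action: the Alert and Case dataclasses, the is_first_alert check, the simulate_playbook_runs driver and the sample case are all constructed for the example.

```python
"""Added example (not Siemplify's own code): gating case-level actions inside
per-alert playbooks, and aggregating indicators across all alerts in a case.

Assumptions made for the example: a case is a list of alerts, each alert has an
identifier, a creation timestamp in epoch milliseconds and zero or more file
hashes. The platform is modelled as running the same playbook once per alert.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Alert:
    identifier: str
    created_ms: int                          # creation time, epoch milliseconds
    file_hashes: List[str] = field(default_factory=list)


@dataclass
class Case:
    identifier: int
    alerts: List[Alert]


def first_alert(case: Case) -> Alert:
    """Return the earliest alert in the case.

    Ties on timestamp are broken by identifier so every playbook run agrees on
    which alert is "first", even when two alerts were ingested in the same ms.
    """
    return min(case.alerts, key=lambda a: (a.created_ms, a.identifier))


def is_first_alert(case: Case, current: Alert) -> bool:
    """The check the thread's workaround relies on: am I the first alert?"""
    return first_alert(case).identifier == current.identifier


def notify_once_per_case(case: Case, current: Alert,
                         send_webhook: Callable[[Dict], None]) -> bool:
    """Call send_webhook at most once per case (only from the first alert).

    Returns True when the webhook was actually sent on this run, so the caller
    can record the outcome instead of relying on printed output.
    """
    if not is_first_alert(case, current):
        return False
    send_webhook({"case_id": case.identifier, "first_alert": current.identifier})
    return True


def collect_case_hashes(case: Case) -> List[str]:
    """Unique, well-formed SHA256 values from every alert in the case.

    Order is first-seen chronological order; values are lower-cased so the
    same hash reported in different case by two tools is only listed once, and
    anything that is not 64 hex characters is dropped rather than safelisted.
    """
    seen: Dict[str, None] = {}
    for alert in sorted(case.alerts, key=lambda a: (a.created_ms, a.identifier)):
        for h in alert.file_hashes:
            h = h.strip().lower()
            if len(h) == 64 and all(c in "0123456789abcdef" for c in h):
                seen.setdefault(h, None)
    return list(seen)


def simulate_playbook_runs(case: Case,
                           send_webhook: Callable[[Dict], None]) -> int:
    """Run the gated action once per alert, in whatever order the alerts were
    attached, and return how many times the webhook fired (expected: 1)."""
    return sum(notify_once_per_case(case, a, send_webhook) for a in case.alerts)


# Constructed sample case: four quarantine alerts grouped together. ALERT-1 and
# ALERT-2 share a timestamp, ALERT-3 repeats ALERT-1's hash in upper case, and
# ALERT-4 carries a malformed value next to a real hash.
SAMPLE_CASE = Case(identifier=1042, alerts=[
    Alert("ALERT-2", 1700000000000, ["b" * 64]),
    Alert("ALERT-1", 1700000000000, ["a" * 64]),
    Alert("ALERT-3", 1700000005000, ["A" * 64]),
    Alert("ALERT-4", 1700000009000, ["c" * 64, "not-a-hash"]),
])


def run_sample() -> Dict:
    """Drive the sample case and return everything a test can check."""
    sent: List[Dict] = []
    fired = simulate_playbook_runs(SAMPLE_CASE, sent.append)
    return {"webhooks_sent": fired, "payloads": sent,
            "hashes": collect_case_hashes(SAMPLE_CASE)}


if __name__ == "__main__":
    print(run_sample())
```

The gate keeps the webhook (or IT ticket) to one per case no matter how many alerts the case accumulates, which is the behaviour the original post asks for. The aggregation only sees alerts that are already attached to the case when the playbook runs, so an alert grouped in later is missed; that is the limitation the thread calls "far from optimal" and the reason a true case-level playbook is still wanted.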