The incidents for the Logpoint source in the SOAR are fetched using the incident API, which is used to trigger the playbook. By default, the user admin (or the first user with admin privileges) and its secret_key are used to fetch those incidents. Only the incidents that are assigned to that admin user or manageable by that admin user are fetched by the incident API by default, and playbooks are triggered based on that fetched metadata. If you want to change the user, you can enforce it by toggling the "enforce credentials" toggle button after entering the user and the relevant secret key. The setting is present in SOAR settings >> Sources >> Edit. You can follow this guide provided by Logpoint for a better understanding.
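The answer above names two conditions that must both hold before a playbook fires: the incident has to be visible to the account whose secret_key the SOAR polls the incident API with, and its metadata has to satisfy the trigger query. The following simulation is an added example, not Logpoint's code and not part of this thread; the incident field names, the "manageable by" table, the user names, and the SQL-like reading of the WHERE clause (only =, LIKE and OR) are all assumptions made for illustration.

```python
import re

# Constructed sample incident metadata in the shape a SOAR might read back from
# the incident API. Field names and values are assumptions, not Logpoint's schema.
SAMPLE_INCIDENTS = [
    {"incident_id": "inc-1", "alertrule_id": "a1b2c3", "name": "Detection of a Threat 2", "assigned_to": "admin"},
    {"incident_id": "inc-2", "alertrule_id": "d4e5f6", "name": "Brute force on VPN", "assigned_to": "soc_analyst"},
    {"incident_id": "inc-3", "alertrule_id": "a1b2c3", "name": "Detection of a Threat 2", "assigned_to": "julien"},
]

# Assumed model of "manageable by": which users' incidents each polling account may see.
# An account absent from this table only sees incidents assigned to itself.
MANAGEABLE = {
    "admin": {"admin", "soc_analyst", "julien"},   # default account: sees every incident here
    "soar_svc": {"soar_svc"},                       # dedicated service account with no assignments
}


def fetch_incidents(username, incidents=SAMPLE_INCIDENTS, manageable=MANAGEABLE):
    """Mimic the incident API's scoping: only incidents assigned to the polling
    user, or to a user that account manages, come back."""
    visible = manageable.get(username, {username})
    return [inc for inc in incidents if inc["assigned_to"] in visible]


_HEAD = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+LogPoint\s+WHERE\s+(.*)$", re.IGNORECASE | re.DOTALL)
_TERM = re.compile(r"^\s*(\w+)\s+(=|LIKE)\s+'([^']*)'\s*$", re.IGNORECASE)


def parse_where(query):
    """Turn "SELECT * FROM LogPoint WHERE f = 'v' OR g LIKE '%p%'" into
    [(field, op, value), ...] combined by OR. Deliberately minimal (only =, LIKE
    and OR); this is an assumed SQL-like reading, not Logpoint's trigger grammar."""
    head = _HEAD.match(query)
    if not head:
        raise ValueError("unsupported query shape")
    terms = []
    for part in re.split(r"\s+OR\s+", head.group(1), flags=re.IGNORECASE):
        term = _TERM.match(part)
        if not term:
            raise ValueError(f"unsupported term: {part!r}")
        terms.append((term.group(1), term.group(2).upper(), term.group(3)))
    return terms


def like(value, pattern):
    """SQL LIKE semantics: % matches any run of characters, _ matches one character."""
    regex = "".join(".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def matches(incident, terms):
    """True if any OR-term holds for the incident's metadata."""
    for field, op, value in terms:
        actual = str(incident.get(field, ""))
        if op == "=" and actual == value:
            return True
        if op == "LIKE" and like(actual, value):
            return True
    return False


def triggered(username, query, incidents=SAMPLE_INCIDENTS):
    """Incident ids for which the playbook would fire: the incident must be
    visible to the polling account AND satisfy the trigger query."""
    terms = parse_where(query)
    return [inc["incident_id"] for inc in fetch_incidents(username, incidents) if matches(inc, terms)]


if __name__ == "__main__":
    q = "SELECT * FROM LogPoint WHERE alertrule_id = 'a1b2c3' OR name = 'Detection of a Threat 2'"
    for user in ("admin", "julien", "soar_svc"):
        print(f"polling as {user!r}: playbook fires for {triggered(user, q)}")
```

Run as-is, the trigger query fires for both matching incidents when polled as admin, for only the incident assigned to julien when polled as julien, and for nothing when polled as the unassigned soar_svc account, even though the alert itself fired and sent its e-mail in every case. That is the check to make against a real instance: whatever account the "enforce credentials" toggle points at, confirm in Logpoint that the incident created by the alert is assigned to, or manageable by, that account, and only then look at the query text.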
Hello,
I am trying to set up the launch of a plugin when an alert is triggered.
My alert appears to be working correctly; I receive an email every time it is executed.
According to the documentation, I've set up the trigger on my Logpoint search node like this:
SELECT * FROM LogPoint WHERE alertrule_id = 'xxxxxxxxxxxxxxxxxxx' OR name = 'Detection of a Threat 2'
I have also tried SELECT * FROM LogPoint WHERE alertrule_id LIKE '%xxxxxxxxxxxxxx%'
Unfortunately, when an alert is triggered, the playbook is not executed.
Do you have any idea what might be causing this issue? Am I missing something?
Regards,
Julien