Is there a way to update a case with the output of a Playbook?
For example, if I have a Playbook that checks an IP Reputation, is there any way I can get the Playbook to update the case to display the reputation response as an actual Case Annotation or something of the sort?
Page 1 / 1
@Nils Krumey ? :)
Yes there is - I couldn’t find a good example of it in the predefined Playbooks because they largely notify via email, but I think there might be one or two there too.
What you need is a sequence of a “Format” block and a “Case Item” block.
This is an example of a playbook that takes a trigger from a Mimecast log that contains a hash value among other things, sends that hash to Virustotal for analysis, and then updates a case with information from Mimecast (the log) and VirusTotal (how many engines found the hash/file malicious).
This is how the format block looks - it sets the variables to the values supplied via the trigger (i.e. the original Mimecast log), as well as the result from the Virustotal API action block (in the “engines” field), and substitutes them in the “Text”/Message field.
The output from the format block is then passed as a Case Item:
“Format_Results” is the “Action name” of the Format block, and “message” is the payload of the Format block, including all the variable substitutions.
In the end a case gets raised with information like this:
Obviously those steps should work similarly for anything else you might get returned by an API action block.
Hi Nils,
Sorry for the late reply on this, and thanks for getting back to me - that’s exactly what I was looking for!
Already a Partner or Customer? Login with your LogPoint Support credentials. Don‘t have a LogPoint Support account? Ask your local LogPoint Representative.
Only visiting? Login with LinkedIn to gain read–access.
Already a Partner or Customer? Login with your LogPoint Support credentials. Don‘t have a LogPoint Support account? Ask your local LogPoint Representative.
Only visiting? Login with LinkedIn to gain read–access.