Solved

What's the use case for 'Add Global Parameters' action in SOAR 1.0.4?

  • 14 November 2022
  • 4 replies
  • 40 views

Userlevel 2

Hi folks,

I was wondering if anybody could tell me what the use case is for the new ‘Add Global Parameters’ action added in SOAR 1.0.4? As far as I can see, any output parameter from an action is already accessible from any other? 

From my quick tests it doesn’t look like they pass down to Sub-playbooks either, so are they just meant as a quicker way to access the values within a playbook?

I couldn’t find any documentation on this, so I was hoping someone else might know the answer.

icon

Best answer by Sagar Bhandari 15 November 2022, 10:17

View original

4 replies

Hi Ash,

The global parameters are meant to pass the static value within the playbook. You can add  general variables to pass through the playbook via trigger block. But those general variables can change its values if you are triggering the playbook thorough incident( only if the name of the variable is present as the metadata of the incident log). So the best practice would be using the global variables if they are supposed to be static or if you know the default value of the variable beforehand.

Best Regards,

Sagar

Userlevel 2

Hi Sagar,

 

Thanks for that - just to clarify then, when you say that the variables can change - is that the metadata specified on the alert itself (the ‘Event Metadata’ field in the alert rules), or is that just the built-in incident metadata (like ID, Incident ID, start time etc) you’re referring to?

Cheers,

Ash

Hello Ash, 

It is not the Event Metadata of the alert rules. If you have setup the automation of the triggers then the playbook’s trigger block will use the query of same alert rule that generated the incident and it will fetch the metadata if used any(like source_address, indcident_name, device_ip etc)

Regards,

Sagar

Userlevel 2

Hi Sagar,

 

That’s what I suspected was the case - thanks for clearing that up!

Cheers,

Ash

Reply