Running Playbooks in Threat Graph
  • 18 Sep 2024

Overview

The Threat Graph feature in ThreatConnect® provides a graph-based interface that you can use to discover, visualize, and contextualize associations and relationships between Indicators, Groups, Cases, and Tags. The Run Playbook… option in Threat Graph, available only for Indicators that exist in ThreatConnect, lets you run UserAction Trigger–based Playbooks for Indicators, so you can perform automated analysis of Indicators without leaving Threat Graph. You can access the Run Playbook… option in two places in Threat Graph: an Indicator node’s menu and the Graph Objects drawer.

Before You Start

User Roles

  • To run Playbooks in Threat Graph, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.

Prerequisites

  • To run Playbooks in Threat Graph, Playbooks must be turned on for your ThreatConnect instance. You must be a System Administrator to perform this action.

Running a Playbook From the Node Menu

Follow these steps to run a UserAction Trigger–based Playbook for an Indicator in Threat Graph from an Indicator node’s menu:

  1. Open Threat Graph.
  2. Select a node on the graph that corresponds to an Indicator that exists in one of your ThreatConnect owners. If no such node is on the graph, pivot in ThreatConnect to add one.
  3. Select Run Playbook… in the node’s menu.
    Important
    The Run Playbook… option will not be available for nodes corresponding to Indicators that do not exist in one of your owners.
  4. On the Select Playbook window (Figure 1), select a Playbook by clicking in the Description column for its entry, and then click Run Playbook to run the Playbook. The Select Playbook window shows all active Playbooks with a UserAction Trigger configured for the Indicator’s type.

    Figure 1: Select Playbook window

Note
To open a Playbook in the Playbook Designer, click the UserAction Trigger’s name in the Trigger Name column on the Select Playbook window.
Important
To view the results of the Playbook execution, open the Playbook in the Playbook Designer, and then open the Executions pane.

Running a Playbook From the Graph Objects Drawer

The Graph Objects drawer (Figure 2) provides two ways to run a UserAction Trigger–based Playbook for Indicators in Threat Graph:

Figure 2: Graph Objects drawer

Selection Actions Menu

Follow these steps to use the Selection Actions menu in the Graph Objects drawer to run a UserAction Trigger–based Playbook for one or more Indicators in Threat Graph:

  1. Open Threat Graph.
  2. Ensure there is at least one node on the graph that corresponds to an Indicator that exists in one of your ThreatConnect owners. If no such node is on the graph, pivot in ThreatConnect to add one.
  3. Click View Table in the Threat Graph header to open the Graph Objects drawer.
  4. Select objects in the table on the Graph Objects drawer using the following methods:
    • Select individual objects: Select the checkbox to the left of an object’s value in the Type column to select the object.
    • Select multiple objects at once: Select the checkbox to the left of the Type column header to select all objects on the current table page.
      Hint
      Selections on one page persist when you navigate to another page, allowing you to select items across multiple pages.
  5. Click Selection Actions at the top left of the Graph Objects drawer and select Run Playbook….
  6. On the Select Playbook window (Figure 1), select a Playbook by clicking in the Description column for its entry, and then click Run Playbook to run the Playbook. If you select Indicators of multiple types on the Graph Objects drawer, the Select Playbook window will show all active Playbooks containing a UserAction Trigger configured for all selected Indicator types. For example, if you select a Host Indicator and an Address Indicator in the Graph Objects drawer, the Select Playbook window will show all active Playbooks containing a UserAction Trigger configured for both Indicator types; it will not show Playbooks containing a UserAction Trigger configured for only one of the Indicator types.
Note
If you select an Indicator that does not exist in ThreatConnect in the table on the Graph Objects drawer, the Select Playbook window will show no Playbooks. However, you can run Playbooks for these Indicators by first importing them into ThreatConnect with Threat Graph’s import feature.
Note
When you select one or more objects in the table on the Graph Objects drawer, the Selected button at the top left of the table will show the current number of selected objects. To view only the objects currently selected in the table, click Selected.

Options Menu

Follow these steps to use an Indicator’s ⋯ menu in the Graph Objects drawer to run a UserAction Trigger–based Playbook for the Indicator in Threat Graph:

  1. Open Threat Graph.
  2. Ensure there is at least one node on the graph that corresponds to an Indicator that exists in one of your ThreatConnect owners. If no such node is on the graph, pivot in ThreatConnect to add one.
  3. Click View Table in the Threat Graph header to open the Graph Objects drawer.
  4. On the Graph Objects drawer, click the ⋯ menu for an Indicator that exists in one of your ThreatConnect owners and select Run Playbook….
  5. On the Select Playbook window (Figure 1), select a Playbook by clicking in the Description column for its entry, and then click Run Playbook to run the Playbook. The Select Playbook window shows all active Playbooks with a UserAction Trigger configured for the Indicator’s type.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20117-11 v.02.A
