Running Playbooks in Threat Graph
  • 12 Apr 2023
  • 1 Minute to read
  • Dark
    Light

Running Playbooks in Threat Graph

  • Dark
    Light

Article summary

When using Threat Graph, you can run Playbooks containing a UserAction Trigger configured for a given Indicator’s type if the Indicator exists in ThreatConnect. This allows you to perform automated analysis of Indicators without needing to leave Threat Graph.

Running a Playbook From a Node’s Contextual Menu

  1. On an object's graph, click on a node representing an Indicator that exists in ThreatConnect.
  2. Select Run Playbook… from the node’s contextual menu. The Select Playbook window will be displayed, showing all active Playbooks containing a UserAction Trigger configured for the Indicator’s type (Figure 1).

    Figure 1_Running Playbooks in Threat Graph_7.1.0.

     

    • To open a Playbook in the Playbook Designer, click the Playbook’s name in the Name column.
    • To select a Playbook to run, click in the Description column for its entry.
    • After selecting a Playbook, click the Run Playbook button. Once the Playbook execution begins, a message stating “Playbook has been started” will be displayed at the lower-left corner of the graph.
Important
To view the results of the Playbook execution, open the Playbook in the Playbook Designer and open the Executions pane.

Running a Playbook From the Details Table

  1. Click Toggle DetailsToggle Details iconat the upper-right corner of the graph to display the Details table.
  2. Select the checkbox for one or more Indicators that exist in ThreatConnect.
  3. Click the Selected dropdown below the search bar and select Run Playbook…. The Select Playbook window will be displayed, showing all active Playbooks containing a UserAction Trigger configured for all selected Indicator types (Figure 1). For example, if you selected a Host and Address Indicator in the Details table, the Select Playbook window will display all active Playbooks containing a UserAction Trigger configured for bothIndicator types; it will not display Playbooks containing a UserAction Trigger configured for only one of the Indicator types.
    Note
    If you selected the checkbox for an Indicator that does not exist in ThreatConnect, no Playbooks will be displayed in the Select Playbook window. However, you can run Playbooks for these Indicators by first importing them into ThreatConnect using Threat Graph’s import feature.
  4. In the Select Playbook window, select a Playbook to run by clicking in the Description column for its entry and then click the Run Playbook button. Once the Playbook execution begins, a message stating “Playbook has been started” will be displayed at the lower-left corner of the graph.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20117-11 v.01.A


Was this article helpful?