This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Multiple playbooks cannot be opened simultaneously

Posted 3 weeks ago
ORBR
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

Hi.

I have a collection of playbooks that I want to initiate whenever a new case is opened.

One playbook utilizes an "all" trigger, meaning it's linked to all new cases.

Additionally, another playbook is created based on the tag name.

All tags have been configured, and during testing, everything appears to be functioning correctly.

However, upon the arrival of a new case, only the "All" playbook is attached, and not the playbook associated with the tag. Could there be a limitation where only one playbook can be attached?

Solved Solved
1 6 133
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
f3rz
Staff
Reply posted on --/--/---- --:-- AM

@ORBR, could you please clarify if all these playbooks have the same priority?
If the answer is positive, please try to change the priorities of that playbook so that they all differ.

f3rz_0-1713248161598.png

Priority - This determines the attachment order of playbooks for the alert. Only one playbook can be attached automatically and it works according to priority order.

https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/whats-on-the-playbooks-s...

View solution in original post

Jump to Solution
6 REPLIES 6

Posted on --/--/---- --:-- AM
f3rz
Staff
Reply posted on --/--/---- --:-- AM

@ORBR, could you please clarify if all these playbooks have the same priority?
If the answer is positive, please try to change the priorities of that playbook so that they all differ.

f3rz_0-1713248161598.png

Priority - This determines the attachment order of playbooks for the alert. Only one playbook can be attached automatically and it works according to priority order.

https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/whats-on-the-playbooks-s...

Jump to Solution

Posted on --/--/---- --:-- AM
malzahnOptiv
Bronze 4
Bronze 4
In response to f3rz
Reply posted on --/--/---- --:-- AM

@f3rz do you know where I can find the release notes where this functionality of the playbook priority (and only one attaching automatically) went into GA?

I'm certain I worked with Chronicle/Siemplify environments in the past which were architected based on sometimes 2 or 3 playbooks triggering simultaneously, with the priority value making little or no difference. Thanks for any further insight you can provide.

Jump to Solution

Posted on --/--/---- --:-- AM
f3rz
Staff
Reply posted on --/--/---- --:-- AM

@malzahnOptiv I might be wrong, but as far as I know it is a legacy part of the Product, meaning it was always there. 

Jump to Solution

Posted on --/--/---- --:-- AM
Dmitry_Sarakeev
Staff
In response to f3rz
Reply posted on --/--/---- --:-- AM

+1, i the playbook priority feature was for years in SOAR!

Jump to Solution

Posted on --/--/---- --:-- AM
malzahnOptiv
Bronze 4
Bronze 4
In response to Dmitry_Sarakeev
Reply posted on --/--/---- --:-- AM

Thanks for the reply. Therefore, are we saying that for years only one playbook could be attached automatically? (with the priority controlling which)

Jump to Solution

Posted on --/--/---- --:-- AM
f3rz
Staff
In response to malzahnOptiv
Reply posted on --/--/---- --:-- AM

Not exactly, your playbooks can have 3 levels of priority, each level can be attached once. This means you can have 3 automatically attached playbooks in total per single alert (not per the whole case, where you could have more alerts grouped) 

But you also could have a playbook with the action Attach Playbook inside that will increase this amount, and it will ignore priority value. 

Jump to Solution
Top Solution Authors
View all