Playbook not executed when alert is triggered

Julien Garnier

August 08, 2024 12:24

Hello,

I am trying to set up the launch of a plugin when an alert is triggered.

My alert appears to be working correctly; I receive an email every time it is executed.

According to the documentation, I've set up the trigger on my Logpoint search node like this:

SELECT * FROM LogPoint WHERE alertrule_id = 'xxxxxxxxxxxxxxxxxxx' OR name = 'Detection of a Threat 2'

I have also tried SELECT * FROM LogPoint WHERE alertrule_id LIKE '%xxxxxxxxxxxxxx%'

Unfortunately, when an alert is triggered, the playbook is not executed.

Do you have any idea what might be causing this issue? Am I missing something?

Regards,
Julien

1 comment

Date Votes

Sagar Bhandari August 13, 2024 09:07

The incidents for the Logpoint source in the SOAR is fetched using incident API, which is used to trigger the playbook. By default, the user admin(or first user having admin privileges) and its secret_key is used to fetch those incidents. Only the incidents that are assigned to that admin user or manageable by that admin user are fetched by the incident API by default and based on those fetched metadata playbooks are triggered. If you want to change the user, you can enforce it by toggling the enforce credentials toggle button after entering the user and relevant secret key. The setting is present in the soar settings>>sources>>edit. You can follow this guide provided by logpoint for the better understanding.

Please sign in to leave a comment.