Define Customized Alert Views from Playbook Designer
The security engineer can create bespoke Alert views on each Playbook for specific SOC roles. This ensures that each SOC role user will see information specific to their needs in the Alerts Overview tab in the Cases screen.
The advantage of creating customized alert views is that you can decide in advance what type of information you want to display to different roles. For example, suppose you have a collaborator user and have created a SOC role for them called Premium Customer Role. You can then build a view for them that contains only the information suitable for their Role, without compromising your organization's security.
The views are created in the Playbook designer and are composed of various widgets which you can drag, drop and edit to create the required view based on the Playbook results. For a detailed description of all the widgets, refer to Default Alert View.
If you do not define a view for a specific SOC role, users with this Role will see the Default Alert view instead.
Note that a widget will not display for the user if there are no results!
The Playbook view that is displayed will always belong to the very first Playbook that is attached no matter how many other Playbooks are added afterwards or rerun.
Therefore, when creating a Playbook with a view that you want to be shown, we recommend assigning Priority level 1 to the Playbook so that it is always the first Playbook attached and its view is therefore the fixed view displayed in the Alert Overview tab.
Note that if you made changes to the view in the Playbook View tab, you need to rerun the Playbook in order to update the View.
Example of Customized Alert View
Let's start by looking at an Alert Overview tab.
Now, let's go through the steps that we took to build that customized view. In the procedure below, we are going to build a customized alert view on a Phishing email for a Tier One role.
To add a customized alert view:
- In the Playbooks screen, navigate to the Phishing Email Playbook and click Add View in the top right corner.
- Enter an appropriate Template name, choose the required Role (in this case, Tier One), and then click Add.
- You create your customized view by selecting from the following widgets. Simply drag and drop them into the view and then configure them according to your requirements.
- Based on the Phishing Email playbook, we know there will be at least one pending action for the SOC Role, so let's start by adding a Pending Action widget.
- Next, we will add in two Free Text widgets. One is displayed if there is an approval action. This contains the Placeholder:
[Case Outcome - Block approved .ScriptResult]
The other widget will be displayed if the outcome is not approved.
[Case Outcome - Block not approved .ScriptResult]
- Next, we will add another Free Text widget and call it Attack Details - Mitre. This contains the Placeholder:
[Mitre Attack Details.ScriptResult]
- Next, we will add the Entities Highlights widget.
- Next, we will add a JSON widget, and add the Placeholder [Exchange_Search Mails_1.JsonResult]
- Finally, we will add the HTML widget.
- Once the appropriate alert has been ingested into the system and the Playbook has run, the Tier One role user can enter the Platform and see the Alert Overview with the Playbook results.