Assign Approval Links in Actions
Approval Links let you send manual actions that are waiting for user input (i.e. pending actions) to users outside of the platform. For example, if you are working with an end user who does not have access to Chronicle SOAR, you can email them the Approval Link and, as with the Pending Action in the widget or on the Homepage, they can approve or decline the action from wherever they are.
Let's take a look at the following use case. You are an MSSP building a playbook based on a suspected phishing alert, and you want to quarantine an infected computer on your end customer's site, but you want the IT manager in the end customer's company to approve this action first. Let's now see how to send this approve/decline request to the IT Manager in an email.
To assign an approval link in an action:
- In the playbook you are building, select the Carbon Black Quarantine Device action. This action is the one we want the end user to approve.
- Change the Action type to Manual. The Approval Link toggle displays.
- Enable the Approval Link option. This automatically creates placeholders (with links to approve or decline the Quarantine Device) which can then be used in any action preceding this one in the Playbook.
Note that you can assign the manual action to a specific user/SOC role or leave it blank.
- Optionally, you can use the Time to Respond option in conjunction with the Approval Link. This sets a time by which the end user (or indeed anybody in the platform) must respond to the email by clicking one of the links.
- Drag and drop a Send Email action to directly before the Carbon Black Quarantine Device action in the Playbook.
- In the Send Email action fill out the recipient email address.
- Whilst in the Email Body, click on the Placeholders options and click individually on the approve and decline links to place them in the message.
- Make sure you have written an email first before you pop in the placeholders.
Pro Tip: Wrap the sentence in HTML links so that the approval link appears as a hypertext link. For example, <a href="<placeholder>">To approve this action, click here</a>
- Make sure to save your Playbook. Once an alert that matches the Playbook trigger enters the system, the Playbook will start running, and when it reaches the Email step, an email with instructions to click on approve or decline will be sent to the defined recipient.
Note that you can also take the Approval Links and use them wherever and however you want, for example in an HTML Widget when building a Playbook view, or in a Playbook action such as Send to Slack or Send SMS with Twilio.