Create Commands for Cases
Overview
As an analyst, you may want to run commands as part of your case investigation. External tools are typically available to run commands, but it can be helpful to associate command results directly with a case that you’re working on.
Devo SOAR allows you to create commands and run them directly from cases. For example, if an attack has occurred from a particular IP address, you can add a command that does an IP lookup and includes the results of the lookup in the Devo SOAR case. The command and results remain in Devo SOAR, and you don’t have to access an external system or copy and paste results into the case management record.
After creating commands, you can share them with others in your organization. You can also download the JSON file that defines a command to make it available for upload by another user.
About Case Commands
A case command is a special type of playbook that executes based on arguments rather than a time range. For example, a case command can perform a country lookup based on an IP address or domain name argument.
You can create a new playbook as a command or convert an existing playbook to a command. A command playbook is generally built around an integration but can be constructed completely from scratch.
How to Create a Command
Go to My Library > Commands from the left navigation and click New. A setup page opens that walks you through creating a command in three steps.
Step 1 - Setup
Enter a name and description to identify the command. The name must not contain spaces.
Add a URL to an online help page for the command, then click Continue.
Step 2 - Build a Playbook
The playbook designer opens with an initial Parameter step added. You can now design the playbook. Begin by assigning the parameters or arguments for the command.
Click on the Parameter step and click Add Parameter to configure the parameter.
Column Name: Add the name of a parameter you want to use as a command argument. The parameter is also listed as a column in the playbook results.
Description: Add a description if you like and indicate if the parameter is required.
Required Input: You can specify a default value if the parameter isn’t required.
To add additional parameters, click Add Parameter.
When you have added all the parameters you want to use, click Continue.
Provide a value for the parameter (in this example, an IP address) in Data and click Save.
The value allows you to populate the results table in the playbook designer to see how the results change as you build your command playbook.
You’re now ready to add logic to your command playbook.
Click + on the parameter step in the playbook designer and select the type of child step to add.
Notice that the results table is automatically populated with the columns you set up as parameters and the data you defined.
With command playbooks, you can choose any step in the playbook to be the output. If the playbook has several steps, consider renaming the step you want to use as the output so you can identify it easily.
Step 3 - Create a Command
To finalize the command, click Create Command. Select the step to use as the output, and click Continue.
A preview of the result table is shown. The results reflect how the values have been modified by the logic in the playbook.
When you are satisfied with the logic in the playbook, click Save to save the command and return to the Commands page.
The command you created is now available to be selected on the Cases page.
Manage Commands
To manage your commands, go to the My Library > Commands page. See Manage Content in your Library. To know more about sharing commands with other users and groups, see Share Content from your Library.
How to Define Markdown in Commands
To render command output as markdown, one of the columns must be defined as md_description.
Example: Define the required parameter(s) and use the following query to render line breaks between the parameters. Use \n for a line break in the command output.
select printf('%s\n\n%s\n\n%s', param1, param2 , param3) as md_description from Parameter_Node
where param1, param2, and param3 are defined as parameters with the following values:
Param1 value = Markdown is a way to style text on the web
Param2 value = Markdown is easy to use.
Param3 value = I really like using Markdown
Similarly, you can use any markdown syntax to render the output as needed in the playbook node.
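As an added example (not from the Devo SOAR documentation), the same three parameters rendered as a markdown table instead of separate paragraphs. It assumes the Parameter_Node step and param1 to param3 from the example above, and that the playbook's SQL dialect provides printf and replace as used here. Because a literal | inside a value would split a markdown table cell, each value is escaped first.

```sql
-- Added example: render param1..param3 as a two-column markdown table.
-- The header row, the separator row, and each data row are joined with \n,
-- which the command output treats as a line break.
-- Any '|' inside a parameter value is escaped as '\|' so the table layout holds.
select printf(
    '| Parameter | Value |\n|---|---|\n| param1 | %s |\n| param2 | %s |\n| param3 | %s |',
    replace(param1, '|', '\|'),
    replace(param2, '|', '\|'),
    replace(param3, '|', '\|')
) as md_description
from Parameter_Node
```

With the three example values, the command output renders as a table with one row per parameter; a value such as "a | b" appears in its cell as "a | b" rather than splitting into two cells.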