Define Requests for Users (Admin)
You can define requests for end users to select in the Homepage screen. The requests can be handled either manually by an analyst or by using a Playbook thereby automating the request process and turning the platform into an internal ticketing system between different teams such as IT to the SOC, or from an MSSP to an end user. Each request enters the platform as a Case with the label "Request" on it to clearly define it.
Examples of such requests can be anything from Blocking malicious IPs to Optimizing SIEM rules and even Onboarding a new user.
In this article we will demonstrate how to create a specific request template and show the end-to-end flow.
Scenario: I am a SOC Manager and I want to allow my SOC team to open a request to add permissions for internal users to our Salesforce.
Step One: Define Request
Step Two: Build Playbook
Google recommends taking some time to plan out what requests can be automated and how to build the accompanying playbook.
To define a request for Salesforce permissions:
- Navigate to Settings > Environments > Requests.
- Click on the Add Requests + icon at the top right of the screen.
- After adding a logical name and environment, you need to select
a Request Type.
This type is essentially the category that the request falls under. The type that you choose here will determine what entities display in the Event Fields drop down below. In this example we will choose Login.
Event Fields provide a way for the platform to recognize the incoming case
request and perform the appropriate "mapping and modelling" behind the
scenes. In the first field, you need to manually enter the field
Next, choose the type of field, for example email or string.
In the watermark field, add an instruction for the requester which explains what they need to add here.
In the final field you can choose to use an Event Field (which will bring a raw event into the system) or use entities which you can use in Playbooks later on. In the example below, we are using the Username and the SourceUserName entity.
- Click Add.
The next step will be to build a playbook that will automatically run once the new Case Request enters the Platform. The following procedure provides an illustration of building a specific Playbook for this specific Request.
- Create a new playbook with appropriate name and environment.
- Choose Alert Type Trigger. Equals to Salesforce Permission
Approvals (this is the template we created previously in the Settings
- Add Active Directory - Enrich
Entities to get more information on the user.
- Active Directory - Add User to Group.
Make sure to fill out parameters as follows:
Action Type: Manual - this means that the Playbook will stop running and wait for further instructions
Assign To: Administrator - the step can be assigned to either a specific user or a SOC Role and will be displayed as a Pending Action on both the Homepage and in the Case View.
Message to Assignee: Please approve or decline permission for user [Entity.Identifier] to Salesforce group. The message will appear as part of the Pending Action details.
Time to respond - enable this timer and give the assigned user a day by which to respond.
- Add Siemplify Close Case Action. This
closes the Playbook after the admin has approved/declined the request.
The request has now been created with the corresponding Playbook.
Once the user has chosen the request, it will enter the system as a Request Case.
The Playbook is waiting for the Admin's input to continue.
How can I approve the request?
There are three places in the Platform that you can navigate to in order to see the Pending Request.
- Cases screen - Click over to the
Playbooks tab under the correct Alert and click the Execute button in the
side drawer to approve the request.
- Cases screen - Overview. Click the Execute button in the appropriate widget.
- Homepage - Click over to the Pending Actions tab and select the Required Pending Action. Click Execute to approve the request.