Attaching playbooks to an alert
Google Security Operations SOAR allows for a total of 10 playbooks to be attached to an alert. Only 1 playbook can be attached automatically to a single alert. However, an additional 9 playbooks can be attached manually. You can set the priority of the playbook to a value between 1 (highest priority) and 3 (lowest priority) in the Playbook priority drop-down menu. If multiple playbooks are attached to an alert, the playbook with the highest priority is triggered and executed for the alert.
Add a playbook or playbook block to an alert
- Navigate to the Cases page.
- Click the alert, within a case, that the playbook or playbook block needs to be attached to.
- In the Playbooks tab, click Add Playbook on the right side of the screen. Choose the playbook or the playbook block to be added. Set the playbook priority or leave it at 2 (medium priority), which is the default value.
- If the selected playbook block requires input parameters, an Inputs dialog will appear. Either confirm the existing inputs or make the relevant input changes for the selected playbook block. If the playbook block does not require any input parameters, the Inputs dialog won't appear.
- The added playbook block is displayed in the Playbooks tab in the case alert.