Define customized alert views from playbook designer
The security engineer can create bespoke alert views on each playbook for specific SOC roles. This ensures that each SOC role user will see information specific to their needs in the alerts Overview tab in the Cases page.
The advantage of creating customized alert views is that you decide in advance what type of information is displayed to each role. For example, if you have a collaborator user and have created a SOC role for them called Premium Customer Role, you can build a view for that role which contains only the information suitable for it, so that collaborators see what they need without exposing the rest of the alert data and compromising your organization's security.
The views are created in the playbook designer and are composed of various widgets which you can drag, drop, and edit to build the required view from the playbook results. For a detailed description of all the widgets, refer to Default alert view.
If you don't define a view for a specific SOC role, users with this role will see the default alert view instead.
Example of customized alert view
Start by looking at an alert Overview tab.
The following procedure reviews the steps taken to build that customized view: a customized alert view on a Phishing Email alert for the Tier One role.
To add a customized alert view:
- In the Playbooks page, navigate to the Phishing Email playbook and click Add View in the top right corner.
- Enter an appropriate template name, choose the required role (in this case, Tier One), and then click Add.
- Build your customized view by selecting from the available widgets: drag each one into the view and then configure it according to your requirements.
- Based on the Phishing Email playbook, you know there is at least one pending action for the SOC Role, so start by adding a Pending Actions widget.
- Next, add two Free Text widgets. One is displayed if there is an approval action and contains the placeholder [Case Outcome - Block approved .ScriptResult]. The other is displayed if the outcome is not approved and contains the placeholder [Case Outcome - Block not approved .ScriptResult].
- Next, add another Free Text widget and call it Attack Details - Mitre. This contains the placeholder [Mitre Attack Details.ScriptResult].
- Next, add an Entities Highlights widget.
- Next, add a JSON widget and add the placeholder [Exchange_Search Mails_1.JsonResult].
- Finally, add the HTML widget.
- Once the appropriate alert has been ingested into the system and the playbook has run, a user with the Tier One role can log in to the platform and see the alert Overview populated with the playbook results.