Adding user input to manually-run playbook from Sentinel

Hi all,

Relative noob here. I have a Sentinel integration that allows the user to select an incident and then trigger a playbook to block or allow the particular incident. That decision is then sent to a remote database. When the user selects an incident and runs the playbook, they need to be able to make additional decisions about how they want to categorize that incident in the remote db (allow for device, block for all end users, etc.). Right now, the best solution I've come up with is to create a separate playbook for every combination of decisions, which works out to nearly 20 playbooks. It works, but it's clunky from a UI standpoint. I could be looking at it the wrong way. Is there some better way to allow Sentinel users to make multiple decisions on incidents and send that data to a remote db?

Thanks in advance!