Here is the list of Internal Playbook Functions:
- notification
- setIncidentName
- setIncidentType
- setIncidentSeverity
- setIncidentPriority
- setIncidentDescription
- setIncidentStatus
- setIncidentAssignee
- updateAlertSeverityBasedOnReputations
- updateIncidentSeverityBasedOnAlertSeverity
- createAlertFromEvent
- countElements
- identityString
- identityStringArray
1. notification Function
Description
The notification function sends an email notification with the specified subject, body, and list of recipients.
Note ☛ Occasionally, emails may be directed to the junk folder.
Parameters
- subject (string): The subject of the email.
- body (string): The body content of the email.
- recipients (string): A comma-separated list of email recipients.
Returns
- void: This function does not return any value.
Example
# Example of using the notification function
notification("Critical Alert", "Server is down", "admin@example.com,dev@example.com")
2. setIncidentName Function
Description
The setIncidentName function updates the incident name.
Parameters
- incidentName (string): The new incident name to be set.
Returns
- void: This function does not return any value.
Example
# Example of using the setIncidentName function
setIncidentName("Network Outage")
3. setIncidentType Function
Description
The setIncidentType function updates the incident type.
Parameters
- incidentType (string): The incident type to be set. Choose from [UNKNOWN / PHISHING / MALWARE / MITM / INSIDER_THREAT / PRIVILEGE_ESCALATION / WEB_APPLICATION_ATTACK / ANOMALY_DETECTION / APT / ENDPOINT / EMAIL / NETWORK / EPS].
Returns
- void: This function does not return any value.
Example
# Example of using the setIncidentType function
setIncidentType("MALWARE")
4. setIncidentSeverity Function
Description
The setIncidentSeverity function updates the incident severity.
Parameters
- incidentSeverity (string): The incident severity to be set. Choose from [LOW / MEDIUM / HIGH / CRITICAL].
Returns
- void: This function does not return any value.
Example
# Example of using the setIncidentSeverity function
setIncidentSeverity("HIGH")
5. setIncidentPriority Function
Description
The setIncidentPriority function updates the incident priority.
Parameters
- incidentPriority (string): The incident priority to be set. Choose from [LOW / MEDIUM / HIGH / CRITICAL].
Returns
- void: This function does not return any value.
Example
# Example of using the setIncidentPriority function
setIncidentPriority("CRITICAL")
6. setIncidentDescription Function
Description
The setIncidentDescription function updates the incident description.
Parameters
- incidentDescription (string): The new incident description.
Returns
- void: This function does not return any value.
Example
# Example of using the setIncidentDescription function
setIncidentDescription("Unauthorized access attempt on the network.")
7. setIncidentStatus Function
Description
The setIncidentStatus function updates the incident status.
Parameters
- incidentStatus (string): The incident status to be set. Choose from [NEW / INVESTIGATION / REMEDIATION / CLOSED / MERGED].
Returns
- void: This function does not return any value.
Example
# Example of using the setIncidentStatus function
setIncidentStatus("INVESTIGATION")
8. setIncidentAssignee Function
Description
The setIncidentAssignee function updates the incident assignee.
Parameters
- assigneeInfo (string): The incident assignee information in the format [id|firstName|lastName|emailId].
Returns
- void: This function does not return any value.
Example
# Example of using the setIncidentAssignee function
setIncidentAssignee("123|John|Doe|john.doe@example.com")
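The assigneeInfo argument is a single pipe-delimited string, so a first or last name that itself contains "|" (or an empty field) shifts every field after it. The helpers below, an added example rather than code from the playbook platform, build that string from separate values and parse it back, rejecting input that would not survive the delimiter-based format. The field names and the e-mail pattern are this example's own assumptions; the platform's own validation rules are not documented on this page.

```python
import re

# Added example, not the platform's code: build and check the pipe-delimited
# assignee string that setIncidentAssignee expects (id|firstName|lastName|emailId).

ASSIGNEE_FIELDS = ("id", "firstName", "lastName", "emailId")
# Deliberately simple plausibility check (assumption): no whitespace, '@' or '|'
# inside the local part or domain, and at least one dot in the domain.
_EMAIL_RE = re.compile(r"^[^@\s|]+@[^@\s|]+\.[^@\s|]+$")


def build_assignee_info(user_id, first_name, last_name, email):
    """Join the four fields with '|' after checking that none of them would
    corrupt the delimiter-based format."""
    values = (str(user_id), first_name, last_name, email)
    for name, value in zip(ASSIGNEE_FIELDS, values):
        if not value or not value.strip():
            raise ValueError(f"{name} must not be empty")
        if "|" in value:
            # An embedded '|' would shift every following field on parse.
            raise ValueError(f"{name} must not contain '|'")
    if not _EMAIL_RE.match(email):
        raise ValueError("emailId is not a plausible e-mail address")
    return "|".join(values)


def parse_assignee_info(assignee_info):
    """Split an assignee string back into its fields; reject anything that
    does not have exactly four non-empty parts and a plausible e-mail."""
    parts = assignee_info.split("|")
    if len(parts) != len(ASSIGNEE_FIELDS):
        raise ValueError(
            f"expected {len(ASSIGNEE_FIELDS)} '|'-separated fields, got {len(parts)}"
        )
    record = dict(zip(ASSIGNEE_FIELDS, (p.strip() for p in parts)))
    if any(not v for v in record.values()):
        raise ValueError("assignee fields must not be empty")
    if not _EMAIL_RE.match(record["emailId"]):
        raise ValueError("emailId is not a plausible e-mail address")
    return record


def is_valid_assignee_info(assignee_info):
    """True when the string parses cleanly, for use as a playbook pre-check."""
    try:
        parse_assignee_info(assignee_info)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    info = build_assignee_info(123, "John", "Doe", "john.doe@example.com")
    print(info)  # 123|John|Doe|john.doe@example.com
    print(parse_assignee_info(info))
```

Use build_assignee_info when the assignee comes from a directory lookup or user input, and pass its result to setIncidentAssignee; is_valid_assignee_info is the check to run before the call when the string is already assembled elsewhere.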
9. updateAlertSeverityBasedOnReputations Function
Description
The updateAlertSeverityBasedOnReputations function updates alert severity based on alert reputation. For details, see Alert and Incident Severity computation.
Parameters
- void: This function does not take any parameters.
Returns
- void: This function does not return any value.
10. updateIncidentSeverityBasedOnAlertSeverity Function
Description
The updateIncidentSeverityBasedOnAlertSeverity function updates incident severity based on alert severity. For details, see Alert and Incident Severity computation.
Parameters
- void: This function does not take any parameters.
Returns
- void: This function does not return any value.
11. createAlertFromEvent Function
Description
The createAlertFromEvent function creates alerts from events of the last 24 hours that match the given input attributes. If more than 100 events match, alert generation is skipped.
Parameters
- fieldName (string): The field name. Choose from [nwURL / nwLocalIp / nwRemoteIP / fileMD5 / processMD5].
- fieldValue (string): The field value.
- severity (string): Alert severity for new alerts. Choose from [BASE / LOW / MEDIUM / HIGH].
- generate (boolean): If true, generate alerts; if false, only return the count of matching event entries for the given input. Choose from [true / false].
Returns
- status (string): JSON string containing information on alert count, event count, and alert IDs.
Example
# Example of using the createAlertFromEvent function
createAlertFromEvent("nwURL", "http://example.com", "MEDIUM", true)
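Because generation is silently skipped above 100 matching events, the safe playbook pattern is a dry run with generate set to false, a check of the returned count against the cap, and only then a call with generate set to true. The block below is an added example, not the platform's implementation: it models the behaviour this page documents (24-hour window, generate flag, 100-event cap, allowed fieldName and severity values) over constructed sample events so the dry-run-then-generate flow can be seen end to end. The event dicts, their "ts" key, the JSON status keys (eventCount, alertCount, alertIds, skipped), the fixed SAMPLE_NOW timestamp and the one-alert-per-event assumption are all this example's own.

```python
import json
from datetime import datetime, timedelta, timezone

# Added example, not the platform's code: a local model of the documented
# behaviour of createAlertFromEvent. Event records, the "ts" key, the JSON
# status keys and SAMPLE_NOW are assumptions made for this example.

FIELD_NAMES = ("nwURL", "nwLocalIp", "nwRemoteIP", "fileMD5", "processMD5")
SEVERITIES = ("BASE", "LOW", "MEDIUM", "HIGH")
MAX_EVENTS = 100            # documented cap: more than 100 matches skips generation
WINDOW = timedelta(hours=24)  # documented look-back window
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


def matching_events(events, field_name, field_value, now):
    """Events stamped within the last 24 hours whose field equals field_value."""
    cutoff = now - WINDOW
    return [e for e in events if e["ts"] >= cutoff and e.get(field_name) == field_value]


def create_alert_from_event(events, field_name, field_value, severity, generate, now):
    """Model of the documented call; returns a JSON string like the real function."""
    if field_name not in FIELD_NAMES:
        raise ValueError(f"fieldName must be one of {FIELD_NAMES}")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    matched = matching_events(events, field_name, field_value, now)
    status = {"eventCount": len(matched), "alertCount": 0, "alertIds": [], "skipped": False}
    if not generate:
        # Dry run: report only how many events would become alerts.
        return json.dumps(status)
    if len(matched) > MAX_EVENTS:
        # Documented cap: too many matches, nothing is generated.
        status["skipped"] = True
        return json.dumps(status)
    # Assumption for this example: one alert per matching event at the requested severity.
    status["alertIds"] = [f"alert-{severity}-{i}" for i, _ in enumerate(matched, 1)]
    status["alertCount"] = len(status["alertIds"])
    return json.dumps(status)


def parse_status(status_json):
    """Turn the returned JSON status string into a dict a playbook can branch on."""
    return json.loads(status_json)


def generate_if_within_cap(events, field_name, field_value, severity, now):
    """Dry-run first, generate only when the match count is non-zero and within the cap.
    Returns the parsed status of the final call."""
    precheck = parse_status(create_alert_from_event(events, field_name, field_value, severity, False, now))
    if precheck["eventCount"] == 0 or precheck["eventCount"] > MAX_EVENTS:
        precheck["skipped"] = precheck["eventCount"] > MAX_EVENTS
        return precheck
    return parse_status(create_alert_from_event(events, field_name, field_value, severity, True, now))


def sample_events(now, extra_matches=0):
    """Constructed sample data: three recent matches on nwURL, one stale match (30 h old),
    one recent event with a different URL, plus extra_matches additional recent matches."""
    url = "http://example.com"
    events = [
        {"ts": now - timedelta(hours=1), "nwURL": url, "nwRemoteIP": "192.0.2.10"},
        {"ts": now - timedelta(hours=5), "nwURL": url, "nwRemoteIP": "192.0.2.11"},
        {"ts": now - timedelta(hours=23), "nwURL": url, "nwRemoteIP": "192.0.2.12"},
        {"ts": now - timedelta(hours=30), "nwURL": url, "nwRemoteIP": "192.0.2.13"},
        {"ts": now - timedelta(minutes=10), "nwURL": "http://other.example", "nwRemoteIP": "192.0.2.14"},
    ]
    events += [{"ts": now - timedelta(minutes=i), "nwURL": url} for i in range(extra_matches)]
    return events


if __name__ == "__main__":
    print(create_alert_from_event(sample_events(SAMPLE_NOW), "nwURL", "http://example.com", "MEDIUM", False, SAMPLE_NOW))
    print(generate_if_within_cap(sample_events(SAMPLE_NOW), "nwURL", "http://example.com", "MEDIUM", SAMPLE_NOW))
    print(generate_if_within_cap(sample_events(SAMPLE_NOW, 98), "nwURL", "http://example.com", "MEDIUM", SAMPLE_NOW))
```

The third call in the usage block has 101 recent matches, so the dry run reports the count and the generating call is never made; in a real playbook that branch is where a narrower fieldValue or a manual review step belongs rather than a blind retry.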
12. countElements Function
Description
The countElements function counts the elements in the input array.
Parameters
- objectArray (Object[]): The input object array.
Returns
- objectCount (int): The number of elements in the input array.
Example
# Example of using the countElements function
count = countElements([1, 2, 3, 4, 5])
13. identityString Function
Description
The identityString function returns the input string unchanged. This is a placeholder function, typically used as the first block before a Decision or Filter block.
Parameters
- argument (string): The string argument.
Returns
- argument (string): The input string argument.
Example
# Example of using the identityString function
input_data = "example_string"
result = identityString(input_data)
print(result)
14. identityStringArray Function
Description
The identityStringArray function returns the input string array unchanged. This is a placeholder function, typically used as the first block before a Decision or Filter block.
Parameters
- argument (string[]): The string array argument.
Returns
- argument (string[]): The input string array argument.
Example
# Example of using the identityStringArray function
input_data = ["one", "two", "three"]
result = identityStringArray(input_data)
print(result)