LinkedIn
TwitterSometimes, you might be in a situation, where you want to share information between multiple playbooks, even across different alerts.
For example, if you have a an ITSM integration and you want to only create 1 ticket per case. If there are multiple alerts, you want to just update the existing ticket with a comment that new Alert was grouped under the same case.
There are 2 ways to achieve this:
- Using Context Values
- Using Custom Fields
Context Values vs Custom Fields
If you need to share huge JSONs between playbooks and it's not information that you want to collect for metrics in the future, then Context Values are more suitable.
If you need to share simple information like "ticket_id", then custom fields is best practice for this use case.
Eventually, both context values and custom fields are just variables that you are appending to the Case/Alert.
Playbook
Let's create a simple playbook, where we are creating a ServiceNow ticket per case. If the ticket was already created, instead of creating another ticket we are going to add a note to the existing ticket. The playbook needs to be protected from race conditions. To determine, if the ticket was already created, we are going to check if there is a context value/custom field "ticket_id" with valid value (eq INC1010101).
Using Context Values
If you are using a context value, then you will need to work with action "Set Scope Context Value" from Siemplify integration. Considering that ticket needs to be created per Case -> we will work with Case Context Values. We will have a variable called "ticket_id", so our configuration will need to look like this:
Next, we need to build the Flow condition correctly. Considering that we have Case Context Value called ticket_id, then we can use [Case.ticket_id] placeholder to validate, if it has any value. The structure of the ticket name is "INC{number}", so that means we can create the following condition:
This ensures that if we don't have a "ticket_id" value that contains "INC" inside of it -> new ticket will be created, as it means that no ticket was created for the case, yet.
To prevent potential race conditions we will put an Tools powerup action "Lock Playbook" before this condition. Lock playbook makes it so that the current playbook will wait until the playbook from other alert will finish execution. It allows us to transform chaotic execution inside case into a sequential one.
The last step is to define the action, when we are updating the existing ticket with new comment. Again, here we can rely on the placeholder from context value to automate the whole process.
The final playbook will look like this:
I've attached the same playbook to 2 alerts within 1 Case and as you can see, it worked in the expected way (I've first attached it to Alert 2 accidentally, that's why this playbook was used to create the ticket):
Using Custom Fields
Eventually the idea is almost identical, the only difference is that first you will need to create a Case Custom Field under "SOAR Settings -> Case Data -> Custom Fields" page, use action "Set Custom Fields" and the placeholder will look slightly different -> [CaseCustom.ticket_id].
Everything else is the same.
And here is an example execution that shows that it also works as expected:
