The Playbooks UserAction Trigger allows ThreatConnect® users to run Playbooks on demand from the Details screen of Indicators, Groups, Tracks, or Victims. This Trigger is contextually aware and user driven, and it allows a customized response (HTTP or Plain Text).
Creating a New UserAction
- On the top navigation bar (Figure 1), click PLAYBOOKS to display the Playbooks screen (Figure 2).
- Create a new Playbook or open an existing Playbook (see Playbooks) and navigate to the Trigger menu on the left-hand side of the Playbook Designer (Figure 3).
- Select UserAction from the External menu, and a new UserAction Trigger will appear (Figure 4).
- Double click the Trigger, and the Edit Trigger sidebar will appear (Figure 5).
- Enter a name for the Trigger, and then select the Indicators, Groups, Tracks, or Victims to which it will apply. Multiple types may be chosen. Click the NEXT button to configure the Response Body. Click the Render as Tip checkbox (Figure 6) to have the Trigger’s output appear as a pop-up tool tip in the Playbook Actions card on the Details screen for the chosen Indicator(s), Group(s), Track(s), or Victim(s).
NOTE: HTML can be used in the Response Body.
The Get VirusTotal Results Playbook (Figure 7) employs the UserAction Trigger to display results from VirusTotal on the Details screen for Hosts, URLs, and Addresses.
To view the results of the Playbook, set the status of the Playbook to Active and then navigate to the Details screen for a Host, URL, or Address Indicator (Figure 8).
The top right of the Overview screen shows a card called Playbook Actions. Click the Play button to run the Playbook. Because the Render as Tip checkbox was selected, Playbook results appear as a tool tip (Figure 9).