aggregated View page from Two different playbooks

ORBR

Is there any way to set one view based on two different playbooks?

One playbook is general and enrich data from Chronicle SIEM and similar cases, etc.

The other one is more drill down based on the alert (EDR, MAIL, etc).

I want a main view page that will present widgets from these two playbooks.

TonyH

Hello,

Currently I believe you will need to create two different playbook views as creating one view for two different playbooks is not supported. You can always submit a feature request.

ORBR

Hey Tony.

But If I create two different playbook views, is there a way to present them both on the same case?

TonyH

Hello,

Unfortunately I was not able get that working when testing.

Moseis

A potential work around would be to have the second playbook look at the case wall and grab the information there. Since all actions taken in a playbook are written to the case wall, you could use an action to grab data that doesn't persist to the next playbook. Once the data from the previous playbook is in the second playbook, you would simply put that data in the second playbook view.

You could also have the actions in the first playbook set an alert context value for the data you want to put into the view of the second playbook.

In either case you would need to get the desired information into the second playbook and re-create the widgets in the second playbook's view since each role can only see 1 view per playbook.