Create Commands for Cases

As an analyst, you may want to run commands as part of your case investigation. External tools are typically available to run commands, but it can be helpful to associate command results directly with a case that you’re working on.

LogicHub allows you to create commands and run them directly from cases. For example, if an attack has occurred from a particular IP address, you can add a command that does an IP lookup and includes the results of the lookup in the LogicHub case. The command and results remain in LogicHub and you don’t have to access an external system or copy and paste results into the case management record.

After creating commands, you can share them with others in your organization. You can also download the JSON file that defines a command to make it available for upload by another user.

About Case Commands

A case command is a special type of playbook that executes based on arguments rather than a time range. For example, a case command can perform a country lookup based on an IP address or domain name argument.

You can create a new playbook as a command or convert an existing playbook to a command. A command playbook is generally built around an integration but can be constructed completely from scratch.

Create a Command

  1. Open the My Library > Commands page and click New.

  2. Enter a name and description to identify the command.

  3. To include an online help page, add the URL of the page.

  4. Click Continue.

The playbook designer opens in Easy Mode with an initial Parameter step added.

You can now design the playbook. Begin by assigning the parameters, or arguments, for the command.

  1. Click the Parameter step and then click Add Parameter. For column name, add the name of a parameter you want to use as a command argument. The parameter is also listed as a column in the playbook results. Add a description if you like and indicate if the parameter is required. If the parameter isn’t required, you can specify a default value.

  2. To add additional parameters, click Add Parameter.

  3. When you have added all the parameters you want to use, click Continue.

  1. On the Data tab, specify a dummy value for each argument. The value allows you to populate the results table in the playbook designer so that you can see how the results change as you build your command playbook.

  2. Click Save.

  1. You’re now ready to add logic to your command playbook. In the playbook designer, click + on the parameter step and select the type of child step to add.

Notice that the results table is automatically populated with the columns that you set up as parameters and with the dummy data that you defined.

With command playbooks, you can choose any step in the playbook to be the output. If you have several steps in the playbook, consider renaming the playbook you want to use as the output so you can easily identify it.

  1. To finalize the command, click Create Command. Select the step to use as the output, and click Continue.
  1. A preview of the results table is shown. The results reflect how the dummy values have been modified by the logic in the playbook.
  1. When you are satisfied with the logic in the playbook, click Save to save the command and return to the Commands page.

The command you created is now available to be selected on the Cases page.

Manage Commands

To manage your commands, go to the My Library > Commands page. See Manage Content in your Library. To know more about sharing commands with other users and groups, see Share Content from your Library.

How to Define Markdown in Commands

To render command output as markdown, one of the columns must be defined as md_description.

Example: Define the required parameter(s) and use the following query to render the line breaks between the parameters. Use \n for a line break in the command output.

select printf('%s\n\n%s\n\n%s', param1, param2 , param3) as md_description from Parameter_Node

where, param1, param2, and param3 are defined as parameters, and the following are their values:

  • Param1 value = Markdown is a way to style text on the web
  • Param2 value = Markdown is easy to use.
  • Param3 value = I really like using Markdown

Similarly, you can use any markdown syntax to render the output as needed in the playbook node.


Did this page help you?