Assign approval links in actions
Approval links are a way to send manual actions that are waiting for user input (pending actions) to users outside of the platform. For example, if you are working with an end user that does not have access to Google Security Operations, you could email them the approval link and (similarly to the Pending actions widget or the Pending Actions tab in Your Workdesk), they can approve or decline the action from wherever they are.
Consider the following use case: You are an MSSP building a playbook based on a suspected phishing alert. You want to quarantine an infected computer on your end customer's site but you want the IT manager in the end customer's company to approve this action first. To send out this request to approve or decline the action to the IT Manager in an email, you will need to assign an approval link in the action.
Assign an approval link in an action
- In the playbook you are building, select the Carbon Black Quarantine Device action. This action is the one we want the end user to approve.
- Change the Action Type to Manual. The Approval link toggle displays.
- Enable the Approval link toggle. This automatically creates
placeholders (with links to approve or decline the Quarantine Device) which can
then be used in any action preceding this one in the playbook.
You can assign the manual action to a specific user or SOC role, or leave it blank. - Optionally, you can enable the Time to respond toggle in conjunction with the Approval link toggle. This will specify a specific time by which the end user (or indeed anybody in the platform) must respond to the email by clicking one of the links.
- Drag a Send Email action to directly before the Carbon Black Quarantine Device action in the playbook.
- In the Send Email action, fill out the recipient email address.
- While in the email body, click data_array and click individually on the approve and decline links to place them in the message.
- Make sure you have written an email first before you pop in the
placeholders.
Pro Tip: Wrap the sentence in HTML links so that the approval link appears as a hypertext link. - Make sure to save your playbook. Once an alert that matches the playbook
trigger enters the system, the playbook will start running and when it reaches
the Send Email step, an email with instructions to click approve or
decline will be sent to the defined recipient.
You can also take the approval links and use them wherever or however you want to. For example, in an HTML widget when building a playbook view, playbook actions such as Send to Slack, or Send SMS with Twilio.