Step-1: Entry-point
A1: Triggering Entity: Webhook - SDA Alert
An external/third-party entity can issue an HTTPS-request to a Riverbed IQ Ops Webhook to execute a specific associated Runbook.
In this example, a call to the Riverbed IQ Ops Webhook triggers the execution of the Webhook Runbook Example.
The Runbook begins with the Triggering Entity: Webhook node (labeled: SDA Alert) as an entry-point. This node also serves as a path through which the external/third-party entity can pass relevant data and context (i.e. payload) for the runbook automation to process.
Edit the Triggering Entity: Webhook node. Ensure the entry-point passes the appropriate HTTP-request components into the runbook (see the Output/Properties area) so the automation has access to the needed data/context.
For example, the data and context passed by an external/third-party entity through the HTTP-request may reside in the HTTP Request Body and resemble the following table:
| Input to Triggering Entity: Webhook node (i.e. HTTP Request Body) | Output from Triggering Entity: Webhook node (i.e. pass-thru of: HTTP Request Body) |
|---|---|
| `{` | `{` |
| `"alert_id": 1,` | `"alert_id": 1,` |
| `"alert_name": "Low Disk Space",` | `"alert_name": "Low Disk Space",` |
| `"alert_event_name": "Low Disk Space",` | `"alert_event_name": "Low Disk Space",` |
| `"alert_timestamp": "2023-07-25T12:47:51.8-04:00",` | `"alert_timestamp": "2023-07-25T12:47:51.8-04:00",` |
| `"alert_timestamp_epoch": 1690303671,` | `"alert_timestamp_epoch": 1690303671,` |
| `"urgency": "Low",` | `"urgency": "Low",` |
| `"impact": "Low",` | `"impact": "Low",` |
| `"category": "Hardware",` | `"category": "Hardware",` |
| `"identifier": "C:",` | `"identifier": "C:",` |
| `"last_event_details": "Drive: C:\nFree MB: 499MB\nPercent Free Space: 4%",` | `"last_event_details": "Drive: C:\nFree MB: 499MB\nPercent Free Space: 4%",` |
| `"last_event_timestamp": "2023-07-25T12:44:51.8-04:00",` | `"last_event_timestamp": "2023-07-25T12:44:51.8-04:00",` |
| `"last_event_timestamp_epoch": 1690303491,` | `"last_event_timestamp_epoch": 1690303491,` |
| `"device_name": "Patsy_Pfaff_WKS",` | `"device_name": "Patsy_Pfaff_WKS",` |
| `"device_type": "Desktop",` | `"device_type": "Desktop",` |
| `"device_manufacturer": "Dell Inc.",` | `"device_manufacturer": "Dell Inc.",` |
| `"device_model": "XPS 8900",` | `"device_model": "XPS 8900",` |
| `"device_memory": "2GB",` | `"device_memory": "2GB",` |
| `"device_cpu_cores": "1",` | `"device_cpu_cores": "1",` |
| `"device_cpu_frequency": "3GHz to 3.5GHz",` | `"device_cpu_frequency": "3GHz to 3.5GHz",` |
| `"device_last_booted": "2023-07-23T12:49:51.8-04:00",` | `"device_last_booted": "2023-07-23T12:49:51.8-04:00",` |
| `"device_last_booted_epoch": 1690130991,` | `"device_last_booted_epoch": 1690130991,` |
| `"username": "patsy_pfaff",` | `"username": "patsy_pfaff",` |
| `"user_domain": "COMPANY",` | `"user_domain": "COMPANY",` |
| `"user_department": "Sales",` | `"user_department": "Sales",` |
| `"user_email_address": "patsy.pfaff@company.com",` | `"user_email_address": "patsy.pfaff@company.com",` |
| `"user_title": "Sales Engineer",` | `"user_title": "Sales Engineer",` |
| `"os_name": "MS Windows 10",` | `"os_name": "MS Windows 10",` |
| `"subnet": "172.4.0.0/16",` | `"subnet": "172.4.0.0/16",` |
| `"business_location": "Miami Office",` | `"business_location": "Miami Office",` |
| `"custom_attribute_1": "",` | `"custom_attribute_1": "",` |
| `"custom_attribute_2": "",` | `"custom_attribute_2": "",` |
| `"custom_attribute_3": "",` | `"custom_attribute_3": "",` |
| `"custom_attribute_4": "",` | `"custom_attribute_4": "",` |
| `"custom_attribute_5": "",` | `"custom_attribute_5": "",` |
| `"custom_attribute_6": ""` | `"custom_attribute_6": ""` |
| `}` | `}` |
The entry-point into all Runbooks is the Trigger (i.e. Runbook Editor Triggering Entity). The Trigger includes the initial conditions (i.e. data and context) that triggered the runbook execution.
External Trigger runbooks always employ Triggering Entity: Webhook as their Trigger.
Other Triggering Entities have a predefined runbook Native Data format (e.g. Triggering Entity: Interface, Triggering Entity: Device(s), Triggering Entity: Application, and Triggering Entity: Location). However, Triggering Entity: Webhook does not have a predefined runbook Native Data format, and therefore the data/context supplied by the external/third-party entity must be converted into a runbook Native Data format.
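Because the Webhook trigger passes the third-party HTTP Request Body through unchanged, whatever consumes it should check the fields it relies on before acting on them. The following is an added example, not Riverbed code or a Riverbed API: a Python validator for the payload shape shown in the table above. The required-field list, the single-line field list, the one-second tolerance and the function names are assumptions.

```python
import ipaddress
import json
from datetime import datetime

MAX_SKEW_SECONDS = 1  # assumption: allowed gap between the ISO and epoch forms
# Assumed required fields and their JSON types, taken from the sample payload.
REQUIRED = {"alert_id": int, "alert_name": str, "alert_timestamp": str,
            "alert_timestamp_epoch": int, "device_name": str,
            "username": str, "subnet": str, "last_event_details": str}
SINGLE_LINE = ("alert_name", "device_name", "username")  # assumption: never multi-line

def parse_timestamp(text):
    """Parse the payload's ISO 8601 form, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    return None

def validate_alert(body):
    """Return (payload, problems); an empty problems list means the body passed."""
    try:
        payload = json.loads(body)
    except (ValueError, RecursionError):
        return None, ["body is not valid JSON"]
    if not isinstance(payload, dict):
        return None, ["body is not a JSON object"]
    problems = []
    for name, kind in REQUIRED.items():
        value = payload.get(name)
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, kind):
            problems.append(f"{name}: missing or wrong type")
    if problems:
        return payload, problems
    for name in SINGLE_LINE:
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in payload[name]):
            problems.append(f"{name}: control character in single-line field")
    stamp = parse_timestamp(payload["alert_timestamp"])
    if stamp is None:
        problems.append("alert_timestamp: not an ISO 8601 timestamp with offset")
    elif abs(int(stamp.timestamp()) - payload["alert_timestamp_epoch"]) > MAX_SKEW_SECONDS:
        problems.append("alert_timestamp: disagrees with alert_timestamp_epoch")
    try:
        ipaddress.ip_network(payload["subnet"], strict=True)
    except ValueError:
        problems.append("subnet: not a valid CIDR network")
    return payload, problems
```

Free-text fields such as `last_event_details` legitimately contain newlines, so they are type-checked only and should be escaped wherever they are later rendered or logged.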
Placement of the Trigger node on the Workspace/Canvas in the Runbook Editor
- When creating a new Runbook, the Runbook Editor opens a blank canvas and provides guidance for what to do next, for example a pop-up that states "Every runbook needs a Trigger".
- Drag and drop one of these Trigger nodes to the work area to start its execution.
- Find Triggering Entity: Webhook in the palette on the left-side of the Runbook Editor and drag it onto the canvas.
See Runbook Ease of Use Customizations for methods to make the Runbooks more user readable and how to add comments to the nodes.
This runbook now has an entry-point through which an authorized external/third-party entity can access it. The next steps in this example detail the need for additional nodes to perform meaningful automation.