Create a Quick Action (Admin)

The Quick Actions widget lets you create predefined actions that analysts can execute directly within cases and alerts. This widget can be added to the default case view, default alert view, and customized alert views within playbooks.

Predefining parameters for Quick Actions is optional. If you predefine them, analysts can review and edit them before execution. If you leave the parameters blank, analysts will need to fill them in when executing the action.

If an integration is removed after a Quick Action is configured, the corresponding Quick Action button is hidden, and the widget is marked in the widget configuration view to indicate a missing integration.

Refer to the following documents for information on how to add and set up the Quick Actions widget:

• Define default case view (Admin)
• Define default alert view (Admin)
• Define customized alert views from playbook designer

Use Case: Configure Quick Action for Malicious File Investigation

This use case outlines the steps for defining a Quick Action to let analysts quickly investigate potentially malicious files within a case.

1. Go to SOAR Settings > Case Data > Views.
2. Select Default Case View.
3. Select the General tab.
4. Drag the Quick Actions widget into the Default Case View pane.
5. Click settings Configuration.
6. In the Quick Actions side drawer, enter File Investigation for the widget title.
7. For the widget description, enter Quickly scan file hashes.
8. Optional: choose a widget width.
9. Click Advanced Settings.
10. In the Conditions section, define the criteria for displaying the widget. To show the widget only when a case is tagged with malicious-file, use the condition Case.Tags contains malicious-file.
11. In the Text section, you can provide instructions or context for analysts directly within the widget. For this use case, add the following text: Use the 'Scan Hash' button to check suspicious files.
12. In the Buttons section, click + Add New Button to create a new Quick Action. You can add up to six buttons, each corresponding to a different Quick Action.
13. In the Add Button dialog that appears, configure the Quick Action (Scan Hash):
    • Name: Scan Hash
    • Button Color: Choose a color.
    • Action: Select Scan Hash from the VirusTotal section in the Action list.
    • Optional: choose the relevant Instance for VirusTotal.
    • Optional: in the Parameters section, define the Hash parameter:
    • Hash: [Case.FileHash]
14. Click Close in the Add Button dialog.
15. Click Save in the Quick Actions side drawer.

Need more help? Get answers from Community members and Google SecOps professionals.