The steps for building a sample playbook are walked through below to illustrate what each playbook component does.
Start
The Start component is present on the canvas by default and needs no configuration. Begin by adding a new action to the canvas and connecting the Start component to it.
Action
Drag the Action component from the left pane onto the canvas. Clicking the Action opens a slide-in form in which you select an App and one of its Actions. Click Add when you have made your selection. The name of the chosen action then appears in the body of the Action component, with its type shown in the dark header.
In the example below, the chosen application is WhoisXML and the chosen action is GET URL WHO INFO.
To connect the Start component to the newly added Action, hover over the Start component to reveal its connection points, click one of them, drag to a connection point on the Action, and release the mouse button.
Similarly, add more actions to the canvas and join them together.
Filter
Drag the Filter component from the left pane onto the canvas. The Filter component passes the output of one action on as the input of the next action, so that, for example, an IP address returned by one lookup can be fed into a subsequent lookup.
Decision
Drag the Decision component from the left pane onto the canvas. The Decision component takes values from the actions connected to it and uses them to decide which branch of the playbook runs next. In the sample playbook, the Decision component extracts the "Location" field from the "GET IP INFO" and "GET IP REPUTATION" actions and checks whether the location is Russia. If the condition evaluates to True, the playbook takes one set of actions; otherwise it follows the alternate path, which here simply ends playbook execution.
SIRP Local Actions
The SIRP component gives you access to internal actions that operate on the container (the alert or incident) the playbook is running against, rather than calling an external app.
Drag the SIRP component from the left pane onto the canvas and choose one of the available actions. For example, EMAIL NOTIFICATION lets you define the Subject and Message of an email that is sent to the relevant personnel if the Location of the IP address is found to be "Russia".
Similarly, you can assign a task to an analyst, change the disposition of the alert to Investigation, or change its priority, based on the outcome of earlier actions and decisions in the playbook.
These actions are shown in the playbook under the SIRP logo. SIRP also lets you edit the action labels to suit your organisation: for example, the default drop-down entry reads "assign_task", but it can be changed to any text, such as "assigned task to (analyst name)".
End
Finally, connect the last actions in the playbook to the End component, which terminates playbook execution.
After making all the necessary changes to the playbook, click Save. The playbook is saved and becomes available for automatic or on-demand execution.
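To make the data flow of the sample playbook concrete, the following is an added, executable model of the Start > Action > Filter > Decision > SIRP-actions > End graph described above. It is an illustration written for this page, not SIRP's own engine or API: the node/edge structure, the app outputs (constructed sample data standing in for WhoisXML responses) and the SIRP action names are assumptions. It also shows a check a practitioner would want in the Decision step: the two enrichment actions return the same country in different spellings ("Russian Federation" and "RU"), so a bare comparison with the string "Russia" would silently take the wrong branch.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Constructed sample app results (hypothetical stand-ins for WhoisXML output).
# Note the two enrichment actions spell the country differently.
SAMPLE_APP_OUTPUTS: Dict[str, Dict[str, Any]] = {
    "GET URL WHO INFO":  {"url": "http://example.test/", "resolved_ip": "203.0.113.7"},
    "GET IP INFO":       {"ip": "203.0.113.7", "Location": "Russian Federation"},
    "GET IP REPUTATION": {"ip": "203.0.113.7", "Location": "RU"},
}

# Compare on a normalised form; `value == "Russia"` alone would miss "RU".
RUSSIA_ALIASES = {"russia", "russian federation", "ru", "rus"}


def is_russia(values: List[Any]) -> bool:
    """Decision predicate: True if any Location value resolves to Russia."""
    return any(str(v).strip().lower() in RUSSIA_ALIASES for v in values)


@dataclass
class Container:
    """The alert or incident the playbook is executed against."""
    alert_id: str
    disposition: str = "new"
    priority: str = "medium"
    tasks: List[str] = field(default_factory=list)
    emails: List[Dict[str, str]] = field(default_factory=list)
    trace: List[str] = field(default_factory=list)   # nodes visited, in order


@dataclass
class Node:
    """One canvas component; `edges` maps an edge label to the next node's name."""
    kind: str                                    # start|action|filter|decision|sirp|end
    config: Dict[str, Any] = field(default_factory=dict)
    edges: Dict[str, str] = field(default_factory=dict)


def apply_sirp_action(container: Container, cfg: Dict[str, Any]) -> None:
    """SIRP local actions change the container instead of calling an app."""
    action = cfg["action"]
    if action == "email_notification":
        container.emails.append({"subject": cfg["subject"], "message": cfg["message"]})
    elif action == "assign_task":
        container.tasks.append(cfg["task"])
    elif action == "change_disposition":
        container.disposition = cfg["value"]
    elif action == "change_priority":
        container.priority = cfg["value"]
    else:
        raise ValueError(f"unknown SIRP action: {action}")


def run_playbook(nodes: Dict[str, Node], container: Container,
                 app_outputs: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Walk the graph from Start until End; return every action's output."""
    outputs: Dict[str, Dict[str, Any]] = {}
    pending_inputs: Dict[str, Any] = {}      # set by a Filter, consumed by the next Action
    current, steps = "Start", 0
    while True:
        steps += 1
        if steps > len(nodes):               # a DAG visits each node at most once
            raise RuntimeError("playbook never reaches End (cycle in the graph)")
        node = nodes[current]
        container.trace.append(current)
        label = "next"
        if node.kind == "end":
            return outputs
        if node.kind == "action":
            # A real engine would call the app with pending_inputs; we replay sample data.
            result = dict(app_outputs[current])
            result["_inputs"] = pending_inputs
            pending_inputs = {}
            outputs[current] = result
        elif node.kind == "filter":
            src = outputs[node.config["source"]]
            pending_inputs = {node.config["param"]: src[node.config["field"]]}
        elif node.kind == "decision":
            values = [outputs[a][node.config["field"]] for a in node.config["sources"]]
            label = "true" if node.config["predicate"](values) else "false"
        elif node.kind == "sirp":
            apply_sirp_action(container, node.config)
        elif node.kind != "start":
            raise ValueError(f"unknown component kind: {node.kind}")
        current = node.edges[label]


def sample_playbook() -> Dict[str, Node]:
    """The playbook from the walkthrough, with the True branch notifying and escalating."""
    return {
        "Start": Node("start", edges={"next": "GET URL WHO INFO"}),
        "GET URL WHO INFO": Node("action", edges={"next": "Filter"}),
        "Filter": Node("filter", {"source": "GET URL WHO INFO", "field": "resolved_ip",
                                  "param": "ip"}, edges={"next": "GET IP INFO"}),
        "GET IP INFO": Node("action", edges={"next": "GET IP REPUTATION"}),
        "GET IP REPUTATION": Node("action", edges={"next": "Decision"}),
        "Decision": Node("decision", {"sources": ["GET IP INFO", "GET IP REPUTATION"],
                                      "field": "Location", "predicate": is_russia},
                         edges={"true": "Notify", "false": "End"}),
        "Notify": Node("sirp", {"action": "email_notification", "subject": "IP located in Russia",
                                "message": "Review the alert"}, edges={"next": "Assign"}),
        "Assign": Node("sirp", {"action": "assign_task", "task": "assigned task to (analyst name)"},
                       edges={"next": "Escalate"}),
        "Escalate": Node("sirp", {"action": "change_priority", "value": "high"},
                         edges={"next": "End"}),
        "End": Node("end"),
    }


def run_sample(app_outputs: Dict[str, Dict[str, Any]] = SAMPLE_APP_OUTPUTS) -> Container:
    container = Container(alert_id="ALERT-1")
    run_playbook(sample_playbook(), container, app_outputs)
    return container
```

Running `run_sample()` walks the True branch: the container ends with one email, one task and priority "high", and `container.trace` records the order in which the components executed. Swapping the sample outputs for a non-Russian location takes the False branch straight to End and leaves the container untouched. The step counter in `run_playbook` is the safeguard for a canvas where an edge has been dragged back to an earlier component; without it a mis-wired playbook would loop forever.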