Step-by-step Playbook Creation Guide
Written by Ahmad
Updated over 6 months ago

The steps below walk through creating a sample playbook to illustrate the actions and functions used when building one.

Start

The Start node exists on the canvas by default. This component does not require any action configuration. Begin by adding a new action on the canvas and connecting the Start component with the new action.

Action

Drag the Action node from the left pane to the canvas. Clicking on the Action displays a slide-in form that allows you to select an App and one of its Actions. Click Add after you are done selecting your Action. The name of the chosen action appears in the Action node body, along with its type in the dark header.

In the example provided below, the name of the chosen application is WhoisXML and the chosen action is GET URL WHO INFO.

To connect the Start node with the newly added Action, hover over the Start node to see its connecting points, click on one of them, drag your mouse to one of the connecting points of your Action, and release the mouse button.

Similarly, add more actions to the canvas and join them together.

Filter

Drag the Filter component from the left pane to the canvas. The Filter node is used to supply the output of one action as the input of a second action.

Decision

Drag the Decision node from the left pane to the canvas. By using the Decision node, you can take field values from the actions connected to the decision and decide the flow of the playbook. In the example below, the Decision node extracts the “Location” field from the “GET IP INFO” and “GET IP REPUTATION” actions and checks whether the location is Russia. If the condition returns True, the playbook takes certain actions; otherwise it takes alternate actions, i.e. ends the playbook execution.

SIRP's Local Actions

The SIRP node gives you access to internal actions used to perform container-related actions. The SIRP app currently supports the following actions:

  • Change Ticket Priority

  • Add Members

  • Email Notifications

  • Create Case

  • Change Ticket Disposition

  • Assign Task

  • Get Asset Detail

  • Change Ticket Severity

  • Change Ticket Category

  • Change Ticket Status

  • Get User Confirmation

  • Get Container Details

  • Send IOCs as an Email Alert

Drag the SIRP node from the left pane to the canvas. Choose one of the available options. For example, you could assign tasks to an analyst, change the disposition of the alert to the investigation, or even change priority based on the outcome of prior actions and decisions in the playbook.

Send Email Notification

This SIRP option will allow you to define the Subject and Message for an email that should be sent to relevant personnel if a certain condition (Decision) returns True.

PDF Report Attachment:

When sending an Email Notification, you also have the option to attach the entire content of the Container in the email as a PDF attachment.

Click on the "Send Container details as PDF attachment" option if you want to send the PDF attachment with the email notification.

Interconnect the Action and Decision nodes to create a flow.

You can also give each Action a custom name of your liking. For example, the default action name could be "Assign Task", but you can change the title, e.g. “Assign task to (analyst name).”

End

Lastly, connect the last action(s) in the Playbook with the End node to terminate the execution of the playbook.

After making all the necessary changes to the playbook, click on the Save button. The playbook will be saved and made available for automatic or on-demand execution.

Note: When creating a playbook, all nodes from start to end need to be interconnected; if this is not done, playbook execution will fail.
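The interconnection rule in the note above can be checked on paper before building a flow. The following is an added example, not SIRP code: it models a constructed version of the sample playbook as a hypothetical adjacency map (not SIRP's storage format) and, reading the rule as "every node must lie on a path from Start to End", lists the nodes that break it.

```python
from collections import deque

# Constructed model of the sample playbook: node name -> successor nodes.
# The node wiring is an assumption made for illustration only.
SAMPLE_PLAYBOOK = {
    "Start": ["GET URL WHO INFO"],
    "GET URL WHO INFO": ["GET IP INFO", "GET IP REPUTATION"],
    "GET IP INFO": ["Decision"],
    "GET IP REPUTATION": ["Decision"],
    "Decision": ["Send Email Notification", "End"],  # True branch, False branch
    "Send Email Notification": ["Assign Task"],
    "Assign Task": ["End"],
    "End": [],
}


def _reachable(graph, origin):
    """Breadth-first search: every node reachable from origin."""
    seen, queue = {origin}, deque([origin])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def find_disconnected(playbook, start="Start", end="End"):
    """Return nodes that are not on any Start-to-End path, sorted by name."""
    nodes = set(playbook) | {n for succ in playbook.values() for n in succ}
    # Reverse every edge so one search from End finds all nodes that can reach it.
    reversed_graph = {n: [] for n in nodes}
    for src, succ in playbook.items():
        for dst in succ:
            reversed_graph[dst].append(src)
    from_start = _reachable(playbook, start)
    to_end = _reachable(reversed_graph, end)
    return sorted(nodes - (from_start & to_end))


if __name__ == "__main__":
    print(find_disconnected(SAMPLE_PLAYBOOK))
    # Same playbook with the link from "Assign Task" to End left unconnected.
    print(find_disconnected({**SAMPLE_PLAYBOOK, "Assign Task": []}))
```

A dangling branch is reported together with every node upstream of it that has no other route to End, which is usually the quickest way to spot the missing connection on the canvas.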
