The steps to create a sample playbook are presented below to illustrate what each playbook component does.
The Start component is on the canvas by default and needs no action configuration. Begin by adding a new action to the canvas and connecting the Start component to it.
Drag the Action component from the left pane onto the canvas. Clicking the Action opens a slide-in form in which you select an App and one of its Actions. Click Add once you have made your selection. The name of the chosen action then appears in the Action component's body, with its type shown in the dark header.
In the example provided below, the name of the chosen application is WhoisXML and the chosen action is get_url_whois_info.
To connect the Start component to the newly added Action, hover over the Start component to reveal its connecting points, click one of them, drag to one of the Action's connecting points, and release the mouse button.
Similarly, add more actions to the canvas and join them together.
Drag the Filter component from the left pane onto the canvas. The Filter component passes selected output of one action as the input of the next action.
Drag the Decision component from the left pane onto the canvas. The Decision component reads values from the actions connected to it and uses them to decide the flow of the playbook. In the example below, the Decision component extracts the "Location" field from the "get_ip_info" and "get_ip_reputation" actions and checks whether the location is Russia. If the condition returns True, the playbook takes one set of actions; otherwise it takes the alternate path, that is, it ends the playbook execution.
SIRP Local Actions
The SIRP component gives you access to internal actions that operate on the container itself. The SIRP app currently supports the following actions:
Drag the SIRP component from the left pane onto the canvas and choose one of the available options. For example, send_email_alerts lets you define the Subject and Message of an email to be sent to the relevant personnel when the Location of the IP address is found to be "Russia".
Similarly, you can assign tasks to an analyst, change the disposition of the alert to investigation, or change its priority based on the outcome of earlier actions and decisions in the playbook.
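The Decision and SIRP steps above can be modelled as a small executable flow. This is an added example written for this page, not SIRP's own code or API: the function names, the action outputs and the IP addresses are constructed, and the Decision is assumed to take the True branch when any connected action reports the expected location.

```python
from typing import Dict, List

# Constructed outputs of the two enrichment actions named on the page; the
# "Location" field is the one the Decision component inspects.
SAMPLE_OUTPUTS: Dict[str, dict] = {
    "get_ip_info": {"ip": "203.0.113.10", "Location": "Russia"},
    "get_ip_reputation": {"ip": "203.0.113.10", "Location": "Russia", "score": 85},
}


def filter_component(outputs: Dict[str, dict], action: str, fields: List[str]) -> dict:
    """Filter: hand selected fields of one action's output to the next component."""
    return {f: outputs[action].get(f) for f in fields}


def decision_component(outputs: Dict[str, dict], actions: List[str],
                       field: str, expected: str) -> bool:
    """Decision: read `field` from each listed action and compare it with `expected`.
    A missing action or field counts as False instead of raising (assumed behaviour)."""
    return any(outputs.get(a, {}).get(field) == expected for a in actions)


def sirp_send_email_alerts(subject: str, message: str) -> dict:
    """Stand-in for the SIRP send_email_alerts local action: records what would be sent."""
    return {"action": "send_email_alerts", "subject": subject, "message": message}


def run_playbook(outputs: Dict[str, dict]) -> dict:
    """Start -> enrichment actions -> Decision -> (send_email_alerts | End)."""
    trail = ["Start", *outputs.keys()]
    alerts = []
    location = filter_component(outputs, "get_ip_info", ["ip", "Location"])
    if decision_component(outputs, ["get_ip_info", "get_ip_reputation"], "Location", "Russia"):
        alerts.append(sirp_send_email_alerts(
            subject=f"IP {location['ip']} located in {location['Location']}",
            message="Review the alert; the location matched the playbook decision."))
        trail.append("send_email_alerts")
    trail.append("End")  # both branches terminate at the End component
    return {"trail": trail, "alerts": alerts}


if __name__ == "__main__":
    print(run_playbook(SAMPLE_OUTPUTS))
```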
These actions appear in the playbook under the SIRP logo. SIRP also lets you edit the action labels to suit your organization.
For example, the default action drop-down menu suggests "assign_task", but this can be changed to any text, such as "assigned task to (analyst name)".
Lastly, connect the final actions in the playbook to the End component to terminate the playbook's execution.
After making all the necessary changes to the playbook, click Save. The playbook is saved and becomes available for automatic or on-demand execution.