Automation Playground is the area that:
Provides you with a consolidated view of all the automated and on-demand actions executed in SIRP.
Allows you to view the output of any action.
Provides you with a central view of all the artifacts in the system.
Allows you to execute new on-demand Actions without the need to go into (or associate your action’s output with) any container. You can execute any action on any artifact, whether or not it already exists in the system, and view its output in the same view.
Click on the View icon under the Actions column to view the output of the executed action and click on the Delete icon to delete the execution result.
Executed Actions
Overview
Upon accessing the "Executed Actions" page, the following columns are visible:
ACTIONS: Displays a dropdown list of actions that can be taken on that record. The actions are visible when the ellipsis
Under the "ACTIONS" column, a dropdown button is available, which offers the following options:
View: Opens an "Action Output" pop-up window to display the output of the executed action.
Delete: Prompts a confirmation pop-up; upon confirmation, the selected action record is permanently deleted.
Mark as Pending: Prompts a confirmation pop-up; upon confirmation, changes the status of the action's record from 'complete' to 'pending', subsequently re-executing the action.
App Error Logs
Execute an action within the Automation Playground.
Once executed, the action will be displayed in the Executed Actions table.
From the action's dropdown menu, select View.
This opens the Raw Output view; click the eye icon there to access the App Logs.
Alternatively, you can execute an action directly on an artifact within the Automation Playground and then view any error in the App Logs.
Executing a New Action
To execute a new action, click on the “Execute New Action” button. Perform the selections in sequence as explained below:
Application
Click on the dropdown list and select one of the available applications that you want to execute an action on.
Action
Choose one of the available actions within the selected App. For example, if you chose MaxMin from the Application dropdown list, the displayed Actions will include:
get_ip_geolocation
Input
Enter the value as the input of your action.
Global Action Execution
The Global Action Execution feature in SIRP (Security Incident Response Platform) enables users to execute actions provided by any application at any time and place within the SIRP environment. This feature streamlines the execution process, saving time and effort for users.
Accessing the Feature
To access the Global Action Execution feature:
1. Navigate to the SIRP main menu.
2. Locate the SIRP icon at the bottom of the main menu.
3. Click on the SIRP icon to reveal the options menu.
Executing a new Action
1. Upon clicking the SIRP icon, a drawer titled "Execute New Action" will appear from the bottom of the screen.
2. Within this drawer, there are several inter-dependent fields:
Application: Select the desired application from which to execute an action.
Action: Upon selecting an application, the available actions associated with that application will populate.
Config (optional): If configuration is required for the selected action or application, a configuration field will appear.
3. After filling out the necessary fields, the "Input" field will appear.
Input: Provide the input value required for the selected action.
Once the input value is provided, the "Execute" button will become available.
Click on the "Execute" button to execute the action.
Adding to Container (optional)
1. When adding an input value, an additional checkbox labeled "Add to Container" will appear beside the "Execute" button.
2. Click on the "Add to Container" checkbox to enable this feature.
3. A new field titled "Container Type" will appear.
4. Select the desired container type from the available options.
5. Upon selecting a container type, the next dependent field, "Container," will appear.
6. Choose the specific container within the selected container type.
7. Click on the "Execute" button to execute the action and add it to the specified container within SIRP.
Artifacts
Artifacts are actionable intelligence or evidence collected before or during an investigation. Artifacts are also known as IOCs (Indicators of Compromise). Some examples of artifacts are IP addresses, hashes, usernames, email addresses, email headers, etc.
This section displays a list of all the artifacts added in SIRP. To access the artifacts, navigate to the Main Menu, select Automation Playground, and click on Artifacts.
Accessing the Artifacts Tab
The Automation Playground offers an Artifacts tab that facilitates the management of various items associated with applications and their respective actions.
Column Description
Within the Artifacts tab, there exists a column titled "ACTIONS." This column provides users with specific options that can be performed on each artifact.
Available Actions
Play: Clicking the Action button under the Actions column opens a dropdown menu; selecting “Play” opens a slider window titled "Execute Action". Users are required to specify the application and action they wish to perform. After filling in the necessary details, the action is executed by clicking the "Execute" button within this slider window. The specific action will be executed on the selected artifacts.
Edit: By selecting the Edit option in the Actions dropdown, a slider window labeled "Edit Artifact" will be displayed. This window enables users to modify the validity status of the artifact.
Delete: Opting for the Delete action within the dropdown triggers a pop-up window, seeking confirmation about the intended deletion of the artifact. Upon selecting "OK" within the confirmation pop-up, the targeted artifact will be permanently deleted from the system.
Adding Artifacts
You can add a new artifact by clicking on the Add button provided at the top of the page.
Select the appropriate artifact Type which is used to identify supported actions. Enter the Artifact (value). Select the Validity which signifies if the artifact is still valid (malicious) or not. Then click Create. The newly added artifact will appear in the Artifacts list.
Click on the play icon under the Actions column to execute a new action against the artifact.
Artifact Import Functionality in Automation Playground
The Artifact Import feature within the Automation Playground allows the user to import various types of artifacts into SIRP. This documentation outlines the step-by-step procedure for using this feature.
Artifact Import Workflow
Upon clicking the "Import" button, a new side window will appear, providing a structured workflow for artifact import. The process unfolds as follows:
Artifact Type Selection: The side window presents an interface to select the type of artifact to be imported. Users can choose from a predefined set of artifact types, enabling appropriate categorization for the incoming data.
Artifact Validity Verification: Users are presented with validation checks to ensure the integrity and correctness of the artifact being imported. This step involves checks to verify the validity and compliance of the artifact with the SIRP standards.
File Upload: Users are allowed to upload a file containing the artifacts intended for import. This file should adhere to the specified format and requirements outlined by the system to ensure successful importation.
Create and Import: After selecting the artifact type, verifying its validity, and uploading the file, users can proceed by clicking the "Create" button. This action triggers the importation process, transferring the artifacts into the SIRP for further processing and analysis.
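The "Artifact Validity Verification" step above rejects malformed entries before they reach the platform. The script below is an added example, not SIRP's own code or its real import format: it assumes a constructed CSV with type, value and validity columns (the page does not specify the actual file layout), checks each value against the syntax of its declared artifact type (IP, hash, email, domain), enforces the valid/invalid validity flag described in "Adding Artifacts", and reports the line numbers and reasons for every rejected row so an analyst can fix the file rather than import bad indicators.

```python
import csv
import io
import ipaddress
import re

# Constructed sample import file (assumption: one artifact per row with
# type,value,validity columns; the page does not specify the real format).
SAMPLE_CSV = """type,value,validity
ip,203.0.113.10,valid
ip,999.1.1.1,valid
hash,D41D8CD98F00B204E9800998ECF8427E,invalid
hash,notahash,valid
email,alice@example.com,valid
domain,example.com,maybe
"""

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}  # accepted digest sizes
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)
VALIDITY_VALUES = {"valid", "invalid"}  # mirrors the Validity field (malicious or not)


def is_ip(value):
    """True for an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_hash(value):
    """True for a hex digest whose length matches md5, sha1 or sha256."""
    return bool(HEX_RE.match(value)) and len(value) in HASH_LENGTHS


def is_email(value):
    return bool(EMAIL_RE.match(value))


def is_domain(value):
    return bool(DOMAIN_RE.match(value))


# Artifact type decides which syntax check applies (hypothetical type names).
TYPE_CHECKS = {"ip": is_ip, "hash": is_hash, "email": is_email, "domain": is_domain}


def check_row(row):
    """Return the list of problems with one row; an empty list means it is acceptable."""
    errors = []
    atype = (row.get("type") or "").strip().lower()
    value = (row.get("value") or "").strip()
    validity = (row.get("validity") or "").strip().lower()
    if atype not in TYPE_CHECKS:
        errors.append(f"unknown artifact type {atype!r}")
    elif not value:
        errors.append("empty artifact value")
    elif not TYPE_CHECKS[atype](value):
        errors.append(f"value {value!r} is not a well-formed {atype}")
    if validity not in VALIDITY_VALUES:
        errors.append(f"validity must be one of {sorted(VALIDITY_VALUES)}, got {validity!r}")
    return errors


def normalize(row):
    """Canonical form of an accepted row: whitespace stripped, hashes lower-cased."""
    atype = row["type"].strip().lower()
    value = row["value"].strip()
    if atype == "hash":
        value = value.lower()
    return {"type": atype, "value": value, "validity": row["validity"].strip().lower()}


def validate_import(text):
    """Split an import file into (accepted_rows, rejected) where rejected is [(line_no, errors)]."""
    accepted, rejected = [], []
    reader = csv.DictReader(io.StringIO(text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        errors = check_row(row)
        if errors:
            rejected.append((line_no, errors))
        else:
            accepted.append(normalize(row))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = validate_import(SAMPLE_CSV)
    print(f"{len(ok)} rows accepted, {len(bad)} rejected")
    for line_no, errors in bad:
        print(f"line {line_no}: " + "; ".join(errors))
```

Run as a script it reports three accepted rows and three rejected ones (a bad IP octet, a non-hex hash, and a validity flag outside valid/invalid). Normalizing hashes to lower case before import keeps later artifact lookups from missing a match on case alone.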
Approvals
The Automation Playground hosts an "Approvals" tab, which, upon selection, redirects the user to a page titled "Application Workflow."
Details in the Application Workflow Page
The "Application Workflow" page contains comprehensive details about various actions and their associated attributes:
Details Presented:
Action Performed
Application Used
Execution Method
Status of the Action
Container Type
Updated By
Update Date and Time
Initiated Date and Time
Column: Actions
Within the "Application Workflow" page, there is a column titled "Actions." This column offers users the capability to either approve or decline a specific action.
Approve Action:
Users can approve an action by selecting the approval option available in the "Actions" column.
Decline Action:
Similarly, users can decline an action by selecting the respective option within the "Actions" column.
Bulk Approval and Bulk Decline
Bulk Approve:
The "Bulk Approve" feature allows users to select and approve multiple actions simultaneously. Users can choose multiple actions within the "Application Workflow" and approve them collectively.
Bulk Decline:
Conversely, the "Bulk Decline" functionality permits users to select and decline multiple actions at once within the "Application Workflow."
These functionalities within the "Application Workflow" in the Automation Playground streamline the process of managing and handling multiple actions, providing efficiency in approving or declining actions in bulk or individually.