Creating Playbook

Print Friendly, PDF & Email

User creates a playbook when the user wants to create a new business process where a phishing alert will trigger this business process that will take multiple actions based on the inputs from the alert.

To create user playbook, follow these steps.

    1. Go to Dashboard > Playbooks. Existing playbooks if any are listed.
    2. Click Create Playbook. The Playbook Details window appears.
    3. Enter a name for the playbook.
    4. Enter the description for the playbook.
    5. Select the tags from the list. Select the corresponding check box to select the tag. A tag is used for various identification purposes. The following table shows available tags.
      Process Connection URL Email
      File Registry Module Event
      Exploit Incident User Endpoint


      In the Auto Invocation section, select the following triggers, as per requirements.

      • On Incident Creation
      • On Incident Updation
    6. Enter conditions in the Condition box.
    7. Select Input Parameters from the list of the available parameters. You can also search parameters with help of the Search function. The following table shows available input parameters.
      processGUID processName processPath processMD5
      processSHA2 processCmd filePath fileMD5
      regKey regVal regValData modulePath
      moduleMD5 moduleSHA2 binProdName cpEventType
      cpDestProcess cpTargetProcess cpHollowingType cpAPIName
      nwLocalPort nwRemotePort nwRemoteIP nwURL
      nwDomainName winEventId winEventKeyword winActStr
      winMsg childName childMD5 childSHA2
      childCmdLine ehpMD5 ehpSHA2 ehpPath
      emailSender emailSubject emailURL hostName
    8. All the selected parameters appear in the boxes. You can enter the description for the parameter if required.
    9. Select the Mark this as Mandatory check box if you want to mark the input parameter mandatory for the playbook.
    10. Click Save and go to Playbook Editor. Only to save the playbook without going to the editor, click Save.
    11. In the left pane, available blocks and Minin Canvas View appear. On the canvas, drag and drop the blocks. For more information, see Blocks.
    12. Connect the blocks as per the flow of the operation.
    13. Click Save. The playbook is saved in draft mode.
    14. The Validate button is enabled. Click Validate. If the flow is validated successfully, a success message appears.
    15. The Publish Playbook button is enabled. Click Publish Playbook to publish now. You can click Publish Later button to publish the playbook later.
      The playbook is published and appears in the Published Playbooks list.


    The following blocks are available to choose from in the Playbook Editor. The Blocks are units of business logic that can be reused in playbooks. Some blocks are made available by the system, others are custom created by the users and shared in the environment. The output of a previous block become the input to the next block. All previous block outputs are visible to the subsequent block on the same execution path. The playbook can have parallel execution paths.

    Call External Function block – The External Function block can be used to perform data enrichment or security operations utilizing external or third-party applications or systems. A connector must be configured for a third-party external service in order to utilize the functions.When you drop Call External Function block to the canvas, the list of available external functions appears in the right pane. Select one of the following functions as per your requirement. Enter required information and click Save.

    Call Internal Function block – The Internal Function Block is used to call internal functions or perform data operations.
    When you drop Call Internal Function block to the canvas, the list of available internal functions appears in the right pane. Select one of the following functions as per your requirement. Enter the required information and click Save.

    Decision block – The decision block only allows the execution logic to proceed along specific paths based on the matching condition. The matching condition does not filter the input value.

    The Decision block is used to perform conditional decisions in the playbook, If a condition is met, it results in True output, and if it is not met, it results in a False output.

    When you drop the Decision block to the canvas, the Decision window appears in the right pane. Enter the required information and click Save.

    The Decision block can be the first function in the playbook.

    Filter block – The filter block will add filter logic that can split the execution into two logical paths based on the matching filter value on an attribute list of the Incident. The execution path will only have the matching values from the filter.

    The Filter block is used to filter input data array elements, based on conditional criteria matching.

    When you drop the Filter block to the canvas, the Filter window appears in the right pane. Enter the required information and click Save.

    Custom Function Blocks – Customized code can be written by the user in python and javascript and saved as a custom block that can be used by other users if shared.

    The Custom Block can be used to add any custom operations to the playbook.

Was this page helpful?