Playbooks

Playbooks provide the means for building flexible business logic in the product. Only SOC Managers can create playbooks.

Playbooks are used to

  • Build any kind of sequential logic in the product by stitching smaller chunks of execution blocks in the system
  • Build sequential analytics executions
  • Build logic for calling enrichment connectors sequentially and setting the results against the alert and artifact
  • Build response logic with response connectors
  • Build user interaction logic for getting user inputs for decisions

There are two types of playbooks:

1. System playbooks

System playbooks are defined within the system for executing logical tasks in sequence or in parallel. System playbooks can be called by the scheduler, or triggered on incident creation or update. They are not exposed to users; they represent the internal logic of the system. Quick Heal creates the system playbooks.

2. User playbooks

User playbooks may be created either by Seqrite Admin, or the MSSP Admin. User playbooks are visible to users/analysts of the system, and selectable at various places within the system.

Note that a user playbook is always associated with an Incident. All attributes and artifacts of that incident are visible in the playbook.

Creating Playbook

A user creates a playbook to define a new business process, for example one in which a phishing alert triggers the process and multiple actions are taken based on the inputs from the alert.

To create user playbook, follow these steps.

    1. Go to Dashboard > Playbooks. Existing playbooks if any are listed.
    2. Click Create Playbook. The Playbook Details window appears.
    3. Enter a name for the playbook.
    4. Enter the description for the playbook.
    5. Select the tags from the list. Select the corresponding check box to select a tag. A tag is used for various identification purposes. The available tags are:
      Process, Connection, URL, Email
      File, Registry, Module, Event
      Exploit, Incident, User, Endpoint

      or

      In the Auto Invocation section, select the following triggers, as per requirements.

      • On Incident Creation
      • On Incident Updation
    6. Enter conditions in the Condition box.
    7. Select Input Parameters from the list of available parameters. You can also search for parameters with the Search function. The available input parameters are:
      processGUID, processName, processPath, processMD5
      processSHA2, processCmd, filePath, fileMD5
      regKey, regVal, regValData, modulePath
      moduleMD5, moduleSHA2, binProdName, cpEventType
      cpDestProcess, cpTargetProcess, cpHollowingType, cpAPIName
      nwLocalPort, nwRemotePort, nwRemoteIP, nwURL
      nwDomainName, winEventId, winEventKeyword, winActStr
      winMsg, childName, childMD5, childSHA2
      childCmdLine, ehpMD5, ehpSHA2, ehpPath
      emailSender, emailSubject, emailURL, hostName
      userName
    8. All the selected parameters appear in the boxes. You can enter the description for the parameter if required.
    9. Select the Mark this as Mandatory check box if you want to mark the input parameter mandatory for the playbook.
    10. Click Save and go to Playbook Editor. To save the playbook without opening the editor, click Save.
    11. In the left pane, the available blocks and the Mini Canvas View appear. Drag and drop the blocks onto the canvas. For more information, see Blocks.
    12. Connect the blocks as per the flow of the operation.
    13. Click Save. The playbook is saved in draft mode.
    14. The Validate button is enabled. Click Validate. If the flow is validated successfully, a success message appears.
    15. The Publish Playbook button is enabled. Click Publish Playbook to publish now. You can click Publish Later button to publish the playbook later.
      The playbook is published and appears in the Published Playbooks list.

   Blocks

    The following blocks are available to choose from in the Playbook Editor. Blocks are units of business logic that can be reused in playbooks. Some blocks are made available by the system; others are custom created by users and shared in the environment. The output of a previous block becomes the input to the next block. All previous block outputs are visible to the subsequent block on the same execution path. A playbook can have parallel execution paths.

    Call External Function block – The External Function block can be used to perform data enrichment or security operations using external or third-party applications or systems. A connector must be configured for the third-party external service before its functions can be used.

    When you drop the Call External Function block onto the canvas, the list of available external functions appears in the right pane. Select one of the functions as per your requirement. Enter the required information and click Save.

    Call Internal Function block – The Internal Function block is used to call internal functions or perform data operations.

    When you drop Call Internal Function block to the canvas, the list of available internal functions appears in the right pane. Select one of the following functions as per your requirement. Enter the required information and click Save.

    Decision block – The decision block only allows the execution logic to proceed along specific paths based on the matching condition. The matching condition does not filter the input value.

    The Decision block is used to perform conditional decisions in the playbook. If a condition is met, it results in a True output; if it is not met, it results in a False output.

    When you drop the Decision block to the canvas, the Decision window appears in the right pane. Enter the required information and click Save.

    Filter block – The Filter block adds filter logic that splits the execution into two logical paths, based on whether the values in an attribute list of the incident match the filter. The execution path continues with only the matching values from the filter.

    The Filter block is used to filter input data array elements, based on conditional criteria matching.

    When you drop the Filter block to the canvas, the Filter window appears in the right pane. Enter the required information and click Save.

    Custom Function Blocks – Customized code can be written by the user in Python or JavaScript and saved as a custom block, which other users can use if it is shared.

    The Custom Block can be used to add any custom operations to the playbook.
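To make the block semantics concrete, the following small Python model is added here as an illustration; it is not Seqrite's playbook engine or its custom-block API. The function names (run_sequence, filter_block, decision_block, validate_inputs, reputation_lookup) are hypothetical, the phishing incident is constructed from the input parameter names listed above, and the reputation table is a constructed stand-in for a Call External Function connector. It shows a Filter block keeping only matching values, a Decision block yielding True/False without altering data, outputs of earlier blocks being visible downstream, a mandatory input parameter check, and two parallel paths that do not see each other's outputs.

```python
"""Toy playbook engine (added example, not Seqrite/Quick Heal code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Any, Callable
from urllib.parse import urlparse

Block = Callable[["Context"], Any]

# Constructed sample incident, using input parameter names from the page.
SAMPLE_INCIDENT: dict[str, Any] = {
    "emailSender": "billing@example.test",
    "emailSubject": "Invoice overdue - action required",
    "emailURL": [
        "https://example.test/invoice",
        "http://198.51.100.7/login",   # link to a bare IP address
        "http://example.org/update",   # plain http link
    ],
    "hostName": "WS-042",
}

# Constructed stand-in for a reputation connector (a Call External Function).
FAKE_REPUTATION = {"198.51.100.7": "malicious", "example.org": "unknown"}

@dataclass
class Context:
    """Incident plus the outputs of every block run so far on this path."""
    incident: dict[str, Any]
    outputs: dict[str, Any] = field(default_factory=dict)

    def fork(self) -> Context:
        # A parallel path starts with a copy of the outputs made before the fork.
        return Context(self.incident, dict(self.outputs))

def validate_inputs(incident: dict[str, Any], mandatory: list[str]) -> None:
    """Input parameters marked mandatory must be present before the flow runs."""
    missing = [p for p in mandatory if p not in incident]
    if missing:
        raise ValueError(f"mandatory input parameters missing: {missing}")

def run_sequence(steps: list[tuple[str, Block]], ctx: Context) -> Context:
    """Run blocks in order; each output is stored by name for later blocks."""
    for name, block in steps:
        ctx.outputs[name] = block(ctx)
    return ctx

def filter_block(attribute: str, predicate: Callable[[Any], bool]) -> Block:
    """Filter block: split a list attribute into matching / non-matching values."""
    def block(ctx: Context) -> dict[str, list[Any]]:
        values = ctx.incident.get(attribute, [])
        return {"match": [v for v in values if predicate(v)],
                "nomatch": [v for v in values if not predicate(v)]}
    return block

def decision_block(predicate: Callable[[Context], bool]) -> Block:
    """Decision block: True or False only; the input data is not filtered."""
    return lambda ctx: bool(predicate(ctx))

def is_suspicious_url(url: str) -> bool:
    """Flag plain-http links and links whose host is a bare IP address."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return parsed.scheme == "http"

def reputation_lookup(ctx: Context) -> dict[str, str]:
    """Stand-in external function: reads the upstream filter block's output."""
    return {url: FAKE_REPUTATION.get(urlparse(url).hostname or "", "unknown")
            for url in ctx.outputs["filter_urls"]["match"]}

def run_playbook(incident: dict[str, Any]) -> dict[str, Any]:
    """Filter -> external lookup -> decision, then two parallel paths."""
    validate_inputs(incident, mandatory=["emailURL", "hostName"])
    ctx = run_sequence([
        ("filter_urls", filter_block("emailURL", is_suspicious_url)),
        ("reputation", reputation_lookup),
        ("any_malicious", decision_block(
            lambda c: "malicious" in c.outputs["reputation"].values())),
    ], Context(incident))
    response, stats = ctx.fork(), ctx.fork()   # parallel paths after the decision
    if ctx.outputs["any_malicious"]:           # True path: response block
        run_sequence([("action", lambda c: f"isolate {c.incident['hostName']}")], response)
    else:                                      # False path
        run_sequence([("action", lambda c: "close as benign")], response)
    run_sequence([("url_count", lambda c: len(c.incident["emailURL"]))], stats)
    return {"response": response.outputs, "stats": stats.outputs}

if __name__ == "__main__":
    print(run_playbook(SAMPLE_INCIDENT))
```

Running it on the constructed incident, the Filter block keeps the two suspicious links and drops the https one, the lookup marks the IP-literal link malicious, the Decision block yields True, and the response path records an isolation action for WS-042. The parallel stats path counts all three URLs but never sees the response path's action output, which is the visibility rule described above.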

Published Playbooks

Go to Dashboard > Playbooks.

By default, the list of published playbooks appears.

The count of published playbooks appears.

On this page, you can perform the following actions:

  • Copy
  • Export
  • Move to Draft

Copying Playbook

  1. Select the Playbook that you want to copy.
  2. Click the vertical ellipsis of the selected playbook. The corresponding commands for Edit, Copy, Export, and Delete are displayed.
  3. Click the Copy command. The Playbook Details window appears with the playbook's information. The name defaults to "copy of <playbook name>"; you can edit the name.
  4. Click Save and go to Playbook Editor.

Exporting Playbook

  1. Select the Playbook that you want to export.
  2. Click the vertical ellipsis of the selected playbook. The corresponding commands for Edit, Copy, Export, and Delete are displayed.
  3. Click the Export command. The Export Playbook dialog appears.
  4. Enter the destination tenant ID. If you do not know the tenant ID, contact the Administrator.

Note: After exporting, the playbooks are listed in the draft playbooks of the given tenant.

Moving Published playbooks to Drafts

  1. Select the Playbook that you want to move to draft.
  2. Click the vertical ellipsis of the selected playbook. The corresponding commands for Edit, Copy, Export, and Move to Drafts are displayed.
  3. Click the Move to Drafts command.

The published playbook is moved to the Drafts list.

Draft Playbooks

Draft playbooks are playbooks that have been saved but whose flow has not yet been validated.

Go to Dashboard > Playbooks.

By default, the list of published playbooks appears.

The count of draft playbooks appears.

On this page, you can perform the following actions:

  • Edit
  • Copy
  • Export
  • Delete

Editing Playbook

  1. Select the Playbook that you want to edit.
  2. Click the vertical ellipsis of the selected playbook. The corresponding commands for Edit, Copy, Export, and Delete are displayed.
  3. Click the Edit command. The Playbook Details window appears with information. Edit the information.
  4. Click Save and go to Playbook Editor.

Copying Playbook

  1. Select the Playbook that you want to copy.
  2. Click the vertical ellipsis of the selected playbook. The corresponding commands for Edit, Copy, Export, and Delete are displayed.
  3. Click the Copy command. The Playbook Details window appears with the playbook's information. The name defaults to "copy of <playbook name>"; you can edit the name.
  4. Click Save and go to Playbook Editor.

Deleting Playbook

  1. Select the Playbook that you want to delete.
  2. Click the vertical ellipsis of the selected playbook. The corresponding commands for Edit, Copy, Export, and Delete are displayed.
  3. Click the Delete command. 
  4. Click Delete on the confirmation dialog box. The Playbook is deleted.

Exporting Playbook

  1. Select the Playbook that you want to export.
  2. Click the vertical ellipsis of the selected playbook. The corresponding commands for Edit, Copy, Export, and Delete are displayed.
  3. Click the Export command. The Export Playbook dialog appears.
  4. Enter the destination tenant ID. If you do not know the tenant ID, contact the Administrator.

Note: After exporting, the playbooks are listed in draft playbooks of the given tenant.

Viewing playbooks

You can view the playbooks created earlier by the administrator. You can sort these playbooks by the created on and updated on timestamps. You can also use the filter to view only the playbooks matching a criterion, and choose to view the playbooks created by you or by others.

Go to Dashboard > Playbooks. Existing playbooks if any are listed.

  • To filter playbooks as per your requirements, enter the criterion in the filter box, and add more conditions as required. The displayed playbooks list is automatically updated as per the set criteria.
  • To sort the playbooks by created on, click the corresponding icon at the top of the created on column. The displayed list is sorted accordingly as per the most recent or the oldest.
  • To sort the playbooks by updated on, click the corresponding icon at the top of the updated on column. The displayed list is sorted accordingly as per the most recent or the oldest.
  • To view only the playbooks created by you, enable the My Playbooks toggle switch. The displayed list is filtered accordingly. By default, the list displays playbooks created by all users.
  • To view playbooks created by others, disable the My Playbooks toggle switch. The displayed list is filtered accordingly.

Field                 Description
PLAYBOOK NAME         Displays the name of the playbook.
TRIGGERS              Displays the event that triggers the playbook.
CREATED ON            Displays the date and time when the playbook was created. (sortable)
UPDATED ON            Displays the date and time when the playbook was last updated. (sortable)
CREATED BY            Displays the name of the user who created the playbook.
TAGS                  Displays the tags assigned to the playbook.
PLAYBOOK DESCRIPTION  Displays the description of the playbook.

Playbook Actions

Depending on the tags or auto invocation option selected while creating the playbook, the playbook action appears on the respective tagged item or incident.

The Playbook actions are

  • Run
  • View Old Results
  • View Playbook output

For more information, refer to Incidents > Playbook Actions.