Quick Summary

Playbooks are step by step workflows that can run automatically or guide Chronicle SOAR users through a process. Playbooks are used for SOC, NOC and Incident Response use cases (e.g. gather enrichment, complete tasks etc.) and can be triggered manually or automatically.

Overview

Playbooks allow Chronicle SOAR users to create workflows based on SOC, NOC and Incident Response use cases to standardize and automate security tasks.
Playbooks are triggered by different types of alerts – these Triggers are logical conditions that tell the playbook when to run.
The workflow is created with Actions that are able to perform tasks in Chronicle SOAR and integrated 3rd party products.
In addition, Chronicle SOAR provides multiple Flow components to help with making decisions during the workflow (with or without human intervention).
Chronicle SOAR also provides Playbook Blocks, which are reusable playbooks that can be embedded in other playbooks. Playbook Blocks can change their behavior based on execution context.

Example – Email Playbook

Let’s create a playbook for the Email case.

  1. Navigate to the Playbooks tab and click the icon to choose a Playbook.
  2. Select the required folder and default environment and click on Create.
  3. Drag a Trigger into the trigger box. For this example we will use the ‘Product Name’ trigger.
  4. Click on the trigger you added to configure it.
  5. Change the operator in the dropdown to Contains, enter Mail as the parameter (that means the Playbook will run on every alert that contains the word Mail in its DeviceProduct field), and then click Save. 
  6. Switch to the Actions tab and drag the Get Similar Cases action under the Siemplify integration.
  7. Click the action to configure the parameters. Make sure to select Shared Instances in the Configure Instance field. These will be considered when the playbook looks for similar cases during run time. Click Save.
  8. Switch to the Flow tab and drag a Previous Action Condition to the last step.
  9. Set the condition to go to branch 1 by selecting ‘Siemplify_Get Similar Cases_1.SimilarCasesIds’ on the left side and select the ‘Not Empty’ operator. Click Save. 
  10. Switch to the Actions tab, select and drag the Siemplify > Assign Case to branch number 1 and select yourself.
  11. Drag the Siemplify > Close Alert action to the Else branch.
  12. Enable the playbook, name it and save it.
  13. Simulate a case from the simulation dialog in the cases module to see this playbook running on an alert.
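The following is an added example, not Chronicle SOAR code or part of the original documentation: a small offline Python model of the playbook built in steps 3 to 11, useful for reasoning about which branch an alert will take before enabling the playbook. The trigger (`DeviceProduct` Contains `Mail`), the Get Similar Cases action, the Previous Action Condition (`SimilarCasesIds` Not Empty) and the two branch actions are each modelled as a function. The `Alert`/`Case` classes, the entity-overlap rule for "similar", the case-sensitive string comparison and all sample alerts are assumptions constructed for the example; the real product's matching rules may differ.

```python
"""Offline model of the Email playbook (added example; not Chronicle SOAR's own API)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Alert:
    alert_id: str
    device_product: str                     # the DeviceProduct field the trigger inspects
    entities: frozenset = field(default_factory=frozenset)  # constructed: senders, hashes, domains
    assigned_to: Optional[str] = None
    closed: bool = False


@dataclass
class Case:
    case_id: str
    entities: frozenset


def trigger_matches(alert: Alert, value: str = "Mail", operator: str = "Contains") -> bool:
    """Model of the 'Product Name' trigger from step 5.

    Assumption: Contains is a plain, case-sensitive substring test on DeviceProduct.
    """
    if operator != "Contains":
        raise ValueError(f"operator {operator!r} not modelled in this example")
    return value in alert.device_product


def get_similar_cases(alert: Alert, shared_cases: List[Case]) -> List[str]:
    """Model of Siemplify > Get Similar Cases (step 6/7).

    Assumption: a case is 'similar' when it shares at least one entity with the alert.
    Returns the SimilarCasesIds result that the flow condition inspects.
    """
    return [c.case_id for c in shared_cases if c.entities & alert.entities]


def run_playbook(alert: Alert, shared_cases: List[Case], analyst: str) -> str:
    """Run the modelled playbook against one alert and report the action taken."""
    if not trigger_matches(alert):
        return "not triggered"                       # playbook never starts for this alert

    similar_ids = get_similar_cases(alert, shared_cases)

    # Previous Action Condition (step 9): SimilarCasesIds Not Empty -> branch 1
    if similar_ids:
        alert.assigned_to = analyst                  # Siemplify > Assign Case (step 10)
        return "Assign Case"

    alert.closed = True                              # Else branch: Siemplify > Close Alert (step 11)
    return "Close Alert"


if __name__ == "__main__":
    # Constructed sample data: one shared case and three incoming alerts.
    shared = [Case("C-100", frozenset({"sender@example.com", "phish.example"}))]
    alerts = [
        Alert("A-1", "Exchange Mail Gateway", frozenset({"sender@example.com"})),
        Alert("A-2", "Exchange Mail Gateway", frozenset({"other@example.com"})),
        Alert("A-3", "Perimeter Firewall", frozenset({"sender@example.com"})),
    ]
    for a in alerts:
        print(a.alert_id, "->", run_playbook(a, shared, analyst="analyst1"))
```

Running the model shows the three outcomes the playbook can produce: an alert that trips the trigger and overlaps an existing case is assigned, one that trips the trigger with no similar case is closed, and one whose `DeviceProduct` does not contain `Mail` never starts the playbook. Because the modelled Contains is case-sensitive, a product named `webmail proxy` would not match `Mail`; check the operator semantics in the product before relying on that.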