Overview

In this article you will learn how to create your first automation using the actions you created in the My First Action. The playbook we will create is a basic phishing use case: we will extract the domain details from the URL that is part of an alert, enrich that entity, add an insight with the Domain country, check whether the country is in a custom list, and then run an IF condition on the result of that check to determine whether the case requires further investigation or not.

Create your first Playbook

  1. In the IDE module, make sure that the actions you created as part of the “WHOIS XML API” integration are enabled using the green toggle. Only once the actions are enabled will they be available to use in the playbook designer.
  2. For your First Automation Playbook we will also create a custom list of the countries that are OECD countries and use this custom list to determine if the country of the Domain requires further investigation of the case or not. Navigate to the Settings module in the top bar, click on the Environments tab and then on the Custom lists. You can also customize your own custom list using the plus icon.
  3. To create your First Automation playbook, navigate to the Playbook Designer and click on the icon in the left part of the playbook queue.
  4. In the Create New dialog box choose the “Playbook” radio button, select a folder the playbook will be presented in and define the environment.
  5. Provide a name for the playbook next to the playbook toggle and begin to customize the playbook.

    To import the premade playbook, go to the menu icon in the top left part of the playbook designer and select Import from the drop-down menu. The premade playbook is named “My First Automation Playbook”.
  6. Each playbook starts with the trigger that will trigger the playbook. Navigate to the Triggers tab and drag the “All” Trigger to the first step of the playbook. The playbook will trigger on every alert ingested into Chronicle SOAR.
  7. We will now begin to form the playbook with the actions we created as part of the “WHOIS XML API” Integration. Navigate to the Actions tab and click on the “WHOIS XML API” drop down. The actions you created will be presented beneath the integration. If the actions are not visible, make sure they are enabled in the IDE module and saved.
  8. The first action we will drag into the playbook after the trigger is “Get Domain Details”. Let's customize the action and define the scope we would like the action to run on. As presented in the screenshot below, we have chosen to run the action on all the Entities that are URLs, and for the Domain name field we have used the placeholder “Entity Identifier”. In order to insert a placeholder, click on the placeholder icon and search for Entity.Identifier in the search bar. As mentioned previously, this action will connect to the “WHOIS” site, extract the details of the Domain and present them in JSON format. The Check Availability parameter we defined for the action will check whether the domain is available or not.
  9. For the second action in the playbook, drag the “Enrich Entities” action and customize the action to run on “All URLs”. As mentioned in the “My First Action”, we created the action to run on a specific entity scope, therefore we do not need to define a field such as Domain name as we did in the previous action.
  10. For the next action we will use the “Add Entity Insight” action, which is part of the Chronicle SOAR Integration. For the Entity scope we will choose “All URLs” as done in the previous actions in the playbook, and in the Insight itself we will use the Chronicle SOAR Expression builder to extract the specific field in the JSON – Country. In order to open the expression builder, click on the placeholder icon, choose the playbook dropdown and select the icon presented next to WHOIS XML API_Get Domain Details_1.JsonResult.

    The JSON Sample presented in the Expression builder is the JSON example we inserted in the IDE as part of the “My First Action". In order to extract the Country field from the JSON we will click on the “Country” field in the JSON. In order to test the placeholder click on the Run icon and view the result under the “Results” field as shown in the screenshot below.
  11. Next, we will create an Entity from the country related to the domain in order to run the “Is in custom list” action on that entity in the next step. From the Chronicle SOAR Integration drag the “Create Entity” Action into the playbook, configure the action to run on “All URLs” and use the expression builder to insert the country placeholder in the Entity Identifier field. For the Entity Type choose the Generic Entity type and click on Save.
  12. For the next action in the playbook we will add the “Is in Custom List” action which will run on all generic entities (the generic entity we created previously) and in the Category we will add the category we configured for the custom list we created as presented in the screenshot below.
  13. Now we will add the IF condition in the playbook to determine if the country related to the Domain name requires the Analyst to further investigate the case. The 1st branch will check if the script result for the “Is in Custom list” returned a false result and the Else branch will go to the opposite result as shown in the screenshot.
  14. Once we have added the “IF Condition” action, 2 branches will be created right after it based on the number of branches you defined in the flow action.
  15. Let's start by customizing the 1st branch. If the result for the “Check in custom list” returns a false result, it will lead to this branch. A false result means that the country related to the domain is not in the custom list we created for OECD countries, so we want to further investigate this case. For the first action in this branch we will drag a “Case Tag” action from the Chronicle SOAR Integration and add the tag “Not in OECD countries”.
  16. The next action will be to assign the case to a higher Tier to further investigate this case. In order to do this we will drag the “Assign Case” action to the playbook and choose @Tier2 as the Assigned User.
  17. The last action of this branch will be “Chronicle SOAR Change Priority” action in order to change the priority to “High” as shown in the screenshot.
  18. Once we have finished with the top branch we will customize the Else branch. As this branch indicates that the country of the domain is in the OECD countries we have decided that it will not require any further investigation. We will first add a tag as done in the 1st branch with a tag “In OECD countries”.
    We will then add an additional action that will close the case. All the actions that we have added until now into the playbook have been configured on Automatic mode. As closing a case is a sensitive action, we have configured this action to run manually in the Settings section of the Close Case action, so it will require the response of the analyst to execute the action.
    In the Parameters section of the Close Case action, add the Reason, Root Cause and Comment and save the playbook.
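The decision logic that steps 8 to 18 build in the designer (domain from URL entity, Country pulled out of the WHOIS JSON, custom-list check, IF branch with its tag/assign/priority actions and the Else branch with a close that waits for an analyst) can be followed end to end in a few lines of plain Python. This is an added example, not Chronicle SOAR's playbook engine or SDK and not code from the article: the custom list, the WHOIS-style JSON results, the `COUNTRY_PATH` and the URLs are all constructed for the demo, and the only field name taken from the article is `Country`. It also covers the edge case the designer leaves implicit: a WHOIS result with no Country is treated as "not in list" and escalated rather than silently closed.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the "OECD countries" custom list (a subset, for the demo).
OECD_CUSTOM_LIST = ["Australia", "Canada", "France", "Germany", "Japan",
                    "United Kingdom", "United States"]

# Constructed stand-in for the "Get Domain Details" JsonResult, keyed by domain.
# Only the Country field is used, as in the playbook; the nesting and the other
# fields are made up for this example.
CONSTRUCTED_WHOIS_RESULTS = {
    "example.com": {"WhoisRecord": {"domainName": "example.com",
                                    "registrant": {"Country": "United States"}}},
    "example.net": {"WhoisRecord": {"domainName": "example.net",
                                    "registrant": {"Country": "Atlantis"}}},
    "example.org": {"WhoisRecord": {"domainName": "example.org"}},  # no registrant block
}

# Dotted path to Country in the constructed JSON above; it plays the role of the
# path the Expression builder produces when you click the "Country" field.
COUNTRY_PATH = "WhoisRecord.registrant.Country"


def domain_from_url(url):
    """Return the host of a URL entity (lower-cased), tolerating a missing scheme."""
    if "//" not in url:
        url = "//" + url  # urlsplit only recognises a host after '//'
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("no host in URL entity: %r" % url)
    return host.lower().rstrip(".")


def extract_field(json_obj, dotted_path):
    """Walk a dotted path through nested dicts; return None if any step is missing."""
    node = json_obj
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def is_in_custom_list(value, custom_list):
    """Case-insensitive membership test standing in for 'Is in Custom List'."""
    if value is None:
        return False
    wanted = value.strip().lower()
    return any(wanted == item.strip().lower() for item in custom_list)


def run_playbook(alert_urls, whois_results, custom_list):
    """Simulate the playbook for every URL entity on the alert.

    Returns one decision per URL saying which branch fired and what that
    branch's actions would do. A missing Country counts as 'not in list'
    so the case is escalated to an analyst instead of being closed.
    """
    decisions = []
    for url in alert_urls:
        domain = domain_from_url(url)
        details = whois_results.get(domain, {})            # Get Domain Details
        country = extract_field(details, COUNTRY_PATH)      # Add Entity Insight / Create Entity
        in_list = is_in_custom_list(country, custom_list)   # Is in Custom List
        if not in_list:                                     # IF branch: script result is false
            decision = {"tag": "Not in OECD countries", "assignee": "@Tier2",
                        "priority": "High", "close_case": "no"}
        else:                                               # Else branch
            decision = {"tag": "In OECD countries", "assignee": None,
                        "priority": None, "close_case": "pending analyst approval"}
        decision.update({"entity": url, "domain": domain,
                         "country": country, "in_custom_list": in_list})
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    # Constructed URL entities, as they might appear on a simulated phishing alert.
    sample_alert_urls = ["https://example.com/login?id=1",
                         "http://example.net/invoice.pdf",
                         "example.org/reset"]
    for d in run_playbook(sample_alert_urls, CONSTRUCTED_WHOIS_RESULTS, OECD_CUSTOM_LIST):
        print(d)
```

Running it prints one decision per URL: example.com lands in the Else branch (tagged “In OECD countries”, close pending the analyst's manual approval), example.net and example.org land in the 1st branch (tagged “Not in OECD countries”, assigned to @Tier2, priority High). The comparison in `is_in_custom_list` is case- and whitespace-insensitive because WHOIS country strings are not normalised; if your custom list entries use a different convention (country codes, for instance), normalise both sides the same way before comparing.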

You have now finished customizing your First Automation. In order to see the execution of the playbook navigate to the cases screen, simulate the “Phishing Email” Case and follow the playbook running on the alert and the result of each action in the playbook.