The following places in the Chronicle SOAR Platform give you greater visibility into Playbook execution:

  • Playbook Monitoring on the Playbooks screen: The Monitoring feature allows customers to use automation to its full capacity. This interface is displayed for each individual Playbook.
  • Playbook side drawer in the Cases screen: The summary feature minimizes the time that an analyst needs to reach decisions when handling a case. This interface is displayed as a side drawer for each running Playbook on the Cases screen.

Playbook Monitoring

The Monitoring side drawer is available for each Playbook in the Playbooks screen. 

You can see the screen by clicking the icon at the top right of the Playbooks screen.

Note: The Playbook simulator needs to be turned off to see the Playbook Monitoring side drawer.

The Playbook Monitoring screen contains the following information:

  • Runs: How many times the Playbook/Block ran during the defined time period. Thousands will be represented by a K. Millions will be represented by an M.
  • Redundant: Number of times the Playbook/Block didn’t run in the predefined time period because it exceeded the maximum number of playbooks (3) that can be automatically added to an alert. If the number is larger than 1, this could be a good indication to tweak the Playbook, perhaps by using Blocks or other logical steps.
  • Closed Alerts: Percentage of alerts that were closed by this Playbook.
  • Average Run Time: Average amount of time that this Playbook took to run. This statistic can prove useful in identifying weak points in playbooks, such as manual actions and frequently-errored steps.
  • Playbook Runs Status Pie Chart: Shows four statuses: finished successfully, failed, waiting for user action, or terminated. This chart shows playbook statuses for the defined time period and is cumulative. Each status is clickable and takes you to a Search results page displaying the cases to which this playbook was attached with that status.
  • Playbook Trends Line Chart: Shows completed runs, failed runs, terminated runs and a total of runs (both failed and successful). Hover your mouse over each dot on the line to see a pop-up showing more information. This chart is useful for checking whether a new playbook that you recently created is running as you expected, or whether an existing playbook that you recently improved actually improved as you expected or needs more enhancements to meet your expectations. For example, if you see that the Playbook didn’t run twenty times over the last month, you might tweak the trigger logic to make the Playbook more selective. You could then look at the Trends chart to check that the Playbook ran successfully from that time onwards.
  • Environments Bar Chart: Displays all the environments that this Playbook ran in. Each section is clickable and will take you to a Search results page.
     


Playbook Summary

Navigate to Case > Alert > Playbooks. Click on the hyperlinked Playbook name on the left. The Playbook summary side drawer opens. This shows the following information:

  • Playbook Name and Status
  • Pending Actions - Waiting for User Input: If the Playbook is waiting for the security engineer to do something, this will be displayed prominently at the top of the Playbook summary. In addition, a Push notification will be sent to the relevant user letting them know that the Playbook is waiting for them.
  • Time and Length of Playbook Run
  • Integrations: List of Integrations being used by this Playbook. When you click an integration, the specific step is marked in the playbook viewer so that the analyst can easily find the step that they want to focus on.
  • Playbook Flow: Each step that was run, with its status and step result.
  • Errors: Any errors will be listed here. If an error caused the playbook to stop, it will be highlighted at the top of the summary, but if it was skipped, it will be at the bottom. Each error is clickable and will direct you to the logs page. You can also choose to rerun the Action or Playbook from here.