Explore Playbooks in V1 mode (Advanced Mode)

LogicHub (LH) Playbook is a workflow that can be automated. Advanced Mode provides direct control over all the details of the LQL code.

What You'll Learn

  • How to Create Playbooks in Advanced Mode?
  • How to Edit a Playbook in Advanced Mode?
  • How to Manage Playbooks in Advanced Mode?
    • Elaborates on how to use the individual icons in the top bar menu, edit the respective Nodes in the playbook and also get the output as .csv.

Advanced Mode provides all the functionality needed to build any playbook.

👍

Prerequisites

To create or edit playbooks, a user must be in a group that has Playbook permission. For more information, see Manage Users.

You can access and use Advanced Mode in either of these ways:

  • Build your playbook completely in Advanced Mode.
    (or)
  • Build your playbook in Easy Mode, then switch to Advanced Mode if needed for any functionality that isn't available in Easy Mode. You can switch back and forth between modes as needed.

👍

Switch between Easy Mode and Advanced Mode

While editing a playbook, you can switch between Easy Mode and Advanced Mode.

Switch from Easy Mode to Advanced Mode
From the Easy Mode editor, click the More icon (...) in the upper right corner and select Advanced Mode.

Switch from Advanced Mode to Easy Mode
From the Advanced Mode editor, click the More icon (...) in the upper right corner and select Edit in Easy Mode.

Create Playbook in Advanced Mode:

  1. Click New Playbook from the left navigation or navigate to My Library and click on Playbooks.
  • Clicking on New Playbook gives you an option to click on a New Blank Playbook or choose from a template.
  • Clicking on My Library > Playbooks gives you an option to click New on the upper-right corner or open an existing Playbook from the list of Playbooks.

🚧

Information

By default, LH playbooks open in Easy Mode.

To change the default mode, navigate to User Profile in the left navigation pane and under the Preferences drop-down menu > PLAYBOOK EDITOR use the toggle option to activate or deactivate the Open playbooks in Advanced mode by default.

1600
  1. Assign a name to the flow and click Submit.
    The flow designer opens with a start step added.

👍

Information

You can start a new playbook from a blank template or a template with content. The difference is that a blank template doesn’t have any defined steps, whereas a template with content has one or more predefined steps that you can edit and add to.

  1. All playbooks rely on data coming in. The most common way to ingest data is with event types. (If you want to ingest data using a step, such as a computation step, skip this step.)
  • Click the Source icon in the top icon bar. Select one or more event types. If you don't see the event type you want, click Create a new Event Type to add a new one.
  • Click Add to add the event type step to your playbook.
  1. Use the date/time controls at the top to set a date/time range for the playbook data, and select a time zone from the dropdown list. Choose a range that is just wide enough for you to see data, but not so wide that you'll need to wait for query results. Depending on your data, you might need to adjust the interval to display data.

If you change the date when viewing data, the data you’re viewing updates automatically. By default, it will be 15 minutes.
5. Click the event type box to add details. The event type box shifts to the left panel and the settings show on the right. The step that you're focusing on is highlighted in yellow.

1600

The results table shows all the data that matches the selected step for the specified time range. Scrolling and pagination controls are available.

You can now build out your playbook by adding additional steps. Based on how you are constructing your playbook, LogicHub may have some recommendations for what to do next. To view any LogicHub recommendations, click + on a step and select View Recommendations.

Additionally, the playbook allows you to copy and paste the time period from one flow to another in Advanced Mode. When you click on the copy icon in the time period field, a Copied to clipboard message appears and you can use the copied time period in another flow.

1600

Manage Playbook in Advanced Mode:

Playbook editor in Advanced Mode has multiple icons to gather and use multiple inputs and apply data reduction and advanced correlation techniques to generate a single score or ranking as the output for each event. The playbook results in a decision for each event about whether it is acceptable or suspicious.

Playbook (Advanced Mode) Icon Bar

1600

Select and/or choose respective icons in the top icon bar with multiple icons to manage the Playbook in advanced mode.

Playbook IconDescription along with Action
PresentPresentation mode allows you to display a selected subset of the steps in your playbook. See
How to Tag the Steps to Present for further understanding of the concept.
SourceSource icon allows you to add Event Types, and Baselines to the existing playbook.
Re-LayoutRe-Layout icon allows you to straighten up your playbook layout if you have lines that are crossing or steps that appear to be on top of each other.
GroupGroup icon will retain a clear sense by giving an option to combine multiple and/or clusters of playbook steps into a single group and can be represented as a single entity in the playbook. See Playbook Groups for further understanding of the concept.
ModuleA module is a pre-built automation function that you can add to your playbook. Modules can perform actions such as formatting output, parsing a string, checking IP addresses, or downloading emails.
StreamsStreams automate your playbook by executing it in batches at preset intervals. With streams, you can rank your alerts on a regular basis and drill down to understand why an individual alert was ranked in a particular way.
VersionPlaybook versioning helps you keep track of all the changes that you make to your playbooks and allows you to view and return to previous versions of the same playbook.
SearchSearch icon in the Advanced Mode allows you to search keywords for step type, tags, LQL, node name, display name, and description.
This feature is helpful to perform an easy search of a keyword if you have a huge number of nodes in the playbook.
AssistanceAI Threat Detection Assistant is an automated workflow to further enhance the ease and usability of Users to create and/or edit a playbook.
MoreMore icon provides further options
- Edit in Easy Mode: To switch the playbook editor to Easy mode.
- Simplified Graph: Showcases only the current selected and source node to maintain the ease while working on Playbook.
- Lock Graph: The user can Lock the node layout of the playbook which has been selected with Simplified Graph and also Unlock the layout to expand and see all the nodes in Playbook.
- Delete multiple Nodes: To select and delete multiple Nodes at one instance.
- Run all Stale Nodes: To run all the dependent nodes (Stale Nodes) at one instance.

How to Tag the Steps to Present

Presentation mode is useful if you have a large playbook or one that performs multiple functions and wants to focus on a particular area of interest. The playbook itself remains the same. A single click allows you to toggle between displaying the selected steps and displaying the entire playbook by adding tags.

If you have a large playbook, it may be useful to view only a portion of it rather than the complete playbook. This can be accomplished by adding custom tags that make it simple to recognize and group a set of nodes (steps).

  1. Open the playbook in Advanced Mode.
  2. Select the step that you want to include in the presentation.
  3. On the right pane, in the query area, enter the tag name and press return. You can add multiple tags to add in the presentation.
1600

In the following playbook, the three steps in the highlighted box are tagged for the presentation.

1600

Click on the Present icon to display the tagged nodes. To change back to the full playbook, click the Present icon again.

1600

How to Use Present Mode

After tagging the group of nodes, click on the Present icon on the top-right corner of the playbook designer. The Presentations pane opens up on the left side of the page that consists of the following items:

  • Tagged Nodes: This section will display each node that you have tagged in the playbook. Once you create the tags for each node, it cannot be deleted unless you go to the playbook and delete the tags to remove them. Each tag is called slides in the present mode. In the tagged nodes, click on the three dots to Add to New Presentation. A new presentation will be created below, with the three dots containing the following options.
OptionDescription
EditAllows you to edit the title of the presentation.
DuplicateAllows you to duplicate the presentation.
DeleteAllows you to delete the presentation.

The three dots for slides show the following options.

OptionDescription
EditAllows you to edit the slide description and the nodes to display.
Add to PresentationAllows you to add the tag to another new presentation.
Duplicate SlideAllows you to duplicate the slide.
New SlideAllows you to add a new slide.
DeleteAllows you to delete a slide. A confirmation message does not appear when you click delete, therefore, be sure before deleting the slide.
  • New Presentation: Click New Presentation to add a new presentation and slides.
  • Add Slide: Click Add Slide to add a new slide. You can select the tags that you want them to appear on the slide and click Save.

How to Make Default Slide

To set a slide as the default, hover your cursor next to the three dots to see the pin icon, and then click it to make the slide the default. If there is no default set, the slide that was most recently opened will be displayed.

1600

Settings Pane (Right hand side)

Click +Actions on the Settings Pane on the right side allows to

1600
  • Edit Node details: Display Name, Node Name and Description
  • Row Description: Name or provide a description for the Row.
  • Create Baseline: Allows you to compare current (most recent) behavior with past behavior to determine whether the current behavior is consistent.
  • Export Output Data as CSV: This allows you to download the results table in .csv format.
  • Three dot option (mid-line ellipsis) on the top right corner can be used to Close All tabs or Close Other Tabs.

Also, the Settings pane accommodates the options Available Operators and UDFs and Update Table

  • Available Operators and UDFs: Select the Available Operators and UDFs option to display the applicable Operator Catalog and UDFs for the respective Node highlighted in yellow color on left side pane.
  • Update Table: Select the Update Table option to reflect the latest table data.

Edit Playbook in Advanced Mode:

  1. Navigate to the My Library drop-down menu on the left navigation pane and select Playbooks.
  2. Use the filters and search option to find the playbook in the list that is to be edited.
  3. Click the midline ellipsis icon (...) to the right of the respective playbook listing and select Edit in advanced mode to open the advanced playbook designer.

© 2017-2021 LogicHub®. All Rights Reserved.