👩💼 Who Can Use This Feature
All Members (by default).
However, administrators can set up permission to control the access. Users with List permission can only view playbooks. Users with Create permission can create or edit playbooks. Users with Manage permission can create, edit, and share only the playbooks that are created by them.
Playbooks are automated multi-step processes. They can ingest events or other data, process it, and take actions conditionally. This guide is intended to educate you about the different terms, functionalities, and features in the playbook builder.
To create a playbook, click New Playbook on the left navigation pane and click New Blank Playbook on the pop-up window.
We recommend you get familiarized with the following key concepts of the playbook.
Steps are the building blocks of Playbooks. Steps are combined into a flow diagram that makes up the playbook. The steps are executed one after the other from top to bottom.
Input and Output Data
Each step requires input data and generates output data. A step's output data will serve as input data in other steps.
Specify how much data would you like to look at while building the playbook using date picker on the top right-hand corner in the playbook builder.
Trigger or Stream
Schedule the playbook to trigger periodically, or trigger the playbook on demand using a webhook link.
Now that we’ve got the high-level overview, let’s look into the details.
Steps are the building blocks of Playbooks. They can perform a variety of functions, including interaction with third-party tools through integrations. For example, receive alerts from third-party tools, sending and receiving emails, and so on. For functioning, it requires input data or events according to the type of step. After running, steps generate output data or events that can be used in subsequent steps.
Steps are combined into the sequential workflow that makes the playbook. The steps are executed one after the other from top to bottom. And the data flows from one step to its child steps after it is executed. The visual representation of steps, the playbook diagram, is found on the left-hand side. And its configurations are done on the right-hand side by clicking on each step.
To add a step in a blank playbook:
- Choose one of the options under the Set Trigger step.
- To add a step in a playbook where steps already exist, click on the + button that appears under a step.
The catalog of all available steps will appear on the right side to add and configure steps.
- Click on the step you want to configure. For example, search for the
filteroperation and select it from the results.
- On clicking the chosen Step from the results, 'filter' if you follow the above example, the configuration form opens up.
- Enter the column value you need to filter out. In this example, we want to filter out all rows in which the value of column
Each step requires input data and it also generates output data. The input can be pieces of data external to the playbook or can be from other steps in the same playbook. This input is manipulated or enriched depending on the type of the step and output is generated. If you look at the example of the filter mentioned in the section above, we chose to filter out, all rows in which the value of column
date_minute was 3, from the input data that will generate an output of only rows in which the value of column
date_minute is 3.
To view input and output data of each step, click on a step and switch between the Input data and Output data by clicking on the tabs.
Usually, playbooks run based on something that has happened; whether it be logs of events from an enterprise tool or a SIEM. You can also run it on alerts that are already generated by another security tool. Therefore, the first step of the playbook is to retrieve these events from those tools using Event type and Integrations. These events that are retrieved will act as 'input' to the first step and its output can be used by the subsequent steps in the playbook for further processing.
If you choose to retrieve events in your playbooks through an event type, you need to specify how much data would you like to look at while building the playbook. This is done with the date picker on the top right-hand corner in the playbook builder. This choice only affects what data you can see while building the playbook. The larger the time period you pick the less fast the builder would be.
We recommend you pick a balance between speed and being inclusive to account for all different types of events that could happen. While actually streaming the number of events ingested will depend on the batch length.
When you are building the playbook, by using the principles mentioned above, you are in substance building the blueprint of the automation. After it is built, you have to stream the playbook to automate the process you defined in the playbook. You can schedule the playbook to trigger periodically, or trigger the playbook on demand using a webhook link. Choose to trigger it periodically if you want to monitor events happening in your IT environment 24x7.
When it is triggered each time, the playbook will ingest all the events that fall in the latest time period equal to the user-set batch length. Each such run is called a batch. The batch results are stored in My Library > Streams. In each batch run, steps are executed one after the other starting from the step(s) directly under the Trigger step. If there are multiple child steps under a step, they are executed in parallel.
The results of each batch run are inherently the output data of steps you mark as "Output Steps". As a best practice, we recommend you choose a step where the results of all the other steps come together. You can also choose multiple steps as Output Steps
A step won't be executed if one of its subsequent steps is not an Output Step.
To feed a given step into the output step, click the Output Data to Stream toggle to link it to the output step.
To stream a playbook, for example, in an interval of 15 minutes:
- Click on the Stream button on the top right-hand corner or by clicking on the Set Trigger button on the first node.
- In the Set Trigger form, enter a stream name.
- Enter a batch length to be 15 minutes. Now, the stream will run every 15 minutes, with the events that happened in the last 15 minutes. To know more, refer to Streams.
If you are still used to our older version of playbook builder and would like to learn more about it, refer to
Playbook builder V1.
📍 Guide to Playbook Builder
Updated 6 months ago