Quick Summary

Playbooks are step by step workflows that can run automatically or guide Siemplify users through a process. Playbooks are used for SOC, NOC and Incident Response use cases (e.g. gather enrichment, complete tasks etc.) and can be triggered manually or automatically.


Playbooks allow Siemplify users to create workflows based on SOC, NOC and Incident Response use cases to standardize and automate security tasks.
Playbooks are triggered by different types of alerts – these Triggers are logical conditions that tell the playbook when to run.
The workflow is created with Actions that are able to perform tasks in Siemplify and integrated 3rd party products.
In addition, Siemplify provides multiple Flow components to help with making decisions during the workflow (with or without human intervention).
Siemplify also provides Playbook Blocks which are reusable playbooks that can be embedded in other playbooks. Playbooks Blocks can change their behavior based on execution context.

Example – Email Playbook

Let’s create a playbook for the Email case.

  1. Navigate to the Playbooks tab and click + to choose a Playbook.
  2. Select the required folder and default environment and click on Create.
  3. Drag a Trigger into the trigger box. For this example we will use the ‘Product Name’ trigger.
  4. Click on the trigger you added to configure it.
  5. Change the operator in the dropdown to “Contains” and put Mail as the parameter
    (that means the playbook will run on every alert that contains the word Mail in its DeviceProduct field).
  6. Switch to the Actions tab and drag the Get Similar Cases action under the Siemplify integration.
  7. Click the action to configure the parameters. Make sure to select Shared Instances in the Configure Instance field. These will be considered when the playbook looks for similar cases during run time.
  8. Switch to the Flow tab and drag a Previous Action Condition to the last step.
  9. Set the condition to go to branch 1 by selecting ‘Siemplify_Get Similar Cases_1.SimilarCasesIds’ on the left side and select the ‘Not Empty’ operator. Click Save.
  10. Switch to the Actions tab, select and drag the Siemplify > Assign Case to branch number 1 and select yourself.
  11. Drag the Siemplify > Close Alert action to the Else branch.
  12. Enable the playbook, name it and save it.
  13. Simulate a case from the simulation dialog in the cases module to see this playbook running on a alert.

Need more help with this?
Click here to open a Support ticket

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.