What is a Playbook?
A Playbook can best be described as a workflow of actions that is executed in response to a defined trigger. Playbooks are particularly useful because they can be defined in advance to respond to the various alerts coming from your SIEM and carry out actions automatically, thereby freeing up the analyst's time and effort.
A playbook is composed of two parts, a trigger and a set of actions, defined by the SOC manager or higher-tier analysts for handling security alerts. Playbooks automatically gather information on alerts from internal and external sources, request essential information from the users associated with the alerts, and take the appropriate actions to move the alerts forward.
Siemplify includes over 80 predefined playbooks for the most common use cases. You can customize these playbooks or define additional playbooks for your specific requirements. Below is a screenshot of the Playbooks screen with a specific Playbook highlighted.
How do I build a Playbook?
There are three main building blocks in a Playbook: Triggers, Actions, and Flows. You drag and drop these blocks to flesh out a complete Playbook. Refer to the Understanding Playbooks page for more information.
What is a Playbook Block?
A Playbook Block is a mini playbook that is built slightly differently from a regular Playbook and functions as a snippet that can be inserted into a regular Playbook. It can also be run standalone. The advantage of using a Block is that you configure it once and then reuse it in many Playbooks. For full details on Playbook Blocks, refer to Playbook Blocks.
How do I run a Playbook?
A case can contain several alerts, and each alert can have several playbooks attached to it. If a playbook is attached, it runs automatically to the end unless a manual action has been defined in it, in which case it pauses at that step and waits for the analyst to take the action. Analysts therefore save considerable time and effort in reviewing the case, because much of the information needed to investigate the alerts has already been gathered by Siemplify, usually without manual intervention.
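To make the trigger/actions/manual-step behaviour described above concrete, here is a small Python model of a playbook run. It is an added illustration, not Siemplify's playbook engine or SDK; every class, function and field name (Alert, Action, Playbook, Run, start_run, resume_run) is an assumption made for the example, and the REPUTATION table and the alerts fed in are constructed data. The run executes automatic actions in order, stops at the first manual action with status "waiting_for_analyst", and continues only once an analyst responds, which mirrors the pause-and-wait behaviour of a playbook attached to an alert.

```python
"""Toy model of a SOAR playbook: a trigger, an ordered list of actions, and a
run that pauses at a manual action until an analyst responds.  Added example,
not Siemplify code; all names here are assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed threat-intel table standing in for an external enrichment source.
REPUTATION = {"203.0.113.7": "malicious", "198.51.100.2": "clean"}


@dataclass
class Alert:
    rule_name: str
    source_ip: str


@dataclass
class Action:
    name: str
    run: Optional[Callable[[Alert, dict], dict]] = None  # None for a manual step
    manual: bool = False


@dataclass
class Playbook:
    name: str
    trigger: Callable[[Alert], bool]
    actions: list


@dataclass
class Run:
    playbook: Playbook
    alert: Alert
    status: str = "pending"   # pending | waiting_for_analyst | completed | not_triggered
    step: int = 0             # index of the next action to execute
    results: list = field(default_factory=list)  # (action name, result) pairs
    context: dict = field(default_factory=dict)  # data shared between actions


def enrich_ip(alert: Alert, ctx: dict) -> dict:
    """Automatic enrichment: look the source IP up in the constructed intel table."""
    verdict = REPUTATION.get(alert.source_ip, "unknown")
    ctx["verdict"] = verdict
    return {"ip": alert.source_ip, "verdict": verdict}


def set_priority(alert: Alert, ctx: dict) -> dict:
    """Automatic: raise priority when enrichment says the IP is malicious."""
    ctx["priority"] = "high" if ctx.get("verdict") == "malicious" else "low"
    return {"priority": ctx["priority"]}


def block_ip(alert: Alert, ctx: dict) -> dict:
    """Automatic containment step, placed after the manual approval step."""
    ctx["blocked"] = alert.source_ip
    return {"blocked": alert.source_ip}


def _advance(run: Run) -> Run:
    """Execute actions in order until the end or until a manual action is reached."""
    while run.step < len(run.playbook.actions):
        action = run.playbook.actions[run.step]
        if action.manual:
            run.status = "waiting_for_analyst"   # pause; analyst must respond
            return run
        result = action.run(run.alert, run.context)
        run.results.append((action.name, result))
        run.step += 1
    run.status = "completed"
    return run


def start_run(playbook: Playbook, alert: Alert) -> Run:
    """Attach the playbook to an alert; it only fires if the trigger matches."""
    run = Run(playbook=playbook, alert=alert)
    if not playbook.trigger(alert):
        run.status = "not_triggered"
        return run
    return _advance(run)


def resume_run(run: Run, analyst_decision: str) -> Run:
    """Record the analyst's answer to the pending manual action and continue.
    Anything other than "approve" ends the run without the remaining actions."""
    if run.status != "waiting_for_analyst":
        raise ValueError("run is not waiting for a manual action")
    action = run.playbook.actions[run.step]
    run.results.append((action.name, {"analyst_decision": analyst_decision}))
    run.step += 1
    if analyst_decision != "approve":
        run.status = "completed"
        return run
    return _advance(run)


# Hypothetical playbook: two automatic steps, a manual approval, then containment.
SUSPICIOUS_LOGIN = Playbook(
    name="Suspicious login from external IP",
    trigger=lambda a: a.rule_name == "external_login",
    actions=[
        Action("Enrich source IP", run=enrich_ip),
        Action("Set case priority", run=set_priority),
        Action("Approve blocking the IP?", manual=True),
        Action("Block source IP at firewall", run=block_ip),
    ],
)

if __name__ == "__main__":
    run = start_run(SUSPICIOUS_LOGIN, Alert("external_login", "203.0.113.7"))
    print(run.status, run.results)   # waiting_for_analyst after the two automatic steps
    run = resume_run(run, "approve")
    print(run.status, run.results)   # completed, with the firewall block recorded
```

The `results` list plays the role of the Playbook Summary: every executed step and its output is recorded there, and a rejected manual action is recorded too, so the case history shows why the containment step never ran.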
Additionally, you can manually add and run a Playbook on an individual alert in a case from the Case page, if needed:
- In the Cases screen, highlight the alert.
- In the Playbooks section, to the right, click on the plus icon to add a new playbook.
- In the Add a Playbook screen, select the required Playbook and click Add.
- The Playbook is added and will run immediately.
How can I see Playbook Results?
The Playbook is displayed in the bottom part of the screen. On the right of the screen, a Playbook Summary section details all the Playbook steps and their results.
You can also view each Playbook action and its corresponding result in the Case Wall screen.
Where can I see metrics on Playbooks?
There are several places to see information on Playbooks:
- Individual Playbook > Playbook Monitoring screen
- Dashboard > Playbook Dashboard