User Guide

Actions

Actions are the next set of components that you can define for a playbook.  Each action is categorized under an Integration in the system. They include tasks or actions to be performed by the playbook. 
For instance, you can assign an analyst to a case, or in case of an external product integration (like McAfeeEPO product), you can set an action to update McAfee Agent. For each Integration, there is a list of sub-actions.

In order to use the required Actions, you need to make sure you have the Integrations downloaded and configured from the Marketplace. Refer to Marketplace for more information.

When the playbook runs, each action will return information that can include the following: 

  • Output message, tables, attachments, links, JSON (these will be displayed on the screen)
  • Script result (only valid within the Playbook itself)
    You can see this information either in the Case Wall or in the right side panel of the Case screen.

Glossary of Terms used within Actions

  • Parameters: Input of some type including text and/or placeholder (Siemplify variable), drop-down options, etc
    • Placeholders: Siemplify variable which will be populated at running time. See below for further information on Parameters and Placeholders.
  • Enrichment:  Gathers more information and attributes on an entity. See below for further information on using Enrichment.
  • Insight: An insight highlights a specific result/conclusion in the Playbook to bring it to the analyst’s attention. See below for further information on using Insights.
  • Script Result: Siemplify defined return value of an Action.
  • JSON Result: Raw data that the Action returns.
  • Expression Builder: Enables manipulating JSON results and extracting specific data to use in Playbook actions. See Using Expression Builder for more information.

Adding an Action

To add an action to the playbook:

  1. in the Actions tab, click on the down arrow next to an Integration name and select the action item. In this example, select Email > Send Email.
  2. Drag and drop the Send Email item to the Final Step or to the blue dots between existing actions.
  3. Click to open the dialog box. The dialog box shows the name and description of the Action as well as the Action result as shown by the Output Name. For this procedure, we will pretend we are in the middle of a DLP Use Case Playbook and fill out the fields accordingly. 
  4. Choose the Instance to use for this Playbook. For more information on Instances, refer to Marketplace.
  5. Specify which entities the Action will run on.
  6. Specify the email recipient for this action. For this example, we will add an Entity Identifier placeholder. 
    To add a placeholder:
    1. In the Recipients field, click the placeholder icon 
    2. In the Placeholder Selection, select Object > Entity. Property > Identifier.
    3. Click OK.
  7. Click Save. The Action is saved as the Action name underscore Sub Action name.

Enrichment 

As defined above, enrichment is additional data collected on an entity (hosts, IPs, artifacts, etc.)

By clicking on an entity on the Cases tab, you can see all the existing attributes that belong to an entity. These attributes, also known as “enrichment” parameters can also be used in placeholders. If you find you are missing attributes on an entity, you can use an Action to execute enrichment on an entity. Below we will use a simple procedure to get more information on a User in Siemplify. 

  1. Navigate to the Cases screen and highlight a specific case.
  2. Click Manual Action on the bottom right.
  3. In the Manual Actions screen, select Active Directory > Enrich Entities. And then select a specific entity. In this example, we will select the User Tom. Click Execute. Once the green arrow appears, close this box.
  4. In the Context Details pane, click on the entity Tom. A new Entity screen appears. Scrolling down displays the department that Tom belongs to.
  5. Return to the main Case screen. All the enrichment attributes are now in the Siemplify platform and are treated as entities in and of themselves. For example, department now can be chosen as an entity. This will be shown in the Create a new Entity procedure below.

Insights

During a Playbook you can choose to highlight specific Insights that are the result, or conclusions,  of an action. You can choose to run an Insight on an entity (this will run on all selected entities as part of the Playgroup) or run a general Insight (which will run once during the Playbook). In the procedure below, we will choose an Action that you might find in the middle of a DLP Detection Use Case Playbook. In this procedure we will highlight the Remediation Email.

  1. In the Actions column, select Siemplify > Add General Insight, and drag and drop it into the Final Step box.
  2. Click on the Siemplify_Add General Insight box. Fill out Title, Message and Triggered by. Notice that we used a Placeholder for the Entity_Identifier in the Message field. Click Save.
  3. When this Playbook is run, you will see this Insight highlighted in the Insight field as follows.

Entity

The analyst will choose the required entity when building the Playbook. There are different sets of entities that the Action will run on. You can also choose to add new entity sets. 

To create a new entity for a single Playbook:

  1. In the Actions column, select Flow > Entity Selection, and drag and drop it into the Final Box.
  2. Click on Entity Selection.
  3. Select the required entity parameters.  In this example, we will select the Department entity (that is now populated in the system due to the Enrichment Action we ran above). And have it equals to R&D. Click Save.
  4. The new entity set is saved under the name Entity_Selection_1. and is available for use when choosing any new entity in the specific Playbook. Note that if you create several new Entity Selections – they will be named according to ascending numbers after the underscore.

Removing an Action

During the building of the Playbook, you can remove an Action from the Final Step without any warning. If you remove an action which is connected to another action, you will receive a confirmation message as this could significantly impact the running of the Playbook.

Re-running an Action

The Playbook builder might have designated a Playbook to stop if an Action fails. If this happens, click on the failed Action and an error message will display in the right pane. This gives you the chance to correct a parameter that you might have mistakenly inputted and then you can Re-Run the action.

Need more help with this?
Click here to open a Support ticket

Thanks for your feedback.