In this example, we will build a Playbook from scratch. This Playbook will focus on detecting Malware and making decisions based on what malware is found.
- Let's start by setting up the new playbook. Click on the plus icon, choose the environment (or no environment) and click Create Playbook. In the top left, click the Edit icon and add a meaningful name, for example Malware Detected Test.
- Create a Trigger which will cause the Playbook to run if an Alert for a virus or security risk pops up. Note: in this specific trigger type, the alert type options appear in the drop-down as possible options only if such alerts were already ingested.
  - Trigger > Alert Type
  - Parameters: Virus Found or Security Risk found
- Add an Enrichment action to find out all attributes of the Active Directory Users so we can see who is involved with the suspicious risk.
  - ActiveDirectory > Enrich Entities
  - Entities: All Users
- Add an action to get more information on the device.
  - CBDefense > Get Device Info
  - Entities: Internal Entities
- Add an action to scan all the files to see if any are known to be malicious.
  - VirusTotal > Scan Files
  - Entities: All File Hashes
  - Threshold: 1
- Add an action to get more information on the files using hash info.
  - XForce > Get Hash Info
  - Entities: All File Hashes
  - Threshold: 1
- Now is the time to branch off the playbook by creating one path if both XForce and VirusTotal have found viruses and another if they haven't.
  - Flow > Previous Actions Conditions
  - Parameters: XForce_Get Hash Info = true; VirusTotal_Scan Files = true
  - Logical Operator: And
- Now we are going to add a manual Close Case action to the False branch. This means that no malicious viruses have been found and we want to close the case.
  - Siemplify > Close Case
  - Parameters: Reason > NotMalicious. Root Cause > Normal Behavior. Comments: free text.
  - Make sure to toggle the top to M for Manual intervention by Analyst.
- Add an Entity Insight to the True branch. It will be displayed in the Insight panel of the Cases screen to show the Analyst that a virus has been found.
  - Siemplify > Add Entity Insight
  - Entities: Source Entities
  - Parameters: Internal host "Entity_Identifier" identified with malware
- In this step, we are going to select a Siemplify Assign Case action for the True branch. This means that the Playbook has identified viruses that need to be dealt with, and the case will be assigned to a higher tier (usually Tier 2).
  - Siemplify > Assign Case
  - Entities: Internal Users
  - Assigned User: Tier3
- We are going to add a question so that at run time the higher-level analyst is asked to decide whether to initiate a response procedure.
  - Flow > MultiChoiceQuestion
  - Question: Should we initiate response procedures?
    1. Yes
    2. No
- In this step we will add an Assign Case so that if the Analyst has answered Yes to the question above, the case is assigned to the SOC Manager.
  - Siemplify > Assign Case
  - Assigned User: SOC Manager
- Finally, we will add an Isolate Host action for the SOC Manager to perform manually.
  - CBResponse > Isolate Host
  - Toggle the top button to M for Manual.
- Make sure to click the large blue Save button on the top right. Congratulations! You have built a Playbook. Once an alert of the type 'Virus found…' is ingested, the playbook will be automatically attached to it and will act according to the set of actions and flows that were defined in the playbook.
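The following Python is an added worked example, not Siemplify code or its API: it models the decision logic of the playbook above (the trigger on alert type, the two reputation actions with Threshold 1, the Previous Actions Conditions step with the And operator, and the routing that follows it) so the behaviour of the branch can be checked on constructed sample data before the playbook is wired up. The class and function names (FileHashVerdict, PlaybookOutcome, run_playbook and the two action helpers) and the interpretation of the thresholds as minimum detection counts are assumptions made for this example. One consequence it makes visible: because the condition uses And, a hash flagged by only one of the two sources lands on the False branch, whose only step is a manual Close Case, so an analyst still reviews it before closure.

```python
"""Model of the Malware Detected Test playbook's branching (added example).

Assumed names: FileHashVerdict, PlaybookOutcome, virustotal_scan_files,
xforce_get_hash_info, run_playbook. Not Siemplify's own code or API.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Trigger > Alert Type, Parameters: Virus Found or Security Risk found
TRIGGER_ALERT_TYPES = {"Virus Found", "Security Risk Found"}
VT_THRESHOLD = 1        # VirusTotal > Scan Files, Threshold: 1 (assumed: min detections)
XFORCE_THRESHOLD = 1    # XForce > Get Hash Info, Threshold: 1 (assumed: min risk score)


@dataclass
class FileHashVerdict:
    """Enrichment results for one file hash entity (constructed sample data)."""
    sha256: str
    vt_positives: int   # number of engines flagging the hash in VirusTotal
    xforce_score: int   # risk score reported by XForce for the hash


@dataclass
class PlaybookOutcome:
    """What the playbook did with the case after the condition step."""
    branch: str                                    # "True" or "False"
    insights: List[str] = field(default_factory=list)
    assigned_to: Optional[str] = None
    manual_steps: List[str] = field(default_factory=list)   # steps toggled to M


def virustotal_scan_files(verdicts: List[FileHashVerdict], threshold: int = VT_THRESHOLD) -> bool:
    """VirusTotal_Scan Files = true when any file hash reaches the threshold."""
    return any(v.vt_positives >= threshold for v in verdicts)


def xforce_get_hash_info(verdicts: List[FileHashVerdict], threshold: int = XFORCE_THRESHOLD) -> bool:
    """XForce_Get Hash Info = true when any file hash reaches the threshold."""
    return any(v.xforce_score >= threshold for v in verdicts)


def run_playbook(alert_type: str, verdicts: List[FileHashVerdict],
                 internal_hosts: List[str], analyst_answer: Optional[str] = None) -> Optional[PlaybookOutcome]:
    """Walk the playbook for one alert; returns None if the trigger does not fire."""
    if alert_type not in TRIGGER_ALERT_TYPES:
        return None   # playbook is not attached to alerts of other types

    # Flow > Previous Actions Conditions, Logical Operator: And
    both_flagged = xforce_get_hash_info(verdicts) and virustotal_scan_files(verdicts)

    if not both_flagged:
        # False branch: manual Close Case for the analyst to confirm
        outcome = PlaybookOutcome(branch="False")
        outcome.manual_steps.append(
            "Close Case (Reason: NotMalicious, Root Cause: Normal Behavior)")
        return outcome

    # True branch: insight per source entity, escalate, then ask the analyst
    outcome = PlaybookOutcome(branch="True")
    for host in internal_hosts:   # Entities: Source Entities
        outcome.insights.append(f"Internal host {host} identified with malware")
    outcome.assigned_to = "Tier3"                       # Siemplify > Assign Case

    # Flow > MultiChoiceQuestion: "Should we initiate response procedures?"
    if analyst_answer == "Yes":
        outcome.assigned_to = "SOC Manager"             # second Assign Case
        outcome.manual_steps.append("Isolate Host")     # CBResponse, manual (M)
    return outcome


# Constructed sample enrichment results (placeholder hashes, not real IoCs)
SAMPLE_BOTH_FLAGGED = [FileHashVerdict("a" * 64, vt_positives=7, xforce_score=5)]
SAMPLE_VT_ONLY = [FileHashVerdict("b" * 64, vt_positives=3, xforce_score=0)]

if __name__ == "__main__":
    print(run_playbook("Virus Found", SAMPLE_BOTH_FLAGGED, ["host-01"], "Yes"))
    print(run_playbook("Virus Found", SAMPLE_VT_ONLY, ["host-02"]))
    print(run_playbook("Login Failure", SAMPLE_BOTH_FLAGGED, ["host-03"]))
```

Running the module prints the three outcomes: both sources positive with a Yes answer escalates to the SOC Manager with a pending manual Isolate Host; a VirusTotal-only hit goes to the False branch with a pending manual Close Case; an unrelated alert type never attaches the playbook at all.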