In this example, we will build a Playbook from scratch. This Playbook will focus on detecting malware and making decisions based on what malware is found.

  1. Let’s start by setting up the new playbook. Click the plus icon, choose the environment (or no environment), and click Create Playbook. In the top left, click the Edit icon and add a meaningful name. For example, Malware Detected Test.
  2. Create a Trigger that will cause the Playbook to run when an Alert for a virus or security risk arrives. Note: for this trigger type, alert types appear in the drop-down as possible options only if alerts of that type have already been ingested.
    Trigger > Alert Type
    Parameters: Virus Found or Security Risk found
  3. Add an Enrichment action to retrieve all attributes of the Active Directory users involved, so we can see who is associated with the suspicious activity.
    ActiveDirectory > Enrich Entities
    Entities: All Users  
  4. Add an action to get more information on the device.
    CBDefense > Get Device Info
    Entities: Internal Entities
  5. Add an action to scan all the files to see if any are known to be malicious.
    VirusTotal > Scan Files
    Entities: All File Hashes
    Threshold: 1
  6. Add an action to get more information on the files using hash info.
    XForce > Get Hash Info
    Entities: All File Hashes
    Threshold: 1
  7. Now branch the playbook: one path for when both XForce and VirusTotal have found malware, and another for when they haven’t.
    Flow > Previous Actions Conditions
    Parameters: XForce_Get Hash Info = true
    VirusTotal_Scan Files = true
    Logical Operator: And
  8. Add a manual Close Case action to the False branch. Reaching this branch means that no malicious files have been found, so we want to close the case.
    Siemplify > Close Case
    Parameters: Reason > NotMalicious. Root Cause > Normal Behavior. Comments: free text.
    Make sure to toggle the switch at the top to M for Manual intervention by the Analyst.
  9. Add an Entity Insight to the True branch. It will be displayed in the Insight panel of the Cases screen to show the Analyst that a virus has been found.
    Siemplify > Add Entity Insight
    Entities: Source Entities
    Parameters: Internal host “Entity_Identifier” identified with malware 
  10. In this step, add a Siemplify Assign Case action to the True branch. Reaching this branch means that the Playbook has identified viruses that need to be dealt with, so the case is assigned to a higher tier (usually Tier 2).
    Siemplify > Assign Case
    Entities: Internal Users
    Assigned User: Tier3
  11. Add a question so that, at run time, the higher-level analyst is asked to decide whether to initiate a response procedure.
    Flow > MultiChoiceQuestion
    Question: Should we initiate response procedures?
    1. Yes
    2. No
  12. Add another Assign Case action so that, if the Analyst answered Yes to the question above, the case is assigned to the SOC Manager.
    Siemplify > Assign Case
    Assigned User: SOC Manager
  13. Finally, we will add an Isolate Host action for the SOC Manager to manually perform.
    CBResponse > Isolate Host
    Toggle the top button to M for Manual.
  14. Make sure to click the large blue Save button on the top right. Congratulations! You have built a Playbook. Once an alert of the type ‘Virus found…’ is ingested, the playbook will be attached to it automatically and will act according to the set of actions and flows defined in the playbook.
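To make the decision logic of steps 2 through 13 concrete, here is an added worked example in plain Python. It is not Siemplify code and uses no Siemplify SDK calls; the playbook above is built in the UI. The `Case` class, the function names, the threshold semantics (a hash counts as a hit when at least `threshold` sources flag it) and the sample hash verdicts are all assumptions constructed for this example. Manual actions (Close Case, Isolate Host) are recorded as pending rather than executed, mirroring the M toggle.

```python
"""Added example (not Siemplify's code): a model of the 'Malware Detected Test'
playbook's branching logic, so the trigger, threshold and And condition can be
seen end to end. All names, classes and sample verdicts are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Step 2: alert types the trigger reacts to (constructed set for this example).
TRIGGER_ALERT_TYPES = {"Virus Found", "Security Risk Found"}


@dataclass
class Case:  # assumed stand-in for a SOAR case record
    alert_type: str
    file_hashes: List[str]
    source_entity: str          # the host named in the alert (step 9's Entity_Identifier)
    assigned_to: Optional[str] = None
    insights: List[str] = field(default_factory=list)
    pending_manual: List[str] = field(default_factory=list)  # actions toggled to M


def trigger_matches(alert_type: str) -> bool:
    """Step 2: the playbook only attaches to the configured alert types."""
    return alert_type in TRIGGER_ALERT_TYPES


def scan_result(verdicts: Dict[str, int], hashes: List[str], threshold: int) -> bool:
    """Steps 5-6: an action's result is True when any hash reaches the threshold.
    verdicts maps hash -> number of sources flagging it (assumed semantics)."""
    return any(verdicts.get(h, 0) >= threshold for h in hashes)


def previous_actions_condition(results: List[bool], operator: str) -> bool:
    """Step 7: combine the previous actions' results with the logical operator."""
    if operator == "And":
        return all(results)
    if operator == "Or":
        return any(results)
    raise ValueError(f"unknown logical operator {operator!r}")


def run_playbook(case: Case, vt_verdicts: Dict[str, int], xforce_verdicts: Dict[str, int],
                 analyst_answer: Optional[str] = None) -> Case:
    """Walk the case through the playbook; analyst_answer is the step 11 choice."""
    if not trigger_matches(case.alert_type):
        return case  # playbook never attaches; case is untouched

    vt_true = scan_result(vt_verdicts, case.file_hashes, threshold=1)
    xf_true = scan_result(xforce_verdicts, case.file_hashes, threshold=1)
    malicious = previous_actions_condition([xf_true, vt_true], "And")

    if not malicious:
        # Step 8, False branch: manual Close Case awaits the analyst.
        case.pending_manual.append(
            "Close Case: Reason=NotMalicious, Root Cause=Normal Behavior")
        return case

    # Step 9, True branch: insight with the entity identifier substituted.
    case.insights.append(f"Internal host {case.source_entity} identified with malware")
    # Step 10: escalate to the higher tier named in the page.
    case.assigned_to = "Tier3"
    # Steps 11-13: only a Yes answer escalates further and queues the manual isolation.
    if analyst_answer == "Yes":
        case.assigned_to = "SOC Manager"
        case.pending_manual.append("Isolate Host (CBResponse), manual")
    return case


if __name__ == "__main__":
    # Constructed sample: hash-A is flagged by both sources, hash-B by neither.
    demo = run_playbook(Case("Virus Found", ["hash-A", "hash-B"], "HOST01"),
                        vt_verdicts={"hash-A": 3}, xforce_verdicts={"hash-A": 1},
                        analyst_answer="Yes")
    print(demo)
```

Note that with the And operator a hash flagged by only one of the two services lands on the False branch; switch the operator to Or in `previous_actions_condition` if the intent is to treat a single positive source as malicious.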
