A playbook is a no-code structure that runs under a bot. It evaluates events against defined rules, analyzes them, reaches conclusions, and delegates workflow. Playbooks work based on specific events, so the event must be created before the playbook.
- Click the bot in which you want to create the event.
- Select or Create Event: Create the new event that the bot is going to use. (The "_incident" event comes by default. This event covers all events that reach Logsign SOAR.) In this section, you can also view and select previously shared events.
- Name: Name of the event.
- Expose to users: The option that makes the related event executable in cases. (Run as Dispatch.)
- Values: The area where the parameters that the event is going to use are defined.
- Description: Name of the parameter.
- Type: Type of the parameter. (E.g. type table)
- Add field: Used to define more than one parameter.
- Shared: Select this if the event should be usable by other playbooks. If it is unselected, other playbooks cannot use the event; only the selected playbook can use it.
- After the event is created, create the playbook that is going to work with this event.
- Define the name of the playbook and the relay server (_center should be selected in a single structure) and click the "ADD" button to create the playbook.
- Playbook definition can be edited or deleted via the three dots on the right side of the playbook name.
- When the playbook is created, it is passive by default.
- Click on the playbook name to enter the playbook.
- You can edit the active / inactive status from the top right and save the playbook.
- With the tools on the left, you can define your own scenario and get it ready to take action on events.
- Actions: Group of actions to use in the playbook.
- Firewall: Action to take on all firewalls that are on the asset list.
- Check: A function that compares the data in the events within the playbook.
- As a result of the check, a "True" or "False" status is shown on the screen, and you can define a separate path for each. Different results can be reached depending on the situation.
- Dispatch: The function that we run to send the values captured in the playbook to the other events that we have created.
- Integrations: With the integrations function, you can use the capabilities of hundreds of security products with which Logsign SOAR can be integrated. You can perform analyses, actions, transactions and generate reports based on the results of these transactions. In order to use the integrations function, you must first define your assets.
You can visit our FAQ page to learn more about the usage areas of playbooks and to review our use cases.
- It is the report screen that shows when the playbook runs and which step it reaches during that run.
We can test the playbook that we created with the simulation tool. You can find the details about the usage in our Playbook Simulation article.