SecOps SOAR playbooks are the foundation of automation and orchestration in security operations. A playbook defines its triggering conditions (an event, or a combination of events) and the automated actions to take when those conditions are met. Playbooks do not eliminate the need for a SecOps team; they augment it by acting quickly and automatically on routine cases and offloading repetitive tasks, which shortens response time and frees analysts to focus on more pressing or complex work.
Prerequisites
Entitlement for SecOps SOAR on the account and project
Administrative permissions to Chronicle SOAR
Administrative access to any third-party applications that will be integrated with Chronicle SOAR via the Marketplace
Actions
Define Trigger
A trigger specifies the condition a detected alert must satisfy for the playbook to run on it.
See the Relevant Links section for more documentation regarding the prerequisites.
Correct permissions to configure a playbook
Steps
Create a new playbook.
Select triggers from the Step Selection menu.
Click Alert Type and drag it to the first step in the playbook.
Double-click it to open the Alert Type dialog.
Under Parameters, select either Equal, Contains, or Starts With from the menu.
Select the required parameter value. In this example, the trigger matches any alert whose type contains phishing email detector. Once you specify the trigger parameter and save it, the parameter appears in the description of the trigger.
Click Save. The trigger parameter is saved and you return to the Playbooks page, where you can define the next set of components (actions and flow) for the playbook.
Actions are the next set of components you define for a playbook. Each action belongs to an integration in the system and performs a task on behalf of the playbook.
The Playbook Simulator lets you develop playbooks in less time and with less effort: you work in a pre-production environment where you can test your actions and inspect the results without affecting production.
See the Relevant Links section for more documentation regarding the prerequisites.
Access to Playbooks
Existing Cases for simulation
Steps
In the Chronicle UI, choose the Playbooks tab.
Click on a Playbook to open it in the editor.
Turn on the Simulator switch in the top right.
A green notification appears in the top center while the simulator is on.
A content window at the bottom lets you run the simulation against an existing case.
Select an existing case and walk through your playbook to see how it would react to that case.
The simulator shows exactly what the playbook would have done for the selected case when that case occurred. Testing against real past cases in pre-production lets you find scenarios the playbook does not yet handle and account for them before similar cases arrive.
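The two procedures above, defining an Alert Type trigger and dry-running a playbook against an existing case, are modelled together in the following added example. This is illustrative code, not Chronicle SOAR's own code or API: the trigger operators (Equal, Contains, Starts With), the case and alert records, the action names and the case ID are all constructed here. Whether the product compares alert types case-insensitively is an assumption in this model (the ignore_case flag); the point of running a trigger through the simulator is precisely to confirm such details rather than assume them.

```python
"""Dry-run model of a SOAR playbook: an Alert Type trigger plus its actions.

Added example, not Chronicle SOAR code. It models the three Alert Type
trigger operators (Equal, Contains, Starts With) and a simulator-style
dry run of a playbook against a constructed case, so you can see which
alerts would fire the trigger before the playbook runs on live alerts.
Case-insensitive matching is an assumption (ignore_case), not documented
product behaviour.
"""
from dataclasses import dataclass

EQUAL, CONTAINS, STARTS_WITH = "Equal", "Contains", "Starts With"


@dataclass(frozen=True)
class AlertTypeTrigger:
    operator: str
    value: str
    ignore_case: bool = True  # assumption; verify in the real simulator

    def matches(self, alert_type: str) -> bool:
        left, right = alert_type, self.value
        if self.ignore_case:
            left, right = left.casefold(), right.casefold()
        if self.operator == EQUAL:
            return left == right
        if self.operator == CONTAINS:
            return right in left
        if self.operator == STARTS_WITH:
            return left.startswith(right)
        raise ValueError(f"unknown trigger operator: {self.operator!r}")


@dataclass(frozen=True)
class Alert:
    alert_id: str
    alert_type: str


@dataclass(frozen=True)
class Case:
    case_id: int
    alerts: tuple


@dataclass(frozen=True)
class Playbook:
    name: str
    trigger: AlertTypeTrigger
    actions: tuple  # action names; in the product each belongs to an integration


def simulate(playbook: Playbook, case: Case) -> dict:
    """Dry run: map each alert in the case that fires the trigger to the
    actions that would run. Nothing is executed; this is the pre-production
    check reduced to "would the trigger fire, and on which alerts"."""
    return {
        alert.alert_id: list(playbook.actions)
        for alert in case.alerts
        if playbook.trigger.matches(alert.alert_type)
    }


def compare_operators(value: str, alert_types, ignore_case: bool = True) -> dict:
    """Show how the choice of operator widens or narrows the same trigger value."""
    return {
        op: [t for t in alert_types
             if AlertTypeTrigger(op, value, ignore_case).matches(t)]
        for op in (EQUAL, CONTAINS, STARTS_WITH)
    }


# Constructed sample data (hypothetical alert types and case ID).
SAMPLE_TYPES = (
    "Phishing Email Detector",
    "Phishing Email Detector - Attachment",
    "Internal Phishing Email Detector Test",
    "Malware Detector",
)
SAMPLE_CASE = Case(
    case_id=1001,
    alerts=tuple(Alert(f"alert-{i}", t) for i, t in enumerate(SAMPLE_TYPES, 1)),
)
PHISHING_PLAYBOOK = Playbook(
    name="Phishing triage",
    trigger=AlertTypeTrigger(CONTAINS, "phishing email detector"),
    actions=("Enrich sender domain", "Quarantine message", "Notify analyst"),
)

if __name__ == "__main__":
    for op, hits in compare_operators("phishing email detector", SAMPLE_TYPES).items():
        print(f"{op:<11} -> {hits}")
    print("dry run:", simulate(PHISHING_PLAYBOOK, SAMPLE_CASE))
    # If matching were case-sensitive, the lowercase trigger value would miss
    # every alert in the case, which is exactly what a simulator run reveals.
    strict = Playbook("strict", AlertTypeTrigger(CONTAINS, "phishing email detector",
                                                 ignore_case=False), ())
    print("case-sensitive dry run:", simulate(strict, SAMPLE_CASE))
```

Running the dry run against the sample case shows the practical difference between the operators: Equal fires only on the exact alert type, Starts With also catches the attachment variant, and Contains additionally fires on the internal test alert, which is probably not what a quarantine action should act on. Check the operator choice in the simulator against several real cases before enabling a playbook whose actions have side effects such as quarantining mail or blocking senders.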