SOAR playbook toolkit
The playbook toolkit consists of the customizations, objects, and other tools to help you build playbooks that meet your SOAR requirements.
Before you build a playbook, get familiar with the toolkit. The following sections describe each major tool.
Graphically designing playbooks with Playbook designer
Use the Playbook designer feature to manage and graphically design playbooks.
- Library to access customizations, such as tasks, functions, and scripts, and decision points. The library does not provide access to rules and workflows since those capabilities are embedded.
- Canvas and graphic tools with a flowchart capability for designing playbooks.
- Panels for each node and decision point that provide information and ability to customize the nodes.
The Playbook manager displays all the playbooks and their status. The Playbooks page is the initial page that is shown when you click Playbooks in the menu bar. You can create or edit playbooks.
For each incident, there is a Playbook progress link to show the status of the playbook instance for this incident.
See the following topics for detailed descriptions of the Playbook designer features.
To create and manage playbooks, see Build and manage playbooks.
Playbook designer library
The Playbook designer library provides access to customizations and conditional logic that you use to build your playbook.
You access each area of the library through the toolbar.
- Tasks. Organized by phases. These tasks are also listed in Phases & Tasks under Customization Settings.
- Functions. Organized by app names, with an Other category for those functions that are not associated with an app. These functions are also listed in Functions under Customization Settings.
- Scripts. Organized by object type with a Local category for those scripts available only to the playbook. Except for the local scripts, these scripts are also listed in Scripts under Customization Settings.
- Sub-playbooks. Playbooks that are contained within a playbook. The purpose of a sub-playbook is to create reusable processes based on collections of tasks, scripts, and functions. These sub-playbooks can then be used in multiple playbooks to standardize activities and accelerate playbook design. The sub-playbooks are organized by object type.
- Decision points. Business logic. The following lists the specific
decision points:
- Wait point. Requires all incoming paths to complete before the playbook can proceed to the next node.
- Condition point. Use Boolean operators to evaluate incoming data. The result of the evaluation determines which outgoing path to activate. Use Condition points to make logical decisions that are based on the values of incoming data.
- End point. Signifies the completion of the playbook or a specific path. You can have multiple end points in a playbook that determine the completion of individual paths. All paths must ultimately lead to an End point.
The following graphic shows the Tasks feature open in the library. All tasks are organized by phases.
The library also has a search capability. When you search for functions, the search returns any matches in the name or description, and the function's app name or description. When you search for tasks, the search returns any matches in the task name or instructions. When you search for scripts, the search returns any matches in the script name or description.
Playbook designer canvas
The canvas section of the Playbook designer is the graphic interface where you design your playbook.
When you drag a customization onto the canvas, the customization becomes a node. Each node is numbered sequentially as you add them to the canvas. If you add the same customization multiple times, each instance is an individual node and has its own number. The numbering scheme is used for identification only. Decision points are not nodes and are not numbered.
When you hover over a node or decision point on the canvas, its connectors display as blue dots. Click a dot and drag it to connect it to another node or point.
The canvas includes design tools zoom in, zoom out, zoom to fit, undo, redo, and lasso to group items. It also includes the playbook status, icon to save the playbook, icon to view errors, icon to view details and a menu icon.
The View errors icon is red whenever the playbook contains errors. The node with the error also has the red icon. Clicking the icon displays information about the errors. The example shows three distinct errors.
The View details icon displays information about the playbook. For more information, see Playbook detail pane.
The menu icon presents the Delete playbook option.
Playbook detail pane
The detail pane provides information about the playbook or a selected item.
- Playbook details. Click the View Details icon in
the menu bar to display the following information about the playbook.
- Name of the playbook (editable).
- Description of the playbook (editable).
- Status of the playbook.
- Activation type, which determines how the playbook is activated.
- Object type is the class of data that the playbook acts on.
- Additional information includes who created and updated the playbook and when.
The Revision # field can help you track changes to the playbook. By comparing the revision that is used by a running playbook to the latest version of the playbook, you might be able to troubleshoot issues more quickly. Some changes to a playbook might result in multiple increments to the playbook revision number.
The API name is the same as the initial playbook name without spaces and is used to provide programmatic access the playbook.
- Activation details. Click the activation node on the canvas, which is the
start of the playbook, to display the following information:
- Object type is the class of data that the playbook acts on.
- Activation type. Use Automatic to have a condition you specify activate the playbook. Use Manual to have a user activate the playbook from the object’s Action menu. The object can be any object except email message.
- One or more conditions that define how the playbook is activated.
- Node details. Displays information specific to the selected node, which includes the node number. You can edit the information and create a duplicate of the node. The details pane for functions also displays the input fields, input script if used, and output name.
- Decision point details. Displays information specific to the selected decision point, which includes the incoming and outgoing paths.
The following graphic is an example of a Playbook details panel.
Global and local scripts
You can choose to use global scripts or write a local script specific to the playbook.
A global script is available to every playbook and also included in the Scripts tab in Customization Settings. The playbook library organizes all global scripts by object type.
A local script is available to this playbook only. The playbook library organizes all local scripts in one category called Local.
Global scripts allow for code reuse between playbooks.
A local script is typically used when the code logic makes sense for the current playbook and not other playbooks. For example, a local script is useful in processing the results from a function to convert it for use in a function downstream or save the processed results into incident data.
Scripts use the playbook keyword to access function results and other data available in the current instance of the playbook. For more information, see Playbook operations for scripts.
Input values for functions and sub-playbooks
Similar to a function in a workflow, you can provide the input values to a function or sub-playbook manually or programmatically.
When you select a function or sub-playbook in the library, the details panel lists the names of the inputs. The following example shows two input fields for a function.
If you select a function or sub-playbook on the canvas, the panel also shows the inputs. If the inputs are set to Fields, you see the value for each input field, where each input is a constant value.
If the inputs are set to Script, you see the code of the input script. An input script dynamically retrieves a value for each input field. The input script can access the result of a function, sub-playbook, or a property value entered by a script. An input script can read incident values only. It cannot run activities such as changing incident values and adding artifacts. For more information, see Input scripts.
Function or sub-playbook output
The output of a function or sub-playbook can be accessed by scripts that are started later in the playbook.
The output is the result of an operation, typically provided by a remote app. The output is available only while the instance of the playbook is running.
playbook.functions.results.<output_name>For more information, see Playbook operations for scripts.
Defining incident types
You can use the Incident Types feature to classify the various types of incidents your team addresses.
Review your organization’s policies for responding to events then determine the basic categories of events. As a simple example, you might have three categories: Malware, Intrusion, and Loss of Personal Information. You can create an incident type for each category. Furthermore, you can create subcategories by creating a parent incident type with child incident types. For example, you might have three subcategories of Loss of Personal Information: Executive, HR, and Other.
Define incident types that are relevant and meaningful to the full lifecycle of the incident handling and response actions, specifically, pre, intra, and post incident.
Defining incident phases
Your response policies can go through stages, where the initial tasks might be to gather supporting information during assessment to verify the event. After you gather information, your policies might require more action-oriented tasks.
Use Phases to define each stage of an incident response, essentially capturing the general intent of the response action. Phases logically and visually organize tasks within a playbook, which also helps leadership and management to be able to identify the current work state of the incident.
Like incident types, the phases you need for your environment are largely dependent on your organization’s response approach and tracking methods.
Tasks and instructions
You can define all the tasks that might need to be performed by users, such as an analyst or incident responder.
Tasks can be in the form of a set of instructions or advisories. It can also take the form of an action that a responder selects, which you configure by using the Rule feature. When the responder finishes the task, it can be marked and recorded as completed. As you define the tasks, keep in mind your organization’s policies as to responding to a particular situation. Make sure to have these tasks specific and repeatable to the incident or situation at hand.
Tasks also play a vital role as a system of record and as a method of training. Analysts new to your organization can quickly learn specific processes by following the playbooks.
You create and manage the pool of tasks in the Phases & Tasks tab under Customization Settings, where you also assign the task to a phase.
You can dynamically add these tasks to a specific incident through playbooks, workflows and the configurations of rules, their conditions and activities. The conditions for adding tasks can be based on the field values of the following objects: incident, tasks, notes, milestones, artifacts, attachments, and data tables.
Layouts, fields, and data tables
The Incident Layouts feature helps you to visually present the incident. You can drag the different elements into a layout, and set conditions to filter out unnecessary information.
Within each layout, you can organize information by fields and data tables.
You can use fields as data capture points for analysis review and to produce metrics. Features, such as rules, reports, and analytic dashboards, can access the values in fields. Make sure to have the fields be distinct, specific, and purposeful.
You can use data tables to capture and organize field values in a spreadsheet table format. Features, such as rules and reports, can access the values in data tables. Data tables can also be used in apps, where the information that is escalated from another security program populates the data table with values. Depending on the app, a user might be able to access limited capabilities of that security program directly from the data table.
You create and manage fields and data tables from the Layouts tab where you can add them to the various incident tabs.
You can also create fields and data tables for other features, such as tasks and functions. Creating fields within tasks allows users to spend more time to perform actions and capture information directly in the tasks and less time to switch between the incident tabs. When possible, add relevant fields to each task for more efficient data capture AND the layout of the appropriate incident tabs to allow ease of review and reporting.
Using scripts for complex logic
Use the Scripts feature to implement more complex business logic.
For users familiar with writing Python scripts, you can write scripts to access incident data (same data as accessed by rules) then run activities more complex than can be handled by rules. Scripts can be triggered by playbooks, rules, or workflows.
Functions use scripts to provide input values. In Playbook designer, it is called a function input script. In workflows, it is a pre-process script.
Playbooks have local scripts, which apply only to the playbook where it was created. These scripts have extra operations to access the output of functions in the playbook.
Workflows allow simpler scripts to be used as conditions for inclusive and exclusive gateways.
Functions and scripts in playbooks
Functions that are provided by apps can be used to integrate with other security systems.
A function is an object that sends data to a remote app through a message destination. The app runs an activity then returns the results. Functions can be triggered by playbooks and workflows.
- Perform lookups.
- Send attachments for analysis and add the resulting report to the incident.
- Start an external action then return the results for use in decision-making processes.
A function has one or more inputs and provides a result in JSON. You can provide static values for inputs manually or variable inputs programmatically by a script. When triggered, the function sends the input values to the remote app by way of a post to a message destination and waits for a result. You use the result as a decision point in the playbook or workflow.
When you use a script to set the input value of one or more of the function’s input fields, you can use the script to retrieve the current value of a property then provide that value to the function. However, the script cannot run such activities as changing incident values or adding artifacts.
You can have script take as input the function’s result. The script can change incident values, add artifacts, add rows to a data table, and more. You can also save the function’s result for use by functions later in the playbook workflow path.
You can create and manage functions in the Functions tab. Typically, app developers create functions to use with an app that can then be installed in multiple SOAR Platform instances.
Workflows in complex decision-making processes
A workflow is a graphically designed set of activities that you use to create a complex set of operations.
Workflows are triggered by rules and provide more complex decision-making processes. You design each workflow to represent a specific business process. As a simple example, you can use a workflow to determine the geographic location of an event then implement a specific set of activities based on that location.
When you design rules and workflows, generally use workflows to define any conditional logic, sequencing, and orchestration of human tasks and automated activities. Use rules for implementing general, higher-level business logic, such as “include the privacy team on the incident when a data breach occurs.”
For complex processes, you can simplify your design by creating smaller, repeatable workflows that can be called by other workflows.
- Gateways, which are used to make logical decisions.
- Other workflows
- Scripts
- Timers
- User tasks
- Functions
- Message destinations
You create workflows in the Workflows tab, which has a graphics editor, making it easy to design workflows.
You cannot use workflows in a playbook that was created by the Playbook designer tool.
Using rules to define a set of activities
Rules define a set of activities that are triggered when conditions are met.
An activity is an operation that the rule runs when the appropriate conditions are satisfied. The activity can be as simple as adding a task to the incident or setting incident values, or more sophisticated such as starting scripts, workflows, and sending data to external programs.
Each condition is statement that includes a field, an equation, and a value. The condition is met when the statement evaluates to true. Conditions can be combined by using Boolean “AND/OR” logic.
- Automatic. An automatic rule runs without user involvement when its conditions are satisfied.
- Menu Item. A menu item rule displays in the SOAR Platform as an action in the designated object’s Actions drop-down menu and runs only when a user starts it.
- Ordered. Ordered activities include setting incident field values, adding tasks into the task list, running internal scripts to implement business logic, and placing items on message destinations to be acted upon by apps. You use Ordered Activities to identify the tasks to be done, when the tasks are fairly straightforward.
- Workflow. Workflow activities start business process workflows, graphically designed, that you can use to implement more sophisticated playbooks.
- Message Destination. Use message destinations to post transaction data for use by external scripts and programs.
You can add conditions, order those conditions, add activities, provide the rule’s results to an external program, and more.
When you use rules, the term “playbook” is not shown in the user interface.
Validating playbooks with simulations
Simulations are hypothetical circumstances that can help your team to understand the impact of data loss situations and rehearse the response process.
Simulations allow users to create incidents for testing to see how each component of your playbook responds. You can use it to verify that your playbook responds as you expect, and to fine-tune it for more efficient responses.
Simulated risk assessments allow users to test the implications of a data breach situation without keeping it in your organization’s record. The wizard collects basic information about a hypothetical data breach event. It ends with an assessment that includes a summary of the recommended steps to be taken and the estimated fine liability.
To run a simulation, click Create incident menu and select Create simulation then complete the incident entry wizard. You can use the same actions on simulations as you can on incidents, as described in the Introduction to incident response. Simulated scenarios are distinguished within the system by a SIM icon. The process of working with simulated items is identical to working with real incidents.
To close an active simulated incident, click Close Incident within the appropriate incident.
Workspaces and playbooks
Workspaces are contained areas that can be used to organize incidents for ease of management.
If your organization is using workspaces, consider which workspace is appropriate for incidents when you add conditions to rules or layouts. For example, you can send incidents to specific workspaces or identify which workspace contains a specific incident.
For more information about workspaces, see SOAR platform workspaces.
SOAR apps and playbooks
An app is a collection of playbook components, code, or both that represent an end-to-end function and is deployed to the SOAR Platform.
Playbook components can include functions, rules, workflows, Python scripts, custom fields, data tables, and message destinations. Code can access and return external data, interact or integrate with other security systems, or be a utility that runs a specific action.
An app is available in two formats. One format requires the App Host Kubernetes-based container environments. The other format, called an extension, requires an integration server.
- Function (most common type). A SOAR object that sends data to a remote function processor through a message destination after it is started by a workflow. The function processor runs an activity and returns the results to the workflow.
- Custom Action. Similar to a function but does not require the SOAR function component. A custom action can populate a custom field or data table within the SOAR Platform, where a function returns the results to the workflow that started the function.
- Threat Services. Provides artifact scanning. The SOAR Platform includes “built-in” threat services that you can enable or disable from the Threat Sources tab, as described in the System Administrator Guide. You can also provide your own custom threat services to provide artifact scanning from your threat sources.
- Plug-ins. Use it to integrate the SOAR Platform with a security app, which uses the SOAR API and your system’s RESTful API for bidirectional communication. IBM Security provides apps that you can use to integrate with security apps such as QRadar, Splunk, and BigFix. And you can develop your own.
You can download existing app packages from the IBM® X-Force® Community App Exchange. You must have an account to download packages.
You can download apps that support the container environment directly to the SOAR Platform, as described in the Apps section of the System Administrator Guide.
You download function and custom action Python apps in the extension format to an integration server. See the Integration Server Guide for details.
App developers can also create their own apps. For function-based apps in either format, see the App Developer's Guide.
For other types of apps, see the SOAR Developer web site. The Reference page on the website provides pointers to various developer documents, such as the Custom Action Developer's Guide.
Conditions in playbooks
A condition triggers a playbook or rule.
A condition is a statement that includes a field, an equation, and a value. When the condition statement evaluates to true, it triggers its playbook or rule.
Both playbooks and rules require at least one condition to be triggered. Rules have a default condition. Playbooks do not.
The condition is based on the object type, which determines the fields that are available to be used as conditions. With some object types, you can select fields from their parent object; for example, you can select incident fields for a Task or Note object type.
| Operator | Description |
|---|---|
| is created | Condition is True when the object is created. If you use rules, do not use this operator to add tasks in the Activities section. |
| is added [a] | Condition is True when the value [a] is added. |
| is equal to [a, b, c] | Condition is True when the values [a, b, c] are the only ones present. It must be an exact match. |
| is not equal to | Condition is True when the object value is not the same as the one listed in the condition. |
| contains [a, b, c] | Condition is True when at least the values [a, b, c] are present. There can be more, but no less. |
| has one of [a, b, c] | Condition is True when at least one of the values [a, b, c] is present. |
| has a value | Condition is True when the object has a value. |
| does not have a value | Condition is True when the object does not have a value. |
| has one of | Condition is True when the object has a specific value. |
| does not have one of | Condition is True when the object has a value other than the listed values. |
| is changed | Condition is True when the object's value changes. This operator is available only to Automatic Rules. |
| is changed to [a, b, c] | Condition is True when the object's value is changed to [a, b, c]. This operator is not available to Menu Item Rules. |
| is not changed to [a, b, c] | Condition is True when the object's value is changed to value other than the selected values. This operator is not available to Menu Item Rules. |
| is included within [a, b, c] | Condition is True when at least one of the Incident Type field values [a, b, c] or any of their child incident types is a value. This operator is available only to the Incident Type field. |
- Select All to trigger the playbook or rule only when all individual conditions evaluate to true (they are AND’ed together).
- Select Any to trigger the playbook or rule when any one of the conditions is true (results are OR’ed).
- Select Advanced to define your own logical statement using the AND, OR, and NOT operators. You can also use their respective symbols, &&, || and !. For example, 1 OR (2 AND 3) means that when condition 1 is set to True, it triggers the playbook or rule. Conditions 2 and 3 both set to True triggers the playbook or rule. To avoid unexpected results, make sure to use parentheses for complex expressions.