Playbook design basic concepts
The IBM Security® QRadar® SOAR Platform provides the logic to create playbooks that meet your Security Orchestration, Automation, and Response (SOAR) needs.
A playbook is the set of tools, conditions, business logic, flows, and tasks that are used to respond to security events and threats in a SOAR environment.
- Orchestration. An environment where security tools and solutions can work together to detect, respond, and provide remediation of security events and threats.
- Automation. Detection and response to events and threats without human intervention. It includes updating the response as the event progresses and changes.
- Response. Embedded methodical processes to respond and provide remediation of events and threats.
Orchestration and playbooks in SOAR
The SOAR Platform takes in data to create incidents and interacts with the SOAR environment to address and resolve security events.
The SOAR Platform accepts data that is entered manually or programmatically. You then use the various playbook tools to evaluate and process the data, determine results, and perform remediation. This can include interacting with other security programs and assigning manual tasks to users. The playbook tools include playbooks, conditions, scripts, functions, rules, workflows, and tasks. In addition, you can use fields, data tables, and artifacts to contain data, and phases and reports to track progress.
The following example shows the SOAR Platform in a SOAR environment.
The Authentication block shows the Identity Provider mechanisms.
The Email Infrastructure block shows the mechanisms to create incidents by email. In addition to IMAP, Exchange and OAuth are also supported. The SMTP Outbound notification is the mechanism to email users when specific events occur.
The Threat Services block shows the mechanism to check data, such as a file name, MAC address, and suspicious URL, with various cyberthreat sources.
The Orchestration block shows an example of interaction with other programs. The App Host is a separately installable software package that allows the SOAR Platform to communicate with apps, which are typically used to communicate with other security systems. The apps allow other security programs to generate incidents from email, SIEMs, ticketing systems, or other sources, and to include artifacts such as IP addresses, file hashes, URLs, usernames, and system names. Apps can also access incident data, process that data, and return the result. Depending on the level of integration, users can run commands on the data within the SOAR Platform, and the result is then accessed by the security system.
The SOAR Platform contains various playbooks that you design. Three different playbooks are shown as examples. The playbook runs when the conditions that you define are met. A condition is a change to an instance of the object type selected in the playbook. When the condition is met, the playbook can perform actions such as the following:
- Run a script.
- Start a function (or a workflow when you use rules). A function can also be used to send data to an outside app.
- Add a task.
- Add or update data in a field.
- Add a row to a data table.
- Provide data to the next step in the playbook to determine progress.
SOAR playbooks, rules, and workflows
You use a playbook to define the response to incoming and changing events.
A customization is a tool within the playbook toolkit that can act upon, supplement or contain data. Customizations include functions, message destinations, tasks, notes, artifacts, and scripts.
- Playbook designer. A graphic-based tool that you use to define the conditions to trigger the playbook, and organize various customizations into a comprehensive set of actions.
- Rules and workflows, formerly referred to as dynamic playbooks. Use rules to define the conditions that trigger the playbook and the subsequent activities. Workflows are a graphically designed set of activities that you use to create a complex set of actions from various customizations.
The Playbook designer is the next step in the evolution of playbook design. You can graphically design your conditions and subsequent activities. It uses all of the customizations in the playbook toolkit except rules and workflows, since it incorporates the capabilities of each.
Rules and workflows provide more flexibility in addressing use cases. You can use rules to define more advanced conditions. Workflows are triggered by rules. You use workflows to graphically design your activities by using customizations in the toolkit. Unlike the Playbook designer, playbooks that are built with rules and workflows are not shown graphically in the user interface.
Ideally, design your playbook with the Playbook designer when possible, and use rules and workflows to address use cases not supported by the Playbook designer.
You build multiple playbooks for different scenarios. One playbook can trigger another playbook if the result of the first playbook matches the condition set by the second playbook.
Incidents and objects in playbooks
An incident is an event in which data or a system might be compromised. An object represents a type of data.
Users or apps can create incidents in the SOAR Platform. You can monitor the status from the start to the resolution of the incident. An incident can have the following child objects:
- Task. A unit of work to be accomplished by a user, device, or process. The SOAR Platform handles some tasks automatically. Other tasks can be assigned to users, which they accomplish manually and mark them as complete when done. Incident owners can track the progress of the various tasks.
- Note. Text added to an incident or task that provides clarification or additional information.
- Attachment. A file that is uploaded and attached to an incident or task.
- Artifact. Data that supports or relates to the incident. The SOAR Platform organizes artifacts by type, such as file name, MAC address, suspicious URL, MD5 and SHA1 file hashes, and more. An artifact can also have an attachment, such as an email, log file, or malware sample.
- Milestone. A date for an important event within the incident timeline.
- Data Table. Field values organized in a tabular format.
- Email Message. An email message sent to the SOAR Platform for analysis.
The task object can also have notes and attachments as child objects.
The parent-child relationship matters because you can access an object's child or parent data within a single transaction (an instance of a rule, script, or workflow). Accessing any other object requires another transaction.
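The following added example (not QRadar SOAR's own script or REST API, but a constructed in-memory model) ties together the trigger-and-action description above and the single-transaction rule: a playbook whose object type is Artifact is triggered when an artifact is created, checks a condition on the artifact type, and then acts on the parent incident (add a data table row, update a field, add a task or note) without leaving the transaction. The class names, field values, and the `threat_hit` flag standing in for a threat-service function result are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Incident:
    id: int
    severity: str                         # assumed field values: Low, Medium, High
    tasks: list = field(default_factory=list)
    notes: list = field(default_factory=list)
    data_table: list = field(default_factory=list)   # rows of an assumed data table

@dataclass
class Artifact:
    type: str                             # e.g. "IP Address", "MD5 Hash", "URL"
    value: str
    incident: Incident                    # the parent object

# Assumed condition: object type Artifact, triggered on creation, and only
# for these artifact types (the playbook does not run otherwise).
TRIGGER_TYPES = {"IP Address", "MD5 Hash", "URL"}

def artifact_created(artifact: Artifact, threat_hit: bool) -> list:
    """Evaluate the playbook condition and, if met, perform its actions.

    Everything here is one transaction: the artifact (child) and its parent
    incident are both reachable, but no other incident is."""
    if artifact.type not in TRIGGER_TYPES:
        return []                         # condition not met: playbook does not run
    incident = artifact.incident          # parent object, no extra transaction needed
    done = []
    # Action: add a row to a data table recording the lookup result.
    incident.data_table.append({"type": artifact.type, "value": artifact.value,
                                "malicious": threat_hit})
    done.append("add_data_table_row")
    if threat_hit:
        if incident.severity != "High":   # Action: update a field
            incident.severity = "High"
            done.append("update_field")
        incident.tasks.append({"name": f"Review {artifact.type} {artifact.value}",
                               "status": "open"})      # Action: add a manual task
        done.append("add_task")
    else:
        incident.notes.append(f"{artifact.type} {artifact.value}: no threat match")
        done.append("add_note")           # Action: add a note
    return done                           # data handed to the next playbook step

def demo():
    inc = Incident(id=1001, severity="Low")   # constructed sample incident
    hit = artifact_created(Artifact("IP Address", "203.0.113.10", inc), threat_hit=True)
    miss = artifact_created(Artifact("MD5 Hash", "d41d8cd98f00b204e9800998ecf8427e", inc), threat_hit=False)
    skipped = artifact_created(Artifact("System Name", "host01", inc), threat_hit=True)
    return inc, hit, miss, skipped
```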
SOAR playbooks and use cases
This section defines four basic use cases and provides examples of existing apps that can be used in these scenarios.
- Monitoring and Escalation
When a significant event occurs, applications connect to the SOAR Platform to escalate incidents from email, SIEMs, ticketing systems, and other sources. They include artifacts such as IP addresses, file hashes, URLs, usernames, and system names.
The App Exchange contains two such apps, SOAR QRadar integration and SOAR Integration for Splunk.
- Identification and Enrichment
Automatic threat intelligence lookups, playbooks or workflows, and menu-driven actions deliver valuable context, reduce the time needed to identify scope and impact, and enable a rapid, decisive response. Trigger sandbox evaluation and build playbooks to act on the results. Search logs and endpoints, then make decisions based on the data. Include Configuration Management Database (CMDB) and directory information to help analysts make an accurate assessment of severity and impact. Pivot on these critical data elements to dynamically adjust the way that your team responds.
- Containment, Response, and Recovery
Based on trigger conditions, or based on manual actions, the SOAR Platform can send notifications or initiate external activities to contain and adjust your security posture as a part of your response playbook. The Ansible® for Resilient® app is an example of this type of app.
- Communication and Coordination
By integrating beyond the SOC, users can coordinate a fast and effective incident resolution from the SOAR Platform. Integrate bi-directionally with ticketing and service management, smart notifications, communication platforms, and other business applications. Email is a simple example of the communication and coordination aspect. See the description of the Outbound Email for Resilient app.