This document explains how to create your first automation using the actions you created in Create custom actions.
The playbook you'll build is for a basic phishing use case and automates the following steps:
Extract domain details: The playbook extracts the domain from a URL found in an alert.
Enrich the domain: It then enriches the entity with additional information.
Add an insight: The playbook adds an insight containing the domain's country.
Check a custom list: It checks if the country is on a custom list.
Use an IF condition: An IF condition is used to determine if the case requires further investigation based on whether the country is on the custom list.
Enable actions in the playbook designer
To make sure that the custom actions you created are enabled in the Integrated Developer Environment (IDE), click the Enable toggle to the on position. Once enabled, these actions are available in the playbook designer.
Create a custom list of OECD countries
To determine if a domain's country requires further investigation, you need to create a custom list of Organisation for Economic Co-operation and Development (OECD) countries. You can then use this list in your playbook to check against the domain's country.
To create a custom list of OECD countries, follow these steps:
Go to Settings > Environments.
Click Custom lists.
In the Custom lists section, click Add.
In the Add Custom List dialog, enter an Entity Identifier, Category, and Environment.
Click Add.
Create an automation playbook
To create an automation playbook, follow these steps:
Go to Playbook Designer and click Add.
In the Create New dialog, select the Playbook radio button.
Choose a folder and an environment for the playbook.
Enter a name for the playbook (next to the playbook toggle) to start customizing your playbook.
Every playbook starts with a trigger. To set this playbook's trigger, drag the All trigger from the Triggers menu to the first step of the playbook. This causes the playbook to activate on every alert ingested into Google Security Operations.
Create a playbook
To create a playbook using the actions from your "WHOIS XML API" integration, follow these steps:
In the Actions tab, click the WHOIS XML API list. Your custom actions will appear under the integration name. If they're not visible, confirm that they're enabled and saved in the IDE module.
Drag the Get Domain Details action into the playbook, placing it right after the trigger.
Customize the action
You can customize the action to run on a specific scope. In this example, run the action on all entities that are URLs. For the domain name field, use the Entity.Identifier placeholder.
To make these customizations, do the following:
Insert the placeholder: click Placeholder and search for Entity.Identifier in the search bar. This action connects to the "WHOIS" site, extracts the details of the domain, and presents them in JSON format.
Define the scope. The action connects to the "WHOIS" site, extracts domain details, and presents them in JSON format.
Check availability. The Check Availability parameter you defined for the action checks if the domain is available or not.
After adding the Get Domain Details action, drag the Enrich Entities action into your playbook. Customize it to run on All URLs. Because you designed this action to operate on a specific entity scope, you don't need to define the Domain name field, as you did with the previous action.
Add the Entity Insight action
Add the Add Entity Insight action, which is part of the Google SecOps Integration:
Define the scope. For the Entity scope, select All URLs, as you did for the previous actions in the playbook.
Extract the JSON field. In the Insight field, open the Google SecOps Expression builder to extract the country field from the JSON result.
Open the expression builder for the JSON output: Click the placeholder icon (data_array), choose the playbook list, and select WHOIS XML API_Get Domain Details_1.JsonResult. This opens the expression builder for the JSON output.
Extract the country field from the JSON
The JSON sample in the expression builder is the same one you inserted in the IDE for Create your custom action. To extract the `Country` field, follow these steps:
Click Country in the JSON.
Click Run to test the placeholder, and view the result under the Results field.
Create an entity
To run the Is in custom list action, you need to create a new entity from the country related to the domain. To do this, follow these steps:
From Google SecOps Integration, drag the Create Entity action into the playbook.
Configure the action to run on All URLs.
Use the expression builder to insert the country placeholder in the Entity Identifies field. For the Entity Type, choose Generic Entity and click Save.
Add the Is in Custom List action:
Drag the action into the playbook.
Configure it to run on all generic entities (the entity you just created).
For the Category, add the category you configured for your custom list of OECD countries.
Add the IF condition to your playbook to determine whether the domain's country requires further investigation. The first branch checks whether the script result for the Is in Custom List action returned a false result, and the Else branch handles the opposite result.
Add the IF Condition action to your playbook. Two branches appear.
Customize the first branch. The first branch executes if the Is in Custom List action returns a false result. This means the domain's country is not in your custom list of OECD countries and requires further investigation.
For the first action in this branch, drag a Case Tag action from the Google SecOps integration.
Assign the case to a higher tier
Assign the case to a higher tier to further investigate this case. To do this, follow these steps:
Drag the Assign Case action to the playbook.
Choose @Tier2 as the Assigned User.
Change the priority
Change the priority to High using the Google SecOps Change Priority action, then click Save.
Customize the Else branch
After finishing the first branch, you can customize the Else branch.
This branch handles cases where the domain's country is an OECD country, which you've decided doesn't require further investigation. To configure the Else branch, follow these steps:
Add a case tag, as you did in the first branch, with the label In OECD countries.
Add a Close Case action to this branch. Because closing a case is a sensitive action, you should configure it to run manually. In the Settings section of the action, select Manual mode.
In the Parameters section of the Close Case action, add the Reason, Root Cause, and Comment.
Click Save to save the playbook with the added parameters.
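The branch logic built in the steps above, modelled offline in Python as an added example; it is not part of the original page and does not use the Google SecOps SDK. The flat JSON with a Country key, the list contents, the first-branch tag label, and the handling of a missing country are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed subset standing in for the OECD custom list category.
OECD_CUSTOM_LIST = {"germany", "japan", "france", "canada"}
# Hypothetical tag label: the page does not name the first branch's tag.
FIRST_BRANCH_TAG = "Country not in custom list"

def host_from_url(url):
    """Return the lower-cased host of a URL entity, or None if absent."""
    return (urlsplit(url).hostname or "").lower() or None

def country_from_result(json_result):
    """Extract the Country field from the action's JSON result text."""
    try:
        data = json.loads(json_result)
    except (TypeError, ValueError):
        return None
    value = data.get("Country") if isinstance(data, dict) else None
    return value.strip() or None if isinstance(value, str) else None

def plan_case(url, json_result, custom_list=OECD_CUSTOM_LIST):
    """Model the insight, custom list check and IF/Else branch for one alert."""
    country = country_from_result(json_result)
    # Assumption: compare case-insensitively; a missing country counts as
    # "not in list" so the case is escalated instead of closed.
    in_list = country is not None and country.lower() in custom_list
    if in_list:
        steps = [("Case Tag", "In OECD countries"), ("Close Case", "Manual")]
    else:
        steps = [("Case Tag", FIRST_BRANCH_TAG), ("Assign Case", "@Tier2"),
                 ("Change Priority", "High")]
    return {"domain": host_from_url(url), "insight": country,
            "in_custom_list": in_list, "steps": steps}

if __name__ == "__main__":
    # Constructed alerts: (URL entity, JSON result as the action might return it).
    samples = [
        ("https://login.example.com/reset", '{"Country": "Germany"}'),
        ("http://portal.example.net/a", '{"Country": "Exampleland"}'),
        ("http://files.example.org/x", '{"Country": ""}'),
    ]
    for url, result in samples:
        print(plan_case(url, result))
```

Running the same sample inputs through Simulate Cases and comparing the branch taken shows whether the custom list entries and the WHOIS country values are spelled consistently.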
View the playbook execution
To see your customized automation in action, follow these steps:
In Cases, click Add > Simulate Cases.
Select Phishing Email case > click Create.
Select the Environment > click Simulate to simulate the playbook execution.
View the playbook running on the alert and see the results of each action in the playbook.
Last updated 2025-09-07 UTC.