Use actions in playbooks
Actions are the next set of components that you can define for a playbook. Each action is categorized under an integration in the system. They include tasks or actions to be performed by the playbook.
For example, you can assign an analyst to a case, or, for an external product integration (for example, Trellix ePO), you can set an action to update the Trellix Agent. Each integration has its own list of sub-actions.
To use the required Actions, make sure you have the integrations downloaded and configured from the Google Security Operations Marketplace. For more information about integrations, see Configure integrations.
When the playbook runs, each action will return information that can include the following:
- Output message, tables, attachments, links, JSON
- Script result (only valid within the playbook itself)
You can see this information on the case wall or in the right panel of the case screen.
Glossary of terms used within actions
- Parameters: Input of some type including text or placeholder (Google SecOps variable), or list options.
- Placeholders: Google SecOps variable which will be populated at running time. For more information about parameters and placeholders, see Use the Expression Builder.
- Enrichment: Gathers more information and attributes on an entity. See the Enrichment section later on this page.
- Script Result: Google SecOps-defined return value of an action.
- JSON Result: Raw data that the action returns.
- Expression Builder: Enables manipulating JSON results and extracting specific data to use in Playbook actions. See Using the Expression Builder for more information.
Add an action
To add an action to the playbook:
- In the Playbooks screen, click Add Step.
- In the Step Selection tab, select the Actions section.
- In the Actions section, click the down arrow next to an integration name and select the action item. In this example, select Email > Send Email.
- Drag the Send Email item to Drag a step over here or to the blue dots between existing actions.
- Double-click to open the sidebar. The sidebar shows the name and description of the action, as well as the action result as shown by the Output Name. For this procedure, assume you are in the middle of a DLP Use Case playbook and fill out the fields accordingly.
- Choose the Instance to use for this playbook. For more information on Instances, refer to Working with Instances.
- Specify which entities the action will run on.
- Specify the email recipient for this action. For this example, add an Entity Identifier placeholder.
To add a placeholder:
- In the Recipients field, click the placeholder icon ([ ]).
- In the Placeholder Selection, select Object > Entity.Property > Identifier.
- Click OK.
- Click Save. The action is saved as Action name_Sub Action name.
Assign Actions
You can assign Actions or Playbook blocks to a specific user/SOC role in the Playbook Designer. The Assignee decides the outcome of the Manual Action or Playbook Block for the Playbook run. You have the option to include a message about the action that the Assignee needs to take. You can also enable Time to respond and enter the time they have to complete the action. The timer starts the countdown from when the playbook reaches that part of the flow. For more information, see Assigning Actions and Playbook blocks.
To assign an Action in a Playbook:
- Double-click on the required Action in the Playbook.
- Select Manual from the Action Type list.
- Select the user/SOC role from the Assign To list.
- Add a message explaining what needs to be done. You have the option to insert a Placeholder in your message. This message is displayed to the user in the Pending Actions widget on their Homepage and in the Cases Overview.
- Optionally, enable Time to respond and enter the time by which the Action needs to be completed.
Note that if the user doesn't respond within the time selected here, you can use If Step fails together with If previous action fails in the next Playbook conditional step to control the flow.
- Click Save.
After a Playbook is triggered, usually following an Alert being ingested into the platform, it runs until it reaches the Manual Action. This action appears in the Case Overview > Pending Actions widget and on the Homepage, where the user needs to execute or skip the action.
Enrichment
Enrichment is additional data collected on an entity (such as hosts, IPs, and artifacts).
Click an entity on the Cases tab to see all the existing attributes that belong to that entity. These attributes, also known as "enrichment" parameters, can also be used in placeholders. If you find you are missing attributes on an entity, you can use an Action to execute enrichment on that entity. The following procedure gets more information on a User in Google SecOps.
- Go to the Cases screen and highlight a specific case.
- Click Manual Action located on the right side under the Case Top Bar. The Manual Actions dialog opens.
- Select Google Workspace > Enrich Entities, and then select a specific entity. In this example, select the user Javiers. Click Execute. Once the green arrow appears, close the dialog.
- In Entities Highlights, click the entity Javiers. A new Entity Explorer screen appears. Scroll to display the person that Javiers reports to.
- Return to the main Case screen. All the enrichment attributes are now in the Google SecOps platform and are treated as entities in their own right. For example, the person that Javiers reports to can now be chosen as an entity. This is shown in the Create a new Entity procedure in the next section.
Entity
The analyst will choose the required entity when building the Playbook. There are different sets of entities that the Action will run on. You can also choose to add new entity sets.
To create a new entity for a single Playbook:
- In the Actions column, select Flow > Entity Selection, and drag it into the Final Box.
- Click Entity Selection.
- Select the required entity parameters. In this example, select the Reports To entity (now populated in the system by the Enrichment Action run earlier) and set it equal to Director. Click Save.
- The new entity set is saved under the name Entity_Selection_1 and is available for use when choosing any new entity in this specific Playbook. Note that if you create several new Entity Selections, they are named with ascending numbers after the underscore.
Copy, Cut, Paste and Delete Actions
- Place the cursor on the required step and right-click to Cut/Copy/Delete/Paste. You can copy and paste steps within the current playbook or in another one.
- To select multiple steps, press the Shift key and left-click while highlighting the required steps. Then place your cursor over one of the steps and right-click to Copy/Cut/Delete/Paste.
- Double-click on a step to open the step configuration.
Re-running an Action
The Playbook builder might have configured a Playbook to stop if an Action fails. If this happens, select the failed Action and an error message appears. This gives you the chance to correct a parameter that you might have entered by mistake and then re-run the action.