Using Actions in Playbooks
Actions are the next set of components that you can define for a playbook. Each action is categorized under an Integration in the system. They include tasks or actions to be performed by the playbook.
For instance, you can assign an analyst to a case, or in case of an external product integration (for example, Trellix ePO product), you can set an action to update the Trellix Agent. For each Integration, there is a list of sub-actions.
In order to use the required Actions, you need to make sure you have the Integrations downloaded and configured from the Google Security Operations Marketplace. Refer to Configure Integrations for more information.
When the playbook runs, each action will return information that can include the following:
- Output message, tables, attachments, links, JSON (these will be displayed on the screen)
- Script result (only valid within the Playbook itself)
You can see this information either in the Case Wall or in the right side panel of the Case screen.
Glossary of Terms used within Actions
- Parameters: Input of some type including text and/or placeholder (Google Security Operations variable), drop-down options, etc.
- Placeholders: Google Security Operations variable which will be populated at running time. See here for further information on Parameters and Placeholders.
- Enrichment: Gathers more information and attributes on an entity. See below for further information on using Enrichment.
- Script Result: Google Security Operations defined return value of an Action.
- JSON Result: Raw data that the Action returns.
- Expression Builder: Enables manipulating JSON results and extracting specific data to use in Playbook actions. See Using the Expression Builder for more information.
Adding an Action
To add an action to the playbook:
- In the Playbooks screen, click Add Step.
- In the Step Selection tab, select the Actions section.
- In the Actions section, click on the down arrow next to an Integration name and select the action item. In this example, select Email > Send Email.
- Drag and drop the Send Email item onto the Drag a step over here area or onto the blue dots between existing actions.
- Double click to open the sidebar. The sidebar shows the name and description of the Action as well as the Action result as shown by the Output Name. For this procedure, we will pretend we are in the middle of a DLP Use Case Playbook and fill out the fields accordingly.
- Choose the Instance to use for this Playbook. For more information on Instances, refer to Working with Instances.
- Specify which entities the Action will run on.
- Specify the email recipient for this action. For this example, we will add an Entity Identifier placeholder.
To add a placeholder:
- In the Recipients field, click the placeholder icon ([]).
- In the Placeholder Selection, select Object > Entity. Property > Identifier.
- Click OK.
- Click Save. The Action is saved as the Action name underscore Sub Action name.
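To make the placeholder step concrete, the following added example (not code from the Google Security Operations product or its documentation) models how a placeholder such as [Entity.Identifier] in an action parameter is resolved at run time for each entity the action runs on. The bracketed Object.Property syntax, the entity and case field names, and the sample values are all assumptions constructed for the example.

```python
import re
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample data: the entities attached to a case and the case itself.
# These stand in for what the platform would supply when the playbook runs.
ENTITIES: List[Dict[str, str]] = [
    {"Identifier": "javiers@example.com", "Type": "USER"},
    {"Identifier": "10.0.0.5", "Type": "ADDRESS"},
]
CASE: Dict[str, str] = {"Id": "12345", "Title": "DLP - possible data exfiltration"}

# Assumed placeholder syntax: [Object.Property], e.g. [Entity.Identifier] or [Case.Id].
PLACEHOLDER = re.compile(r"\[(?P<obj>[A-Za-z]+)\.(?P<prop>[A-Za-z_]+)\]")


class UnresolvedPlaceholder(KeyError):
    """Raised when a template names an object or property the context lacks."""


def resolve(template: str, context: Dict[str, Dict[str, Any]]) -> str:
    """Replace every [Object.Property] in template with its value from context.

    A missing object or property is an error rather than being silently replaced
    with an empty string, so a mistyped placeholder fails the action visibly.
    """

    def substitute(match: "re.Match[str]") -> str:
        obj, prop = match.group("obj"), match.group("prop")
        try:
            value = context[obj][prop]
        except KeyError:
            raise UnresolvedPlaceholder(f"[{obj}.{prop}]") from None
        return str(value)

    return PLACEHOLDER.sub(substitute, template)


def expand_per_entity(
    template: str,
    entities: Iterable[Dict[str, str]],
    case: Dict[str, str],
    entity_types: Optional[Iterable[str]] = None,
) -> List[str]:
    """Resolve template once per entity the action is scoped to run on.

    entity_types models the 'which entities the Action will run on' choice:
    when given, only entities of those types are used.
    """
    allowed = set(entity_types) if entity_types else None
    results = []
    for entity in entities:
        if allowed is not None and entity["Type"] not in allowed:
            continue
        results.append(resolve(template, {"Entity": entity, "Case": case}))
    return results


if __name__ == "__main__":
    # The Recipients field from the Send Email step above, resolved per entity.
    print(expand_per_entity("[Entity.Identifier]", ENTITIES, CASE, entity_types={"USER"}))
    print(resolve("Case [Case.Id]: [Case.Title]", {"Case": CASE}))
```

Scoping the action to USER entities keeps the IP address from being expanded into an email recipient, which is the same effect as choosing the entity scope in the step sidebar.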
Assign Actions
You can assign Actions or Playbook blocks to a specific user/SOC role in the Playbook Designer. The Assignee decides the outcome of the Manual Action or Playbook Block for the Playbook run. You have the option to include a message about the action that needs to be taken by the Assignee. You can also enable Time to respond and add in the time they have to complete the action. The timer starts the countdown from when the playbook reaches that part of the flow. For more information, see Assigning Actions and Playbook blocks.
To assign an Action in a Playbook:
- Double click on the required Action in the Playbook.
- Select Manual from the Action Type list.
- Select the user/SOC role from the Assign To list.
- Add a message explaining what needs to be done. You have the option to insert a Placeholder in your message. This message will be displayed to the user in the Pending Actions widget on their Homepage and in the Cases Overview.
- Optionally, enable Time to respond and enter the time that the Action needs to be completed by.
Note that if the user does not respond within the time selected here, you can use If Step fails together with If previous action fails in the next Playbook conditional step in order to control the flow.
- Click Save.
After a Playbook is triggered, usually following an Alert being ingested into the platform, it runs until it gets to the Manual Action. This action appears in the Case Overview > Pending Actions widget and in the Homepage and the user needs to execute or skip the action.
Enrichment
As defined above, enrichment is additional data collected on an entity (hosts, IPs, artifacts, etc.).
By clicking on an entity on the Cases tab, you can see all the existing attributes that belong to an entity. These attributes, also known as "enrichment" parameters can also be used in placeholders. If you find you are missing attributes on an entity, you can use an Action to execute enrichment on an entity. Below we will use a simple procedure to get more information on a User in Google Security Operations.
- Navigate to the Cases screen and highlight a specific case.
- Click the icon located on the right side under the Case Top Bar. The Manual Actions dialog box opens.
- Select Google Workspace > Enrich Entities, and then select a specific entity. In this example, we will select the user Javiers. Click Execute. Once the green arrow appears, close this box.
- In the Entities Highlights, click on the entity Javiers. A new Entity Explorer screen appears. Scrolling down displays the person that Javiers reports to.
- Return to the main Case screen. All the enrichment attributes are now in the Google Security Operations SOAR platform and are treated as entities in and of themselves. For example, the person that Javiers reports to now can be chosen as an entity. This will be shown in the Create a new Entity procedure below.
Entity
The analyst will choose the required entity when building the Playbook. There are different sets of entities that the Action will run on. You can also choose to add new entity sets.
To create a new entity for a single Playbook:
- In the Actions column, select Flow > Entity Selection, and drag and drop it into the Final Box.
- Click on Entity Selection.
- Select the required entity parameters. In this example, we will select the Reports To entity (which is now populated in the system because of the Enrichment Action we ran above) and set it equal to Director. Click Save.
- The new entity set is saved under the name Entity_Selection_1 and is available for use when choosing any new entity in the specific Playbook. Note that if you create several new Entity Selections, they will be named with ascending numbers after the underscore.
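The following added example (not code from Google Security Operations or its documentation) ties together the Enrichment and Entity sections above: an enrichment action attaches attributes to a case entity, the value of an attribute such as Reports To becomes an entity of its own, and a saved Entity Selection filters entities by attribute value. The in-memory entity model, the directory lookup that stands in for the Google Workspace enrichment, and the sample users are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Entity:
    """A case entity (user, host, IP, ...) together with its enrichment attributes."""
    identifier: str
    entity_type: str
    attributes: Dict[str, str] = field(default_factory=dict)


# Constructed stand-in for the directory that an Enrich Entities action would query.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "javiers": {"Title": "Security Analyst", "ReportsTo": "Director", "Department": "Security"},
    "director": {"Title": "Director of Security", "ReportsTo": "CISO", "Department": "Security"},
}


def enrich_user(entity: Entity) -> bool:
    """Hypothetical enrichment action: copy directory attributes onto the entity.

    Returns True when the lookup succeeded (the green arrow in the Manual Actions
    dialog) and False when the directory knows nothing about the identifier.
    """
    record = DIRECTORY.get(entity.identifier.lower())
    if record is None:
        return False
    entity.attributes.update(record)
    return True


class CaseEntities:
    """In-memory model of the entities attached to one case."""

    # Enrichment attributes whose values are promoted to entities of their own,
    # mapped to the entity type the promoted value gets (assumed).
    PROMOTE: Dict[str, str] = {"ReportsTo": "USER"}

    def __init__(self) -> None:
        self.entities: Dict[str, Entity] = {}
        self.selections: Dict[str, Tuple[str, str]] = {}

    def add(self, identifier: str, entity_type: str) -> Entity:
        return self.entities.setdefault(identifier, Entity(identifier, entity_type))

    def enrich(self, identifier: str, enricher: Callable[[Entity], bool]) -> bool:
        """Run an enrichment action on one entity and promote attribute values."""
        entity = self.entities[identifier]
        if not enricher(entity):
            return False
        for attribute, new_type in self.PROMOTE.items():
            value = entity.attributes.get(attribute)
            if value:
                self.add(value, new_type)
        return True

    def select(self, attribute: str, equals: str) -> List[Entity]:
        """Entities whose enrichment attribute equals the given value."""
        return [e for e in self.entities.values() if e.attributes.get(attribute) == equals]

    def save_selection(self, attribute: str, equals: str) -> str:
        """Save a filter under Entity_Selection_N, numbered in ascending order."""
        name = f"Entity_Selection_{len(self.selections) + 1}"
        self.selections[name] = (attribute, equals)
        return name

    def run_selection(self, name: str) -> List[str]:
        """Identifiers matched by a saved selection at the time it is evaluated."""
        attribute, equals = self.selections[name]
        return [e.identifier for e in self.select(attribute, equals)]


if __name__ == "__main__":
    case = CaseEntities()
    case.add("javiers", "USER")
    case.add("10.0.0.5", "ADDRESS")
    case.enrich("javiers", enrich_user)          # Director now exists as a USER entity
    name = case.save_selection("ReportsTo", "Director")
    print(name, case.run_selection(name))        # Entity_Selection_1 ['javiers']
```

Because a selection is evaluated when the playbook reaches it, the same Entity_Selection_1 can match different entities on each run depending on what enrichment has added to the case by then.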
Copy, Cut, Paste and Delete Actions
- Place the cursor on the required step and right click to Cut/Copy/Delete/Paste. You can copy and paste steps within the current playbook or in another one.
- To select multiple steps, press the Shift key and left click while highlighting the required steps. Then place your cursor over one of the steps and right click to Copy/Cut/Delete/Paste.
- Double click on a step to open the step configuration.
Re-running an Action
The Playbook builder might have designated a Playbook to stop if an Action fails. If this happens, click on the failed Action and an error message will display. This gives you the chance to correct a parameter that you might have mistakenly entered and then you can Re-Run the action.