Using Flows in Playbooks
The Flow component determines the next steps of a playbook by routing the flow through a decision point. This is implemented as a branching system.
The following Flow options are available:
- Condition: This is based on complex conditions (based on placeholders) including existing case data and the Previous Actions flow.
- Multi Choice Question: This involves questions that must be answered by analysts manually.
- Previous Actions Conditions: This is based on data fetched by previous actions that were executed in this playbook.
To add a Condition flow:
- In the Playbooks screen, click Open Step Selection.
- Select the Flow section of the Step Selection box.
- Drag and drop the Condition into the step or between two actions depending on how you are building your Playbook.
- Double click on the Condition to open the dialog box.
- Select the required Entities.
- Decide how many branches you want to create. Each branch has an OR between them.
- Select the parameter(s) for each branch. To add a parameter:
  - Select the required event/case/alert parameters or enriched data that is in your Google Security Operations platform. (Note that for new users this will be empty if you have not ingested any alerts yet.)
  - Select the required operator: Equals to/Does not equal to, Contains/Does not contain, Starts with, Greater than/Smaller than.
  - Choose a value.
For this specific example, we will choose three branches (where the third branch is the default "Else" branch).
In Branch 1, we have alerts that were blocked or that have no threat signature; the playbook then does X (where X is whatever the next step of the Playbook is).
In Branch 2, we have alerts that are allowed and whose threat signature is not empty.
In Branch 3, we have the default "Else" branch.
- Define a "fallback branch" to avoid failed conditions. If a condition is based on previous actions, and one of those actions failed (and was skipped), the condition continues to the fallback branch instead of stopping.
- Click Save. The playbook now takes three branches: 1, 2 and E (Else). You need to decide what the outcome is for at least ONE of the branches in order for the Playbook to be considered complete. To choose a Fallback branch, see the procedure below.
Branch 1 (Logical Operator set to Or):
- Alert.CategoryOutcome = Blocked
- Alert.ThreatSignature is Empty
Branch 2 (Logical Operator set to And):
- Alert.CategoryOutcome = Allowed
- Alert.ThreatSignature is NotEmpty
To add a Multi Choice Question flow:
- Drag and drop the Multi Choice Questions into the Final Step box.
- Click on the Multi Choice Questions to open the dialog box.
- Add in a question and as many answers as you need.
- Click Save. The playbook now opens up four branches. You need to decide what the outcome is for at least ONE of the branches in order for the Playbook to be considered complete.
To add a Previous Actions Conditions flow:
- Drag and drop the Previous Actions Conditions into the Final Step box.
- Click on the Previous Actions Conditions to open the dialog box.
- Decide how many branches you want to create. Each branch has an OR between them.
- To add a parameter:
  - Select the required parameter. Note that the drop-down only shows the action script results that are part of this Playbook.
  - Select the required operator: Equals to/Does not equal to, Contains/Does not contain, Starts with, Greater than/Smaller than.
  - Choose the value (the action result).
- You can add more parameters to each branch and choose the Logical Operator: AND or OR.
- Click Save. The Playbook now opens three branches: 1, 2, and Else. You would need to decide what the outcome is for at least ONE of the branches in order for the Playbook to be considered as complete.
To define a Fallback branch:
- In one of the Flows (Condition or Previous Actions Condition), select the branch that will be used as a fallback branch. In this example, we have selected the branch "not risky". Note that it is not mandatory to add a fallback branch.
- Once the Playbook runs and the previous actions fail, the Playbook chooses the fallback branch and continues.
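As an added example (not part of this documentation or of the Google Security Operations product), the following Python model shows how the Condition, Previous Actions Condition and fallback behaviour described above route an alert: the two configured branches from the example, the OR/AND Logical Operator inside a branch, the implicit Else branch, and the jump to the fallback branch when a referenced previous action failed or was skipped. The placeholder syntax `Alert.<field>` and `Action.<name>`, the operator key names, and the action status values are assumptions made for this model.

```python
class ActionFailed(Exception):
    """A placeholder referred to a previous action that failed or was skipped."""

# Operators offered by the Condition dialog (Empty / NotEmpty take no value).
OPERATORS = {
    "equals": lambda a, b: a == b,
    "not_equals": lambda a, b: a != b,
    "contains": lambda a, b: b in (a or ""),
    "not_contains": lambda a, b: b not in (a or ""),
    "starts_with": lambda a, b: (a or "").startswith(b),
    "greater_than": lambda a, b: a is not None and a > b,
    "smaller_than": lambda a, b: a is not None and a < b,
    "empty": lambda a, b: not a,
    "not_empty": lambda a, b: bool(a),
}

def resolve(ctx, placeholder):
    # Assumed syntax: "Alert.<field>" reads case data, "Action.<name>" reads
    # the result of a previous action executed in this playbook.
    scope, _, key = placeholder.partition(".")
    if scope == "Alert":
        return ctx["alert"].get(key)
    action = ctx["actions"].get(key) if scope == "Action" else None
    if action is None or action["status"] in ("failed", "skipped"):
        raise ActionFailed(placeholder)  # nothing to compare against
    return action["result"]

def branch_matches(ctx, branch):
    # Parameters inside one branch are combined with its Logical Operator.
    hits = [OPERATORS[op](resolve(ctx, ph), val) for ph, op, val in branch["params"]]
    return all(hits) if branch["logic"] == "AND" else any(hits)

def route(ctx, branches, fallback="Else"):
    # Branches are tried in order (OR between them); Else catches the rest.
    # If a referenced previous action failed, the fallback branch is taken
    # instead of stopping the playbook.
    try:
        for branch in branches:
            if branch_matches(ctx, branch):
                return branch["name"]
    except ActionFailed:
        return fallback
    return "Else"

# The three-branch Condition from the text (branch 3 is the implicit Else).
CONDITION = [
    {"name": "1", "logic": "OR", "params": [("Alert.CategoryOutcome", "equals", "Blocked"),
                                          ("Alert.ThreatSignature", "empty", None)]},
    {"name": "2", "logic": "AND", "params": [("Alert.CategoryOutcome", "equals", "Allowed"),
                                           ("Alert.ThreatSignature", "not_empty", None)]},
]
```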
Removing a Flow
When removing a flow from within a Playbook, the system will ask you whether you want to remove the entire branch or just one aspect of it.
Merge Branches
You can merge different branches of the Playbook into one branch. This is done by dragging an action from one of the branches and dropping it into the Final Step of another branch. The Playbook can continue after this or end here.