Working with Playbook Blocks
Blocks are mini playbooks that users can create and reuse in other playbooks. A Block can implement workflows and logical decisions that are useful in multiple playbooks. When you edit or change a Block, every playbook that uses it is affected, which makes maintenance and improvement of playbooks easy. When Blocks are used within other playbooks, users can configure Input parameter fields on the Block to alter its inner flow of actions. The Block can also return an Output value to the parent playbook, allowing interaction and conditioning between the two.
Before you create these blocks, it's advisable to spend time initially to map out specific processes that you can easily reuse in parent playbooks, as well as giving thought to Input fields which can be configured per need.
The screenshot below provides an example of a reusable Playbook Block.
To add a new block:
- In the Playbook screen, click on the icon, choose the folder and the environment, and click Create. We recommend that Admin users select All Environments as best practice.
- In the screen that opens, fill out the name of the new Playbook Block at the top of the screen. For this example, we will create a Block that handles all communication between the SOC and its clients.
- Let's start off by adding Input parameters. Double click on the Input box and then click on the icon to add the input name and value fields. You can add as many fields as you need. Enter the following names and default values in the fields, then click Save:
  - Communication Type – Require Approval (we have decided on two communication types: Require Approval and Investigate)
  - Communication Method – Email
  - Additional Message – leave blank
  We will use these inputs to condition the flow of the Block. Any values entered here act as default values. Note that they can be changed for each and every Block instance after you have inserted it into the parent playbook.
- Let's now add a Flow step which directs the Playbook in a different direction according to which Communication Type is entered. The types, as mentioned above, are:
  - Investigate
  - Require Approval
  Now let's put these into different branches. Use the placeholders to pick up the Input types. As you can see in the following screenshot, we have two branches and an Else branch. Branch 1 is the default branch, the one taken with the default Input value.
- The next stage is to build action steps for each of the branches.
- Let's start with branch 1, which is the Require Approval branch. In the Actions column, select Email > Send Email and fill in the required parameters. This step sends an email asking the user for approval for a security analyst to perform Remediation on their machine.
- In the next step, select Flow > Condition and fill in the required parameters. This step checks whether the customer approved or not.
- In the Output step of the branch where the customer approved, add the word Approved to be returned to the parent playbook.
- In the Output step of the Else branch, where the customer responded negatively, add Not Approved in the Output box.
- Let's move on to the second branch. In this sequence we define what happens if the Input Communication Type is Investigate. In the Actions column, select Email > Send Email and fill in the required parameters. In the screenshot below, you can see that we added the placeholder for the Additional Message. Make sure that you actually write a message in the Additional Message Input field if you change the Type to Investigate.
- In the next step, select Siemplify > Assign Case. Here we hand the responsibility for investigating the case over to the Customer so that their Tier 1 analyst can look at it.
- In the next step, select Siemplify > Change Case Stage. This step presumes that we have received confirmation that the Customer is investigating, and therefore we change the Case stage to Investigation.
- In the next step, select Siemplify > Assign Case. This step assumes that the customer has finished the investigation and has asked the SOC to reclaim ownership of the case.
- In the next step, select Siemplify > Change Case Stage. This step changes the case stage from Investigation to Assessment so that the SOC can carry on handling the case.
- In the Output step, add the words Investigation Completed to be returned to the parent playbook.
This block can now be inserted into various Playbooks.
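The mechanics the procedure above relies on, namely Input defaults that a parent playbook can override per insertion, a Flow step that branches on the Communication Type, and a single Output value handed back to the parent, are summarised in the following Python model. It is an added illustration written for this page, not Siemplify's own API or playbook engine; the `run_block` function, the `ActionLog` helper, the `customer_approved` flag standing in for the Flow > Condition step, and the behaviour of the Else branch are all assumptions. The Investigate branch also enforces the caveat noted above: the Additional Message must actually be filled in.

```python
"""Illustrative model of a reusable playbook Block.

Constructed for this page; NOT Siemplify's API. A Block has named Input
parameters with defaults, branches on Communication Type, and returns one
Output string to the parent playbook, which may override any default.
"""
from dataclasses import dataclass, field

# Default Input values, exactly as defined in the Block built above.
BLOCK_INPUT_DEFAULTS = {
    "Communication Type": "Require Approval",
    "Communication Method": "Email",
    "Additional Message": "",
}


@dataclass
class ActionLog:
    """Hypothetical stand-in for the SOAR action history: records
    each action step the Block executed, in order."""
    steps: list = field(default_factory=list)

    def record(self, action, **params):
        self.steps.append((action, params))


def run_block(parent_inputs=None, customer_approved=False, log=None):
    """Run the communication Block.

    parent_inputs:     overrides the parent playbook set on this instance
                       (hypothetical; merged over the Block's defaults).
    customer_approved: stands in for the Flow > Condition step's result.
    Returns the Output string the parent playbook receives.
    """
    inputs = {**BLOCK_INPUT_DEFAULTS, **(parent_inputs or {})}
    log = log if log is not None else ActionLog()
    comm_type = inputs["Communication Type"]

    if comm_type == "Require Approval":
        # Branch 1: ask the customer to approve remediation.
        log.record("Email > Send Email",
                   method=inputs["Communication Method"],
                   purpose="request approval for remediation")
        # Flow > Condition: approved or not -> two Output steps.
        return "Approved" if customer_approved else "Not Approved"

    if comm_type == "Investigate":
        # The page's caveat: this branch needs a real Additional Message.
        if not inputs["Additional Message"].strip():
            raise ValueError(
                "Investigate requires a non-empty 'Additional Message' Input")
        log.record("Email > Send Email",
                   method=inputs["Communication Method"],
                   message=inputs["Additional Message"])
        log.record("Siemplify > Assign Case", assignee="Customer Tier 1")
        log.record("Siemplify > Change Case Stage", stage="Investigation")
        log.record("Siemplify > Assign Case", assignee="SOC")
        log.record("Siemplify > Change Case Stage", stage="Assessment")
        return "Investigation Completed"

    # Else branch of the Flow step. The page does not say what it does;
    # rejecting an unknown type is an assumption made here.
    raise ValueError(f"unknown Communication Type: {comm_type!r}")


if __name__ == "__main__":
    history = ActionLog()
    print(run_block(customer_approved=True, log=history))
    print(run_block({"Communication Type": "Investigate",
                     "Additional Message": "Please review the flagged host."},
                    log=history))
    for action, params in history.steps:
        print(action, params)
```

Running the model with no parent overrides follows branch 1 and returns Not Approved or Approved depending on the condition result; overriding only Communication Type to Investigate without also supplying an Additional Message fails fast, which is the mistake the procedure warns about.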
To insert an existing block:
- In the Playbooks screen, click Add Step.
- In the Step Selection box, select the Blocks section.
- Drag the required block into the middle of the Playbook.