Skip to main content

Playbooks in the Automation Service

A playbook is a predefined set of actions and conditional statements that run in an automated workflow to respond to a certain event or incident type. Playbooks can allow your organization's teams to respond to an incident in a consistent, focused, and repeatable fashion.

Playbooks can be configured to execute automatically without user intervention, acting on information from the incident, or can be executed in interactive mode, where user input is required to authorize predefined actions.

To run a playbook, add it to an automation. For places in Sumo Logic where you can use add playbooks to automations, see Where you can run automations.

note

By default, no more than 50 playbook actions can be executed per hour. For more information, see Actions limit.

View playbooks

The following procedure describes how to view playbooks already installed in your environment. To add more playbooks, create a playbook, or install a playbook from App Central.

  1. Access the Automation Service.
  2. Click Playbook in the left navigation bar.
    The list of playbooks dipslays.
    Automation Playbook list
  3. Select a playbook to see the elements in the workflow.
    Opened playbook
  4. Click the elements in the playbook to see their details. For example, click actions (the boxes in the flow) to see the integration resources that provide the actions.
    Action example

Create a new playbook

Before you create your own playbook, first view playbooks to make sure there isn't one already that does what you want to accomplish, and also check to see if you can install a playbook from App Central that does what you need.

tip

The following procedure provides a brief introduction to how to create a playbook. For detailed examples of how to create playbooks, see the Cloud SIEM automation examples.

  1. Access the Automation Service.
  2. Click Playbook in the left navigation bar. Previous-created playbooks will display.
  3. Click the + button to the left of Playbook.
    New playbook button
  4. A new configuration box will be displayed. Name your new playbook.
    New playbook dialog
  5. Select the incident Type. (For example, for Cloud SIEM automations, select CSE. For playbooks run from inside another playbook, you can select another incident type to associate with it, for example, Denial of Service, Malware, Phishing, etc.)
  6. Click Save. The new playbook appears in the list of available playbooks.
  7. To configure the new playbook, select it from the list and click the Edit button at the bottom of the screen.
    New playbook
    Opening the playbook will present a black screen with a Start node and an End node. These nodes dictate the beginning and the end of the playbook's automation sequence. They can be dragged and dropped anywhere on the screen to allow for multiple integrations and conditional statements to be executed.
  8. To add the first node in the playbook, click the + on the Start node. The Add node page is displayed.
    Add node
    Choose from the following options:
    • Action: Automatically take specific actions such as enriching data or taking containment steps.
    • Condition: Use conditional statements to define what actions should be taken in response to previous inputs.
    • Playbook: Call other playbooks in response to conditional statements.

Add an action node to a playbook

An action node in a playbook runs an enrichment or notification operation. String actions together in the playbook to perform a workflow.

tip

For examples of adding actions to playbooks, see the Cloud SIEM automation examples.

info

Before you can add action nodes to a playbook, you must configure the connection for each integration resource that actions originate from.

  1. Either create a new playbook as described above, or edit an existing playbook.
  2. Click the + on the Start node.
    Start node
  3. The Add node page displays.
    Add node
  4. Select Action. The action node configuration screen displays.
    Add action node
  5. Give the node a Name that identifies the action being taken.
  6. Select the Type of action as Enrichment or Notification.
  7. Select the Action from the drop-down list. The dialog updates to show the integration resource that the action originates from, along with additional fields you must fill out to configure how you would like the action to be performed.
    Configure action node
  8. Fill out the fields with the specific information required by the action. For more information about the action, you can view the integration that provides the action.
  9. Once you have entered all the information requested, click Create. The action node is added to the playbook.
  10. Repeat the steps to add other action nodes.
  11. Add condition nodes if desired.
  12. When you are done configuring your playbook, click Save at the bottom of the window.
    Save the playbook
  13. When you are ready to allow the playbook to be used in automations, click the Publish button at the bottom of the playbook window.
    Publish the playbook

Add a condition node to a playbook

Define a conditional statement to be met before the next node can be executed.

tip

For examples of adding conditions to playbooks, see the Cloud SIEM automation examples.

  1. Either create a new playbook as described above, or edit an existing playbook.
  2. Click the + on the Start node.
    Start node
  3. The Add node dialog displays.
    Add node
  4. Select Condition. The condition node configuration dialog displays.
    Add condition node
  5. Click Create. The empty condition appears on the playbook.
  6. Draw a line from a previous action node to the new condition node. This is required to allow the condition to evaluate the output values from the previous action.
  7. Now that you've linked the condition to an action, hover the mouse over the condition node and click the edit button on the node to configure the condition settings.
    Edit a condition node
  8. The condition node configuration dialog displays again. Under Condition1, click Select a value.
    Select values for the condition
  9. Click Get Value and select from the drop-down menu whether the value will evaluate to true (bool), false (bool), or empty.
    Get values for the condition
  10. Under Get value from a previous action, select the value to feed into the condition. The example shows Get Devices and Playbook inputs that came from the previous action. (The condition must be linked by a line to the previous action node to receive outputs from the action.) Click the options from the previous action and select which output type (for example, hashes, IP addresses, domains) to evaluate and add it to the condition.
  11. The selected output type will be displayed under Condition 1. Select which condition you would like for the output results to meet from the inequality operators below and click Select a value to define the condition.
  12. Now that Condition 1 is defined, you can choose to filter your results further by selecting an AND/OR operator to define another condition.
  13. Click Update.
  14. When you create a new condition, you need to define what happens when their results meet one of your criteria. Draw lines to nodes to define the flow for success, failure, or other condition options.
Legal
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.