docs/platform-services/automation-service/playbooks/create-playbooks.md
92 additions & 17 deletions
Original file line number
Diff line number
Diff line change
@@ -76,12 +76,12 @@ Before you can add action nodes to a playbook, you must [configure the connectio
76
76
1. Give a **Node name** that identifies the action being taken.
77
77
1. Select **Manual execution** if the node will require manual intervention to run. For example, an analyst may need to add information before executing the node.
78
78
1. Select the [**Integration**](/docs/platform-services/automation-service/automation-service-integrations/) to supply the action for the node.
79
-
1. Select the **Type** of action:
80
-
***Containment**. Performs some sort of response or remediation action, such as resetting a user's password or blocking a domain on your firewall.
81
-
***Custom**. Performs an action defined in a custom action YAML file. For an example of a custom action created for Cloud SIEM, see [Advanced example: Configure a custom integration](/docs/cse/automation/cloud-siem-automation-examples/#advanced-example-configure-a-custom-integration).
82
-
***Enrichment**. Enriches data with additional information, such as adding information about a known malicious IP address.
83
-
***Notification**. Sends a notification, for example, an email or a post in a messaging service.
84
-
***Scheduled**. Runs an action on a schedule once the playbook starts. For example, the action regularly checks a condition, and once the condition is met, the next playbook actions are executed.
79
+
1. Select the **Type** of action (see [Action types](#action-types) for more information):
80
+
***Containment**
81
+
***Custom**
82
+
***Enrichment**
83
+
***Notification**
84
+
***Scheduled**
85
85
:::note
86
86
The **Type** drop-down menu shows only the action types available in the selected integration.
87
87
:::
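Review bot: the five bullets under "Select the **Type** of action" are now bare labels with no links, even though this same commit gives each type its own subsection anchor (`#containment`, `#custom`, `#enrichment`, `#notification`, `#scheduled`) and links them from the overview list; link each bullet directly, e.g. `* [**Containment**](#containment)`, so a reader in the middle of the procedure lands on the relevant subsection instead of the top of the Action types overview. The `:::note` that the drop-down shows only the types available in the selected integration is also repeated nearly word for word in the "Select the action type" steps below; one of the two copies could point at the other rather than restating it.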
@@ -200,31 +200,106 @@ A filter node filters results from the preceding action based on the condition y
200
200
201
201
## Action types
202
202
203
-
Every integration contains actions you can perform to help with incident remediation, such as sending notifications, adding additional information (enrichment), containment, and so on. Following are the available action types:
204
-
***Containment**. Performs some sort of response or remediation action, such as resetting a user's password or blocking a domain on your firewall.
205
-
***Custom**. Performs an action defined in a custom action YAML file. For an example of a custom action created for Cloud SIEM, see [Advanced example: Configure a custom integration](/docs/cse/automation/cloud-siem-automation-examples/#advanced-example-configure-a-custom-integration).
206
-
***Enrichment**. Enriches data with additional information, such as adding information about a known malicious IP address.
207
-
***Notification**. Sends a notification, for example, an email or a post in a messaging service.
208
-
***Scheduled**. Runs an action on a schedule once the playbook starts. For example, the action regularly checks a condition, and once the condition is met, the next playbook actions are executed.
203
+
Every [automation integration](/docs/platform-services/automation-service/app-central/integrations/) contains different types of actions you can perform to help with incident remediation, such as sending notifications, adding additional information (enrichment), containment, and so on. Following are the different types of actions available in integrations:
204
+
*[**Containment**](#containment). Performs some sort of response or remediation action, such as resetting a user's password or blocking a domain on your firewall.
205
+
*[**Custom**](#custom). Performs an action defined in a custom action YAML file.
206
+
*[**Enrichment**](#enrichment). Enriches data with additional information, such as adding information about a known malicious IP address.
207
+
*[**Notification**](#notification). Sends a notification, for example, an email or a post in a messaging service.
208
+
*[**Scheduled**](#scheduled). Runs an action on a schedule once the playbook starts. For example, the action regularly checks a condition, and once the condition is met, the next playbook actions are executed.
209
209
210
-
Every action in an integration is assigned an action type. If you take a look at the [Automation Integrations in App Central](/docs/platform-services/automation-service/app-central/integrations/), you'll see each has a list of available actions with the type of action listed for each. For example, here are some of the actions in the [Sumo Logic Cloud SIEM](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-cloud-siem/) integration:
210
+
Every action in an integration is assigned an action type. If you take a look at the [Automation Integrations in App Central](/docs/platform-services/automation-service/app-central/integrations/), you'll see each has a list of available actions with the type of action listed for each. For example, here are some of the actions in the Sumo Logic Cloud SIEM integration:
211
211
***Get Entity***(Enrichment)* - Get Entity details.
212
212
***Add Network Block***(Containment)* - Add an address into the Network Blocks.
213
213
***Add Comment To Insight***(Notification)* - Add a comment to an existing Insight.
214
214
***Check Insight Status Schedule***(Scheduled)* - Schedule action that periodically checks if the Insight is closed.
215
215
216
+
To use one of these actions, start by adding an action node to a playbook, then select the integration, the action type, and the action. See the next section to learn how.
217
+
216
218
### Select the action type
217
219
218
220
When you [Add an action node to a playbook](#add-an-action-node-to-a-playbook), you select the type of action to perform from the integration.
219
221
220
222
1. Either [create a new playbook](#create-a-new-playbook), or edit an existing playbook.
221
223
1. Hover your mouse over an existing node, such as the **Start** node, and click on the **+** button that appears.<br/><img src={useBaseUrl('img/cse/automations-start-node.png')} style={{border:'1px solid gray'}} alt="Start node" width="100"/><br/>
1. Select **Action**. The action node configuration screen displays.
224
-
1. In the **Integration** field, select the integration you want to use. In this example, we've selected the Sumo Logic Cloud SIEM integration:<br/><img src={useBaseUrl('img/platform-services/automation-service/sumo-logic-cloud-siem-integration-selected.png')} alt="Sumo Logic Cloud SIEM integration selected in the Add Node dialog" style={{border:'1px solid gray'}} width="400"/>
225
-
1. Click the **Type** field to select the type of action you want to perform. The drop-down menu shows only the action types available in the selected integration:<br/><img src={useBaseUrl('img/platform-services/automation-service/action-types-on-cloud-siem-integration.png')} alt="Action types on Sumo Logic Cloud SIEM integration" style={{border:'1px solid gray'}} width="400"/>
225
+
1. Select **Action**.
226
+
1. In the **Integration** field, select the integration you want to use. In this example, we've selected the [Sumo Logic Cloud SIEM](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-cloud-siem/) integration:<br/><img src={useBaseUrl('img/platform-services/automation-service/sumo-logic-cloud-siem-integration-selected.png')} alt="Sumo Logic Cloud SIEM integration selected in the Add Node dialog" style={{border:'1px solid gray'}} width="400"/>
227
+
1. Click the **Type** field to select the type of action you want to perform. The drop-down menu shows only the types available in the selected integration:<br/><img src={useBaseUrl('img/platform-services/automation-service/action-types-on-cloud-siem-integration.png')} alt="Action types on Sumo Logic Cloud SIEM integration" style={{border:'1px solid gray'}} width="400"/>
226
228
1. Click the **Action** field to select the action to run in the playbook. Only actions of that type in the integration are listed:<br/><img src={useBaseUrl('img/platform-services/automation-service/enrichment-actions-on-cloud-siem.png')} alt="Enrichment actions on Sumo Logic Cloud SIEM integration" style={{border:'1px solid gray'}} width="400"/>
227
-
1. Proceed with [adding the action node to the playbook](#add-an-action-node-to-a-playbook).
229
+
1. Proceed with the rest of the steps to [add an action node to a playbook](#add-an-action-node-to-a-playbook).
230
+
231
+
### Containment
232
+
233
+
Containment actions perform some sort of response or remediation action, such as:
234
+
* Block IPs
235
+
* Block email senders
236
+
* Block URLs
237
+
* Ban hash files
238
+
* Reset passwords and send an email with new passwords
239
+
* Delete attachments
240
+
* Disconnect devices from the network
241
+
242
+
Many [integrations](/docs/platform-services/automation-service/app-central/integrations/) offer containment actions. Here are just a few:
Custom actions perform an activity defined in a custom action YAML file. For an example of a custom action created for Cloud SIEM, see [Advanced example: Configure a custom integration](/docs/cse/automation/cloud-siem-automation-examples/#advanced-example-configure-a-custom-integration).
257
+
258
+
A few [integrations](/docs/platform-services/automation-service/app-central/integrations/) also offer actions labelled as custom types:
Scheduled actions run on a schedule once the playbook starts. For example, the action regularly checks a condition, and once the condition is met, the next playbook actions are executed.
294
+
295
+
Many [integrations](/docs/platform-services/automation-service/app-central/integrations/) offer scheduled actions. Here are just a few:
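Review bot: the added sentence "See the next section to learn how." is a positional reference that silently breaks as soon as a subsection is added or reordered under Action types; make it an explicit link, e.g. `See [Select the action type](#select-the-action-type).` The rewritten step `1. Select **Action**.` also drops the earlier "The action node configuration screen displays.", which told the reader what to expect before the **Integration** field step; consider keeping that sentence. Finally, the new containment bullet "Reset passwords and send an email with new passwords" is presented as a recommended remediation; it would be worth qualifying that any password delivered this way should be temporary and forced to change at next login, since a permanent credential sent over email undercuts the containment.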