docs/platform-services/automation-service/playbooks/create-playbooks.md
15 additions & 11 deletions
@@ -201,26 +201,30 @@ A filter node filters results from the preceding action based on the condition y
201
201
## Action types
202
202
203
203
Every integration contains actions you can perform to help with incident remediation, such as sending notifications, adding additional information (enrichment), containment, and so on. Following are the available action types:
204
-
***Containment**. Performs some sort of response or remediation action, such as resetting a user's password or blocking a domain on your firewall.
205
-
***Custom**. Performs an action defined in a custom action YAML file. For an example of a custom action created for Cloud SIEM, see [Advanced example: Configure a custom integration](/docs/cse/automation/cloud-siem-automation-examples/#advanced-example-configure-a-custom-integration).
206
-
***Enrichment**. Enriches data with additional information, such as adding information about a known malicious IP address.
207
-
***Notification**. Sends a notification, for example, an email or a post in a messaging service.
208
-
***Scheduled**. Runs an action on a schedule once the playbook starts. For example, the action regularly checks a condition, and once the condition is met, the next playbook actions are executed.
204
+
***Containment**. Performs some sort of response or remediation action, such as resetting a user's password or blocking a domain on your firewall.
205
+
***Custom**. Performs an action defined in a custom action YAML file. For an example of a custom action created for Cloud SIEM, see [Advanced example: Configure a custom integration](/docs/cse/automation/cloud-siem-automation-examples/#advanced-example-configure-a-custom-integration).
206
+
***Enrichment**. Enriches data with additional information, such as adding information about a known malicious IP address.
207
+
***Notification**. Sends a notification, for example, an email or a post in a messaging service.
208
+
***Scheduled**. Runs an action on a schedule once the playbook starts. For example, the action regularly checks a condition, and once the condition is met, the next playbook actions are executed.
209
209
210
-
211
-
If you take a look at the [Automation Integrations in App Central](/docs/platform-services/automation-service/app-central/integrations/), you'll see each has a list of available actions with the type of action listed for each. For example, here are some of the actions in the [Sumo Logic Cloud SIEM](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-cloud-siem/) integration:
210
+
Every action in an integration is assigned an action type. If you take a look at the [Automation Integrations in App Central](/docs/platform-services/automation-service/app-central/integrations/), you'll see each has a list of available actions with the type of action listed for each. For example, here are some of the actions in the [Sumo Logic Cloud SIEM](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-cloud-siem/) integration:
212
211
***Get Entity***(Enrichment)* - Get Entity details.
213
212
***Add Network Block***(Containment)* - Add an address into the Network Blocks.
214
213
***Add Comment To Insight***(Notification)* - Add a comment to an existing Insight.
215
214
***Check Insight Status Schedule***(Scheduled)* - Schedule action that periodically checks if the Insight is closed.
216
215
217
216
### Select the action type
218
217
219
-
When you [Add an action node to a playbook](/docs/platform-services/automation-service/playbooks/create-playbooks/#add-an-action-node-to-a-playbook), you select the type of action to perform from the integration.
220
-
221
-
The **Type** drop-down menu shows only the action types available in the selected integration. For example, for the Sumo Logic Cloud SIEM integration, the available action types are shown in the dropdown menu:<br/><img src={useBaseUrl('img/platform-services/automation-service/action-types-on-cloud-siem-integration.png')} alt="Action types on Sumo Logic Cloud SIEM integration" style={{border:'1px solid gray'}} width="500"/>
218
+
When you [Add an action node to a playbook](#add-an-action-node-to-a-playbook), you select the type of action to perform from the integration.
222
219
223
-
Then when you select the action type, the available actions of that type in the integration are listed:<br/><img src={useBaseUrl('img/platform-services/automation-service/enrichment-actions-on-cloud-siem.png')} alt="Enrichment actions on Sumo Logic Cloud SIEM integration" style={{border:'1px solid gray'}} width="500"/>
220
+
1. Either [create a new playbook](#create-a-new-playbook), or edit an existing playbook.
221
+
1. Hover your mouse over an existing node, such as the **Start** node, and click on the **+** button that appears.<br/><img src={useBaseUrl('img/cse/automations-start-node.png')} style={{border:'1px solid gray'}} alt="Start node" width="100"/><br/>
1. Select **Action**. The action node configuration screen displays.
224
+
1. In the **Integration** field, select the integration you want to use. In this example, we've selected the Sumo Logic Cloud SIEM integration:<br/><img src={useBaseUrl('img/platform-services/automation-service/sumo-logic-cloud-siem-integration-selected.png')} alt="Sumo Logic Cloud SIEM integration selected in the Add Node dialog" style={{border:'1px solid gray'}} width="400"/>
225
+
1. Click the **Type** field to select the type of action you want to perform. The drop-down menu shows only the action types available in the selected integration:<br/><img src={useBaseUrl('img/platform-services/automation-service/action-types-on-cloud-siem-integration.png')} alt="Action types on Sumo Logic Cloud SIEM integration" style={{border:'1px solid gray'}} width="400"/>
226
+
1. Click the **Action** field to select the action to run in the playbook. Only actions of that type in the integration are listed:<br/><img src={useBaseUrl('img/platform-services/automation-service/enrichment-actions-on-cloud-siem.png')} alt="Enrichment actions on Sumo Logic Cloud SIEM integration" style={{border:'1px solid gray'}} width="400"/>
227
+
1. Proceed with [adding the action node to the playbook](#add-an-action-node-to-a-playbook).
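Review bot: The new numbered list under "Select the action type" is circular. Its early steps (create or edit a playbook, click **+** on a node, select **Action**) already begin adding an action node, yet the final step tells the reader to "Proceed with [adding the action node to the playbook](#add-an-action-node-to-a-playbook)", the same anchor the intro sentence links to. Either trim the list to the **Integration**, **Type** and **Action** field steps and let the intro link cover how to open the node dialog, or have the final step say which step of that section the reader resumes at, so the two procedures cannot drift apart. Separately, the five action-type bullets at 204-208 are removed and re-added with no visible text change; if that is a whitespace or list-marker fix, say so in the commit message so reviewers do not hunt for a wording difference.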