Commit cf98fa2

Finish draft
1 parent 91ba101 commit cf98fa2

3 files changed

+26
-8
lines changed

docs/platform-services/automation-service/playbooks-in-app-central.md

Lines changed: 26 additions & 8 deletions
@@ -8,28 +8,46 @@ description: Learn about the out-of-the-box playbooks available in App Central.
88
import useBaseUrl from '@docusaurus/useBaseUrl';
99
import SamplePlaybooks from '../../reuse/automation-service/sample-playbooks.md';
1010

11-
Sumo Logic provides hundreds of out-of-the-box playbooks in the **Playbooks** tab of [App Central](/docs/platform-services/automation-service/automation-service-app-central/). A playbook is a predefined set of actions and conditional statements that run in an automated workflow to respond to a certain event or incident type. These out-of-the-box playbooks can handle many different situations, such as phishing attempts, brute force attacks, ransomware, and many others.
11+
A playbook is a predefined set of actions and conditional statements that run in an automated workflow to respond to a certain event or incident type. Sumo Logic provides hundreds of out-of-the-box playbooks in the **Playbooks** tab of [App Central](/docs/platform-services/automation-service/automation-service-app-central/). These out-of-the-box playbooks can handle many different situations, such as phishing attempts, brute force attacks, ransomware, and many others.
1212

13-
First look through the out-of-the-box playbooks to find ones that could help you. Once you're identified ones you'd like to use, install them. After installation, the [installed playbooks](/docs/platform-services/automation-service/playbooks/create-playbooks/#view-playbooks) appear in the Automation Service UI. Then configure the installed out-of-the-box playbooks to run actions in the integrations you have in your environment.
13+
The out-of-the-box playbooks are templates that you need to configure before they will work in your environment. Look through the playbooks to find ones that could help you. Once you're identified one you'd like to use, follow these steps:
14+
1. [Install the playbook](#install-an-out-of-the-box-playbook-from-app-central).
15+
1. [Configure the installed out-of-the-box playbook](#configure-an-out-of-the-box-playbook) to run actions in the integrations you have in your environment.
16+
:::note IMPORTANT
17+
You must first [install integrations](/docs/platform-services/automation-service/automation-service-app-central/#install-an-integration-from-app-central) and [configure authentication for them](/docs/platform-services/automation-service/configure-authentication-for-integrations/) before you can configure playbooks to use the actions from those integrations.
18+
:::
1419

15-
### Install an out-of-the-box playbook from App Central
20+
## Install an out-of-the-box playbook from App Central
1621

1722
1. Use the **Search** bar in the upper right of the **Playbooks** tab to find playbooks.
1823
1. Click **Install** in the corner of the playbook box.
1924
1. Click **Next**.
2025
1. Click **Install** to install the playbook.
2126
1. Click **Close**. After installation is complete, **Installed** replaces the **Install** link in the corner of the playbook box.
22-
1. **IMPORTANT**: Click **Show More** in the playbook box to see if there are additional steps you need to follow to configure the installed playbook. Failure to perform these additional steps may result in the playbook not working properly.
27+
1. Click **Show More** in the playbook box to see if there are additional steps you need to follow to configure the installed playbook. Failure to perform these additional steps may result in the playbook not working properly.
2328

2429
## Configure an out-of-the-box playbook
2530

2631
After you install an out-of-the-box playbook from App Central, it appears on the [**Playbooks**](/docs/platform-services/automation-service/playbooks/create-playbooks/#view-playbooks) list. Perform the following steps to configure the out-of-the-box playbook.
2732

28-
1. Select the playbook from the list. In the example below, the *21 - DLP Alert* playbook is selected. <br/>All out-of-the-box playbooks are numbered. Notice the other two out-of-the-box playbooks in the list, *18 - DDoS* and *100 - Incident Enrichment and Ownership Management*. These are out-of-the-box playbooks.<br/><img src={useBaseUrl('img/platform-services/automation-service/example-out-of-the-box-playbook.png')} alt="Example out-of-the-box playbook" style={{border: '1px solid gray'}} width="700" />
33+
1. Select the playbook from the list. In the example below, the *21 - DLP Alert* playbook is selected. <br/><img src={useBaseUrl('img/platform-services/automation-service/example-out-of-the-box-playbook.png')} alt="Example out-of-the-box playbook" style={{border: '1px solid gray'}} width="700" />
2934
1. Click the edit button at the bottom of the screen.
30-
1. Hover your mouse over a node and click the edit button. The **Edit Node** dialog appears.
31-
1. Note the name of the node. It should tell you what action you need to connect to. In the following example, the node name is *IP reputation destination address with VirusTotal*. That tells us we need to use the *IP Reputation* action in the [VirusTotal integration](/docs/platform-services/automation-service/app-central/integrations/virustotal/).<br/><img src={useBaseUrl('img/platform-services/automation-service/example-out-of-the-box-playbook-2.png')} alt="Example out-of-the-box playbook node" style={{border: '1px solid gray'}} width="400" />
32-
35+
1. Hover your mouse over a node and click the edit button that appears on the node. The **Edit Node** dialog appears.
36+
1. Note the **Node name**. It should tell you what action you need to connect to. In the following example, the node name is *IP reputation destination address with VirusTotal*. That tells us we need to connect to the *IP Reputation* action in the [VirusTotal integration](/docs/platform-services/automation-service/app-central/integrations/virustotal/) and use the *destination address*.<br/><img src={useBaseUrl('img/platform-services/automation-service/example-out-of-the-box-playbook-2.png')} alt="Example out-of-the-box playbook node" style={{border: '1px solid gray'}} width="400" />
37+
1. In the **Integration** field, select the integration. (In our example, select **VirusTotal**.)
38+
:::note IMPORTANT
39+
You must have [already installed the integration](/docs/platform-services/automation-service/automation-service-app-central/#install-an-integration-from-app-central) and [configured its authentication](/docs/platform-services/automation-service/configure-authentication-for-integrations/) before you can use actions in the integration.
40+
:::
41+
1. In the **Action** field, select the action. (In our example, select **IP Reputation**.)
42+
1. Fill out other fields as needed. Fields with asterisks are required. (In our example, in the **IP** field select **destinationAddress**).<br/><img src={useBaseUrl('img/platform-services/automation-service/example-out-of-the-box-playbook-3.png')} alt="Example out-of-the-box playbook node with integration and action selected" style={{border: '1px solid gray'}} width="400" />
43+
1. After you're done configuring the node, toggle **Test Mode** at the top of the dialog to [test the node](/docs/platform-services/automation-service/playbooks/troubleshoot-playbooks/#test-nodes-in-a-playbook).
44+
1. After you are sure the node works as expected, click **Save**.
45+
1. Continue configuring nodes until you have configured all the nodes in the playbook.
46+
1. When done configuring nodes, [test the playbook](/docs/platform-services/automation-service/playbooks/troubleshoot-playbooks/#test-a-playbook) to make sure it works as expected.
47+
48+
:::note ADVISORY
49+
The out-of-the-box playbooks are merely templates to guide you, and the integrations indicated in their node names may not exist in your environment. Edit the playbook to connect to integrations that you have installed and configured, and change the playbooks as needed.
50+
:::
3351

3452
## Playbooks in App Central
3553

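Review bot: The `:::note IMPORTANT` block added at new lines 38-40 sits between two `1.` steps with no indentation as shown here, so it can end the ordered list and restart the numbering at the **Action** step; indent the three lines to the step's content column so the note stays inside the step. It also repeats the note already added at new lines 16-18, so the second one could be shortened to a pointer back to the first. At new line 13, "Once you're identified one" should read "Once you've identified one" (the typo is carried over from the removed line). New lines 47-48 add two consecutive blank lines where one is enough, and the period at new line 42 falls outside the closing parenthesis while new lines 37 and 41 put it inside.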