Understanding playbook monitoring
The following places in the Google Security Operations platform can provide you with greater visibility into the playbooks execution:
- Playbook monitoring on the Playbooks page: The monitoring feature allows customers to use automation to its full capacity. This interface is displayed for each individual playbook.
- Playbook side drawer on the Cases page: The summary feature is to minimize the time that an analyst needs to get decisions when handling a case. This interface is displayed as a side drawer for each running playbook on the Cases page.
Playbook monitoring
The Playbook Monitoring side drawer is available for each playbook on the Playbooks page.
You can see the side drawer by clicking on the Playbook monitoring icon at the top right of the Playbooks page.
The Playbook Monitoring side drawer contains the following information:
- Runs: How many times the playbook or playbook block ran during the defined time period. Thousands will be represented by a K. Millions will be represented by an M. If a playbook block is added as part of a playbook to an existing alert, the block won't be counted here.
- Redundant: Number of times the playbook or playbook block didn't run in the predefined time period (because it exceeded the maximum number of playbooks (1) that can be automatically added to an alert). If the number is larger than 1 – this could be a good indication to tweak the playbook – maybe by using blocks or other logical steps.
- Closed alerts: Percentage of alerts that were closed by this playbook.
- Average run time: Average amount of time that this playbook took to run. This statistic can prove useful in identifying weak points in playbooks, such as manual actions and frequently-errored steps.
- Playbook runs status pie chart: Shows four options. Options are Finished Successfully, Failed, Waiting for User Action, or Terminated. This chart shows you playbook statuses according to the defined time period and is cumulative. Each option is clickable and will take you to a search results page displaying the cases that this playbook with the specific status was attached to.
- Playbook trends line chart: Shows completed runs, failed runs, terminated runs and a total of runs (both failed and successful). Hold the pointer over your mouse over each dot on the line to see a dialog showing more information. This chart can useful if a new playbook that you recently created is running as you've expected, or if an existing playbook that you recently improved was actually improved as you've expected or if more enhancements are needed in order to meet your expectations. For example, if you see that the playbook didn't run twenty times over the last month, you might then tweak the trigger logic to make the playbook more selective. You could then look at the Playbook trends line chart to check that the playbook ran successfully from that time onwards.
- Environments bar chart: Displays all the environments that this playbook ran in. Each section is clickable and will take you to a search results page.
Playbook summary
Navigate to the Cases page. Select a case, click an alert, then click the Playbooks tab. Click the hyperlinked playbook name on the left. The playbook summary side drawer opens. This shows the following information:
- Playbook name and status
- Time and length of playbook run
- Pending actions: If the playbook is waiting for the security engineer to do something, this will be displayed prominently at the top of the playbook summary. In addition, a push notification will be sent to the relevant user letting them know that the playbook is waiting for them.
- Integrations: list of integrations being used by this playbook. When clicking on an integration, the specific step will be marked in the playbook viewer so that the analyst can find the step that they wants to focus on.
- Playbook flow: each step that was run with its status and step result.
- Errors: any errors will be listed here. If an error caused the playbook to stop it will be highlighted at the top of the summary, but if it was skipped, it will be at the bottom. Each error is clickable and will direct you to the logs page. You can also choose to rerun the action or playbook from here.