Explore the Playbooks page

Supported in:

Google secops SOAR

A playbook is built on triggers, actions, and flows. When it's triggered, the playbook progresses through actions to reach a final resolution. The flow of control runs from left to right, beginning with a defined trigger (yellow box) as the first component, which is mandatory. It then moves to the second component that can be a set of defined actions the playbook must perform (blue box). The last component involves determining the flow of the playbook with an if-then-else condition (purple box).

Open the playbooks page

To open the Playbooks page, go to Response > Playbooks.

The following actions are available:

Plus : Add a new playbook or block. Select the folder and environment for the playbook or block. You can select one or multiple environments and environment groups, or a combination of both. Even if a playbook is associated with a specific environment group, the associated environment group's scope can still be changed and the playbook's scope automatically updates to match the new environment group scope.
Edit : Select single or multiple playbooks and blocks for use with the Actions menu. To edit the folder name, click Edit, and click and hold the pointer over the name, and then change the folder name. Hold the pointer over the name, click it, and enter the new name. Once you the edit a playbook, you can delete playbooks, as needed.
Filter : Click filter_alt Filter to filter the display based on the following criteria:
Playbook simulator is on toggle
Show Active Playbooks toggle
Priority: Set the attachment order of playbooks for the alert. Only one playbook attaches automatically, based on priority.
Environments (multi-select option for environments and environment groups)

Menu

: click edit Edit and select the required playbooks or blocks before using Menu to perform bulk actions:

New Folder: Add a new playbooks folder; the playbook automatically inherits any changes made to its associated environment groups. Playbooks associated with environment groups can be applied to cases originating from any environment within those groups.
Duplicate: Create a duplicate playbook with these options:
Keep or change priority
Keep in same folder or move to a different folder
Single, multiple, or all environments, where all indicates all defined environments, present or future.
Export and Import: Transfer playbooks and playbook blocks between staging and production servers. Playbooks are exported or imported with their customized views included. The system accepts only ZIP files for import.
Move to: Move playbooks and blocks to a different folder, or create a new folder.
Delete: Delete playbooks and blocks. After you click the Edit icon, you can delete playbooks.

Top section of Playbook Designer

The top section of the Playbook Designer pane features a horizontal toggle to enable or disable the playbook. It also displays a summary, including the playbook name, creator's name, creation timestamp, associated environment, and a brief description. You can also activate the simulator and add a customized view.

Using the Playbook Designer's features, you can do the following actions:

Icon	Description
	Open Step Selection: opens a side drawer with available Triggers, Actions, Flow, and Blocks.
	Fits to screen: automatically adjusts the playbook to fit entirely on the screen.
	Reverts the playbook to its default arrangement.
	Zoom: zooms in to one or multiple steps in the playbook.
	Download the playbook as a PNG file.
	Undo reverts any changes that you have made.
	Redo redoes any changes that you have previously undone.
	Playbook monitoring: displays the individual playbook statistics.
	Playbook Navigator: displays all playbook actions and flows.