Work with playbook Blocks
Blocks are mini playbooks that users can create and reuse in other playbooks.
The Blocks can implement workflows and logical decisions that might be reusable
across multiple playbooks. When you edit or change a Block, all playbooks
using it are affected, facilitating efficient maintenance and improvements.
You can configure input parameter fields in Blocks to adjust their internal
flow of actions when using them in other playbooks. Blocks can also return
output values to the parent playbook, allowing for interaction and conditional
logic.
Before you create these Blocks, it's advisable to take time to map out specific processes you can reuse in parent playbooks and consider the input fields that you can configure, as needed.
To add a new Block, do the following:
- In the Playbook screen, click Add and choose the folder and environment, and then click Create. We recommend that Admin users click All Environments.
- Enter the name of the new playbook Block. This example creates a Block that manages communication between the SOC and its clients.
- Add input parameters, as follows:
  - Select Input.
  - Click Add to add the input name and value fields. You can add as many fields as you need.
  - Enter the following details and click Save.
    - Communication Type – Require Approval (this example uses two communication types: Require Approval and Investigate).
    - Communication Method – Email
    - Additional Message – leave blank
  Use these inputs to condition the flow of the Block. Values that you add here act as default values, but you can modify them for each Block after inserting it into the parent playbook.
- Add a flow step to direct the playbook in a different direction according to which Input Type is entered. The types are:
  - Investigate
  - Require Approval
  Put these into different branches. Use the placeholders to pick up the Input types. There are two branches and an Else branch. The default branch, which goes with the default Input, is branch 1.
- The next stage is to build action steps for each of the branches. Start with the Require Approval branch (branch 1). In the Actions column, select Email > Send Email and fill in the required parameters. This step sends an email requesting user approval for a security analyst to remediate their machine.
- Select Flow > Condition and fill in the required parameters to confirm whether it's customer approved or not.
- In the Output step, add the word Approved to be returned to the parent Block.
- In the Output step of the Else branch, where the customer responded negatively, add Not Approved in the Output box.
- On the second branch, define the actions for the Input Communication Type, Investigate. In the Actions column, select Email > Send Email and fill in the required parameters. A placeholder is added for the additional message. If you change the Type to Investigate, enter a message in the Input Additional Message field.
- Select Siemplify > Assign Case to assign the case to the customer. This step hands responsibility for investigating the case to the customer, whose Tier 1 analyst reviews it.
- Select Siemplify > Change Case Stage. This step assumes confirmation that the customer is investigating, so the Case stage is changed to Investigation.
- Select Siemplify > Assign Case. This step assumes that the customer has finished the investigation and has asked the SOC to reclaim ownership of the case.
- Select Siemplify > Change Case Stage. This step changes the case stage from Investigation to Assessment so that the SOC can continue handling the case.
- In the Output step, add the words Investigation Completed to be returned to the parent playbook.
This Block can now be inserted into various playbooks.
Insert an existing Block
To insert an existing Block, do the following:
- In the Playbooks screen, click Add Step.
- In the Step Selection box, select the Blocks section.
- Drag the required Block into the middle of the playbook.