Working with Playbook Blocks

Supported in:

Blocks are mini playbooks that users can create and reuse in other playbooks. The Blocks can implement workflows and logical decisions that might be useful in multiple playbooks. When you edit or change a Block, all playbooks using it will be affected which allows easy maintenance and playbooks improvement.
When Blocks are used within other playbooks, users can configure Input parameter fields into the Block to alter its inner flow of actions.
The Block can also return an Output value into the parent playbook to allow interaction and conditioning between the two.

Before you create these blocks, it's advisable to spend time initially to map out specific processes that you can easily reuse in parent playbooks, as well as giving thought to Input fields which can be configured per need.

The screenshot below provides an example of a reusable Playbook Block.

reusableblock

To add a new block:

  1. In the Playbook screen, click on the icon and choose the folder and the environment and click Create. We recommend that Admin users click All Environments as best practice.
  2. In the screen that opens, fill out the name of the new Playbook Block at the top of the screen. For this example, we will create a Block that handles all communication between the SOC and its clients.
  3. Let's start off by adding Input parameters. Double click on the Input box and then click on the icon to add the input name and value fields. You can add as many fields as you need. Enter the following for the name and default values in the fields and then, click Save:
  • Communication Type – Require Approval (where we have decided we will have two different communication types: Require Approval, Investigate)
  • Communication Method – Email
  • Additional Message – leave blank
    We will use these inputs to condition the flow of the Block.
    If we add values here, they will act as default values. Note that they can be changed for each and every block after you have inserted them into the parent playbook.
    resuableblock
  • Let's now add a Flow step which will direct the Playbook in a different direction according to which Input Type is entered.
    The types as we mentioned above are:
    Investigate
    Requires Approval
    Now let's put these into different branches. Use the placeholders to pick up the Input types. As you can see in the following screenshot, we have two branches and an Else branch. The default branch which would go with the default Input is branch 1.
    flowforblocks
  • The next stage would be to build action steps for each of the branches.
  • Let's start with branch 1 which is the Require Approval branch. In the Actions column, select Email > Send Email and fill in the required parameters. This step sends an email asking the user for approval for a security analyst to perform Remediation on their machine.
  • In the next step, select Flow > Condition and fill in the required parameters. This step asks if the customer approved or not.
  • In the Output step where the customer approved it, add the word Approved to be returned to the parent block.
  • In the Output step of the Else branch, where the customer responded negatively, add Not Approved in the Output box.
  • Let's move onto the second branch. In this sequence we are defining what would happen if the Input Communication Type is Investigate. In the Actions column, select Email > Send Email and fill in the required parameters. In the screenshot below, you can see that we added the placeholder for the Additional Message. Make sure that you actually write a message in the Input Additional Message field if you change the Type to Investigate.
  • In the next step, select Siemplify > Assign Case. Here we are going to put the responsibility for investigating the case over to the Customer to get his Tier 1 analyst to look at it.
  • In the next step, select Siemplify > Change Case Stage. This step presumes that we have received confirmation that the Customer is investigating and therefore we are changing the Case stage to Investigation.
  • In the next step, select Siemplify > Assign case. This step assumes that the customer has finished investigation and has asked the SOC to reclaim ownership of the case.
  • In the next step, select Siemplify > Change Case Stage. This step now changes the case stage from Investigation to Assessment so that the SOC can carry on with his handling the case.
  • In the Output step, add the word Investigation Completed to be returned to the parent playbook.

This block can now be inserted into various Playbooks.

To insert an existing block:

  1. In the Playbooks screen, click Add Step.
  2. In the Step Selection box, select the Blocks section.
  3. Drag the required block into the middle of the Playbook. 

Need more help? Get answers from Community members and Google SecOps professionals.