Blocks are mini playbooks that users can create and reuse in other playbooks.
The Blocks can implement workflows and logical decisions that might be reusable
across multiple playbooks. When you edit or change a Block, all playbooks
using it are affected, facilitating efficient maintenance and improvements.
You can configure input parameter fields in Blocks to adjust their internal
flow of actions when using them in other playbooks. Blocks can also return
output values to the parent playbook, allowing for interaction and conditional
logic.
Before you create these Blocks, it's advisable to stake time to map out
specific processes you can reuse in parent playbooks and consider the input
fields that you can configure, as needed.
To add a new Block, do the following:
In the Playbook screen, click
add
Add and choose the folder and environment, and then click Create.
We recommend that Admin users click All Environments.
Enter the name of the new playbook Block.
This example creates a Block that manages communication between the SOC and
its clients.
Add input parameters, as follows:
Select Input.
Click
add
Add to add the input name and value fields. You can add as many fields as you need.
Enter the following details and click Save.
Communication Type – Require Approval (where we have decided we will
have two different communication types: Require Approval and Investigate).
Communication Method – Email
Additional Message – leave blank use these inputs to
condition the flow of the Block. If you add values here, they will act as
default values. When you add values here, you set them as default, but you
can modify them for each Block after inserting them into the parent playbook.
Add a flow step
Add a flow step to direct the playbook in a
different direction according to which Input Type is entered.
The types are:
Investigate
Requires Approval
Put these into different branches. Use the placeholders to
pick up the Input types. There are
two branches and an Else branch. The default branch which would go with the
default Input is branch 1.
The next stage would be to build action steps for each of the branches.
Organize these into different branches. Use placeholders to identify the
input types. Start with the Require Approval branch (branch 1). In
the Actions column, select Email > Send Email and fill in
the required parameters. This step sends an email requesting user approval
for a security analyst to remediate their machine.
Select Flow > Condition and fill in the
required parameters to confirm whether it's customer approved or not.
In the Output step, add the word
Approved to be returned to the parent Block.
In the Output step of the Else branch, where the customer responded
negatively, add Not Approved in the Output box.
On the second branch, define the actions for the Input Communication Type, Investigate.
In the Actions column, select Email > Send Email and fill in the required parameters. A placeholder is added for the additional message. If you change the Type to Investigate, enter a message in the Input Additional Message field.
Select Siemplify > Assign Case to assign the case to the
customer, directing their Tier 1 analyst to review it. Here we
are going to put the responsibility for investigating the case over to the
customer to get his Tier 1 analyst to look at it.
Select Siemplify > Change Case Stage. This step assumes
confirmation that the customer is investigating, so the Case stage is
changed to Investigation.
Select Siemplify > Assign case. This
step assumes that the customer has finished investigation and has asked the
SOC to reclaim ownership of the case.
Select Siemplify > Change Case Stage.
This step now changes the case stage from Investigation to Assessment so
that the SOC can carry on with his handling the case.
In the Output step, add the words Investigation Completed to be
returned to the parent playbook.
This Block can now be inserted into various playbooks.
Insert an existing Block
To insert an existing Block, do the following
In the Playbooks screen, click Add Step.
In the Step Selection box, select the Blocks section.
Drag the required Block into the middle of the playbook.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003ePlaybook Blocks are reusable mini-playbooks that can implement workflows and logical decisions, simplifying maintenance and improvements across multiple playbooks.\u003c/p\u003e\n"],["\u003cp\u003eWhen using a Block within a parent playbook, users can configure Input parameters to dynamically modify the Block's internal actions and flow.\u003c/p\u003e\n"],["\u003cp\u003eBlocks can return an Output value to the parent playbook, enabling interaction and conditional logic between the Block and its parent playbook.\u003c/p\u003e\n"],["\u003cp\u003eCreating a new Block involves defining Input parameters, establishing conditional branches based on input values, and configuring action steps for each branch.\u003c/p\u003e\n"],["\u003cp\u003eExisting Blocks can be easily integrated into new playbooks by dragging and dropping them from the Blocks section in the Step Selection box.\u003c/p\u003e\n"]]],[],null,["# Work with playbook Blocks\n=========================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nBlocks are mini playbooks that users can create and reuse in other playbooks.\nThe Blocks can implement workflows and logical decisions that might be reusable\nacross multiple playbooks. When you edit or change a Block, all playbooks\nusing it are affected, facilitating efficient maintenance and improvements. \n\nYou can configure input parameter fields in Blocks to adjust their internal\nflow of actions when using them in other playbooks. Blocks can also return\noutput values to the parent playbook, allowing for interaction and conditional\nlogic. \n\n\nBefore you create these Blocks, it's advisable to stake time to map out\nspecific processes you can reuse in parent playbooks and consider the input\nfields that you can configure, as needed.\n\nTo add a new Block, do the following:\n\n1. In the **Playbook** screen, click add **Add** and choose the folder and environment, and then click **Create** . We recommend that Admin users click **All Environments**.\n2. Enter the name of the new playbook Block. This example creates a Block that manages communication between the SOC and its clients. \n3. Add input parameters, as follows:\n 1. Select **Input**.\n 2. Click add **Add** to add the input name and value fields. You can add as many fields as you need.\n 3. Enter the following details and click **Save**.\n4. **Communication Type** -- Require Approval (where we have decided we will have two different communication types: **Require Approval** and **Investigate**).\n5. **Communication Method** -- Email\n6. **Additional Message** -- leave blank \n use these inputs to condition the flow of the Block. \n If you add values here, they will act as default values. When you add values here, you set them as default, but you can modify them for each Block after inserting them into the parent playbook.\n\n### Add a flow step\n\n7. Add a flow step to direct the playbook in a different direction according to which Input Type is entered. \n\n The types are: \n - *Investigate*\n - *Requires Approval*\n\n \u003cbr /\u003e\n\n Put these into different branches. Use the placeholders to pick up the Input types. There are two branches and an Else branch. The default branch which would go with the default Input is branch 1.\n8. The next stage would be to build action steps for each of the branches.\n9. Organize these into different branches. Use placeholders to identify the input types. Start with the *Require Approval* branch (branch 1). In the **Actions** column, select **Email \\\u003e Send Email** and fill in the required parameters. This step sends an email requesting user approval for a security analyst to remediate their machine.\n10. Select **Flow \\\u003e Condition** and fill in the required parameters to confirm whether it's customer approved or not.\n11. In the Output step, add the word *Approved* to be returned to the parent Block.\n12. In the Output step of the Else branch, where the customer responded negatively, add Not Approved in the Output box. \n13. On the second branch, define the actions for the Input Communication Type, **Investigate** . In the **Actions** column, select **Email \\\u003e Send Email** and fill in the required parameters. A placeholder is added for the additional message. If you change the **Type** to **Investigate** , enter a message in the **Input Additional Message** field. \n14. Select **Siemplify \\\u003e Assign Case** to assign the case to the customer, directing their Tier 1 analyst to review it. Here we are going to put the responsibility for investigating the case over to the customer to get his Tier 1 analyst to look at it. \n15. Select **Siemplify \\\u003e Change Case Stage** . This step assumes confirmation that the customer is investigating, so the Case stage is changed to **Investigation** . \n16. Select **Siemplify \\\u003e Assign case** . This step assumes that the customer has finished investigation and has asked the SOC to reclaim ownership of the case. \n17. Select **Siemplify \\\u003e Change Case Stage** . This step now changes the case stage from Investigation to Assessment so that the SOC can carry on with his handling the case. \n18. In the Output step, add the words *Investigation Completed* to be returned to the parent playbook. \n\n\nThis Block can now be inserted into various playbooks.\n\n### Insert an existing Block\n\n\nTo insert an existing Block, do the following\n\n1. In the **Playbooks** screen, click **Add Step** . \n2. In the **Step Selection** box, select the **Blocks** section. \n3. Drag the required Block into the middle of the playbook.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
