Adding a Playbook

  1. Click Playbooks in the navigation bar.

  2. Click +Create Playbook.

  3. Click the Configure (configure) icon of the trigger block.

  4. Enter an Action Name and a Description.

  5. Select a Trigger Type.

    If you select Playbook or Logpoint SIEM Incident, enter a list of Input Parameters.

    If you select Schedule, select a Run Playbook time.

    • For At a Specific Time, select a Time and whether you want the playbook to repeat every Day or Week.

    • For Every X Hours, enter the Hours.

    • For Every X Minutes, enter the Minutes.

    _images/LP_SOAR_Playbooks_Add_TriggerConfiguration.png

    Configuring the Trigger

  6. Click Save Data.

  7. In Save Playbook, enter the Playbook Name, select the Category, enter the Tags, select the Path, enter the Description and click Save.

    _images/LP_SOAR_Playbooks_SavePlaybook.png

    Saving Playbook

  8. Click + Add Action.

    _images/LP_SOAR_Playbooks_AddAction.png

    Add Action Button

  9. Drag and drop a playbook action type.

    _images/LP_SOAR_Playbooks_ConfigureActionBlock.png

    Drag and Drop a Playbook Action Type

  10. Click the Configure (configure) icon of the block and enter the details. Go to Action Block Types to learn more.

  11. Click Save Data.

    Repeat steps 8, 9, 10, and 11 to add more blocks.

    Warning

    Make sure you click Save Data every time you update the configurations of a block. Otherwise, the updated data may be lost.

  12. Connect a node from a block to a node of another block to connect two blocks.

  13. Once you finalize the playbook, connect the final block with the End block.

  14. Click Save.

    _images/LP_SOAR_Playbooks_Add_Save.png

    Saving the Playbook

Note

  • You can clone an action block by clicking the (clone) icon.

Snap to Grid

You can align an action block to the nearest grid line by enabling Snap to Grid.

SLA Support

Service Level Agreements (SLAs) are the predefined timeframes within which specific actions or responses must be completed. These agreements set the expected time for handling security incidents or tasks, ensuring that the playbook meets your standards for response times.

Editing playbook configurations allows you to enable SLA support and generate SLA reports. Enabling SLA support allows you to handle cases created based on the playbook within a time period defined in the SLA configuration.

For example, if you set the SLA Timer Value to 01:00:00, the case should be handled within one hour. If the first Trigger % is 80%, the playbook selected for that trigger runs after 48 minutes. If the second Trigger % is 100%, the playbook selected for the second trigger runs after an hour.

To enable SLA support:

  1. Click Playbooks in the navigation bar.

  2. Click Add New Playbook +, and add and save the configuration.

    Or, select a playbook from the list in the Playbooks page.

  3. Click SLA.

    _images/LP_SOAR_Playbooks_Add_SLA.png

    SLA

  4. Enable Support SLA.

    _images/LP_SOAR_Playbooks_Add_EnableSupportSLA.png

    Enable Support SLA

  5. Select SLA Timer Value.

  6. Select a Playbook and enter its Trigger %. You can add another playbook and its trigger %.

    When the SLA time period defined in the SLA Timer Value reaches the trigger %, the selected playbook runs.

  7. Click Save.
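
The relationship between the SLA Timer Value and each Trigger % described above can be checked before you save the configuration. The following is an added example, not Logpoint code: it assumes the timer is written as HH:MM:SS (as in the 01:00:00 example), and the playbook names, function names and case timestamp are hypothetical.

```python
from datetime import datetime, timedelta

def parse_sla_timer(value):
    """Parse an SLA Timer Value; HH:MM:SS is assumed from the page's 01:00:00."""
    parts = value.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected HH:MM:SS, got {value!r}")
    hours, minutes, seconds = map(int, parts)
    if minutes > 59 or seconds > 59:
        raise ValueError(f"minutes and seconds must be 00-59 in {value!r}")
    timer = timedelta(hours=hours, minutes=minutes, seconds=seconds)
    if not timer:
        raise ValueError("SLA timer must be longer than zero")
    return timer

def sla_plan(timer_value, triggers, case_created):
    """Return the SLA deadline and the time each trigger playbook runs."""
    timer = parse_sla_timer(timer_value)
    schedule = []
    for playbook, percent in triggers:
        if percent <= 0:
            raise ValueError(f"Trigger % must be positive: {playbook}={percent}")
        # The playbook runs once this share of the SLA timer has elapsed.
        schedule.append((case_created + timer * percent / 100, percent, playbook))
    return {"deadline": case_created + timer, "schedule": sorted(schedule)}

def status_at(plan, now):
    """Split triggers into fired and pending for a case still open at `now`."""
    fired = [pb for when, _, pb in plan["schedule"] if when <= now]
    pending = [pb for when, _, pb in plan["schedule"] if when > now]
    return {"fired": fired, "pending": pending, "overdue": now >= plan["deadline"]}

if __name__ == "__main__":
    # Constructed sample: playbook names and the case timestamp are hypothetical.
    created = datetime(2024, 1, 1, 9, 0, 0)
    plan = sla_plan("01:00:00",
                    [("Escalate-To-Lead", 100), ("Notify-Analyst", 80)], created)
    for when, percent, playbook in plan["schedule"]:
        print(f"{when:%H:%M:%S}  {percent:>3}%  {playbook}")
    print(status_at(plan, datetime(2024, 1, 1, 9, 50, 0)))
```
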

Testing a Playbook

Once you create a playbook, you can test it by clicking Test Playbook.

_images/LP_SOAR_Playbooks_Add_Test.png

Test Playbook

Exporting a Playbook

You can also export the playbook by clicking Export Playbook.

_images/LP_SOAR_Playbooks_Add_Export.png

Export Playbook

Edit Playbook Configurations

You can modify and customize the settings and workflows of automated playbooks within a SOAR platform, but you can’t rename an existing playbook.

  1. Click Playbooks in the navigation bar.

  2. Search for a playbook by filtering the list according to playbook Category or search for one by entering its Playbook Name.

  3. In the playbook, click Edit Configurations.

_images/editconfig.png

Editing Playbook Configurations

  4. Edit the Category, the Tags, the Path, the Description and the Global Parameters.

  5. Click Save.

_images/editplg.png

Saving Playbook Configurations

Playbook Versions

Every time a playbook is updated or saved, a different version of the playbook is created. You can give each playbook version a unique name, and also restore the previous version of the playbook when needed.

You can view versions by clicking the (version) icon.

_images/LP_SOAR_Playbooks_Version.png

View Playbook Versions

Restoring a Playbook Version

You can restore the previous version by selecting the playbook and clicking Restore.

_images/LP_SOAR_Playbooks_All_Version.png

Restoring Version

You can select Named Only to view only named versions and select All Versions to view all versions.

