Playbooks
A playbook represents an automated process. It is made up of individual action blocks; each action block is a single step within the process. You can create your own playbook or use one of Logpoint's generic playbooks for specific use cases, such as User Reported Phishing.
Before you start working with playbooks, check your system requirements. If you haven't yet, learn how here.
Types
There are three types of playbooks:
Incident-triggered Playbook starts or is triggered when a specific SIEM-based Alert Rule generates an incident because the conditions of the rule match detected activity.
Scheduled Playbook is set up to start automatically at a scheduled time.
Manual A Logpoint user starts or triggers a playbook manually or a parent playbook uses the playbook as a sub-playbook as part of a broader process.
Incident-Triggered Playbook
Playbooks start or are triggered when a specific SIEM-based Alert Rule generates an incident because the conditions of the rule match detected activity. Because this type of playbook depends on a SIEM-based Alert Rule, and access to Alert Rules is controlled through User Groups, you first need to make sure that the users who will view or work with the playbook are part of the User Group that has permission to access the relevant Alert Rule.
To learn how to check and grant access to an Alert Rule, go to Step 20 in Creating an Alert Rule.
Trigger
The Trigger is linked to a Logpoint Alert Rule; the Alert Rule is what connects the SOAR playbook with the SIEM incident. When an Alert Rule generates an incident, it can also trigger the activation of a playbook at the same time.
Playbook/Incident Trigger
Before you set up a playbook trigger, you need to have an Alert Rule set up first. SOAR lists all of your Alert Rules, so you simply select the one you want to use for the playbook you want to run. Remember to assign the relevant Alert Rule permission to the right user group before you start.
Change Playbook Trigger
If you have an existing playbook set up the way you need, you can change the trigger so the playbook runs on it.
Changing the Playbook Trigger
1. In the navigation bar, click Playbooks.
2. Find the relevant playbook in the list.
3. In the Actions column, click the ellipsis and then Triggers.
4. In Edit Triggers > Alert Rule, find the alert rule you want to use as the trigger.
5. Click Save.
Configure an Incident Trigger
A trigger uses basic SQL to query the Logpoint database. When you set up your query, the fields you need to query are the incident's alert rule ID or name.
Here are two examples:
SELECT * FROM LogPoint WHERE alertrule_id ='7697f1f68199cc99c9eb70e829e93f64'
SELECT * FROM LogPoint WHERE name ='Test_soar_trigger'
Before you can add a trigger you will need the Incident’s Alert Rule ID.
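Because a trigger query only fires if the source name and the alert rule ID are exactly right, it helps to check a query before saving it. The checker below is an added example (not Logpoint code): it parses the documented query shape, SELECT * FROM <source> WHERE <field> = '<value>', and reports mismatches. It assumes the configured source is compared by exact name and that alert rule IDs are 32 hex characters, as in the example above.

```python
import re

# Documented trigger query shape: SELECT * FROM <source> WHERE <field> = '<value>'
# (this parser is an added example, not part of Logpoint SOAR)
TRIGGER_RE = re.compile(
    r"^\s*SELECT\s+\*\s+FROM\s+(?P<source>\w+)\s+WHERE\s+"
    r"(?P<field>\w+)\s*=\s*'(?P<value>[^']*)'\s*;?\s*$",
    re.IGNORECASE,
)
# The two fields the page says a trigger should filter on.
ALLOWED_FIELDS = {"alertrule_id", "name"}
# Assumption: alert rule IDs look like the page's example (32 hex characters).
ALERTRULE_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_trigger_query(sql):
    """Return {'source', 'field', 'value'} for a well-formed trigger query, else None."""
    m = TRIGGER_RE.match(sql)
    if not m:
        return None
    return {
        "source": m.group("source"),
        "field": m.group("field").lower(),
        "value": m.group("value"),
    }


def check_trigger_query(sql, expected_source):
    """Return a list of problems found in the query; an empty list means it looks right."""
    parsed = parse_trigger_query(sql)
    if parsed is None:
        return ["query does not match SELECT * FROM <source> WHERE <field> = '<value>'"]
    problems = []
    if parsed["source"] != expected_source:
        problems.append(f"source {parsed['source']!r} is not the configured source {expected_source!r}")
    if parsed["field"] not in ALLOWED_FIELDS:
        problems.append(f"field {parsed['field']!r} is not alertrule_id or name")
    elif parsed["field"] == "alertrule_id" and not ALERTRULE_ID_RE.match(parsed["value"]):
        problems.append("alertrule_id is not a 32-character hex ID; re-copy it from Incident Data")
    elif parsed["field"] == "name" and not parsed["value"].strip():
        problems.append("name is empty")
    return problems


if __name__ == "__main__":
    # The two queries from the page, checked against the source name "LogPoint".
    for q in ("SELECT * FROM LogPoint WHERE alertrule_id ='7697f1f68199cc99c9eb70e829e93f64'",
              "SELECT * FROM LogPoint WHERE name ='Test_soar_trigger'",
              "SELECT * FROM LogPoint WHERE alertrule_id ='7697f1f6'"):
        print(q, "->", check_trigger_query(q, "LogPoint") or "ok")
```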
Configuring a New Trigger to link SIEM and SOAR Automation
1. In the navigation bar, click Incidents.
2. Find the incident in the list and click Incident Data. Copy the Alert Rule ID.
3. Click Save.
4. Enter the SQL query, using the right database or source name and the incident Alert Rule ID.
5. Expand Trigger.
6. Add an optional Description.
7. In Source, enter the Logpoint database name. You can find the name by going to Settings > SOAR Settings from the navigation bar and then clicking Sources.
8. Give the trigger a Name.
9. Click Create Trigger at the top right.
10. Click Triggers.
11. In the navigation bar, click Playbooks.
Scheduled
A Scheduled Playbook is set up to start automatically at a scheduled interval. It runs when you want it to. It is not triggered by a SIEM-based alert or incident.
Setting up a Scheduled Playbook Run
1. In the navigation bar, click Playbooks.
2. Click Create Playbook at the top right.
3. Click the settings icon at the bottom right.
4. In Action Configuration, give your trigger a name.
5. In Trigger Type, select Schedule.
6. Use Run Playbook to select the frequency or time frame.
7. Click Save Data.
Manual
A Logpoint user starts or triggers a playbook manually or a parent playbook uses the playbook as a sub-playbook as part of a broader process. If the manual playbook is a sub-playbook, it will return the results to Parent Playbook. To do this, you need to configure the End action as “Playbook Results.”
Running a Playbook Manually
1. In the navigation bar, click Playbooks.
2. Click Create Playbook at the top right.
3. Click the settings icon at the bottom right.
4. In Action Configuration, give your trigger a name.
5. Add a description so other SOAR users can easily understand what the trigger is.
6. In Trigger Type, select Playbook.
7. Add the input parameters. These are the parameters or values that come from the parent playbook that the sub-playbook will use to run or complete its task/workflow.
8. Click Save Data.