Playbook Design
Before you start designing and setting up your first playbook, you need to decide what kind of playbook you want to create.
Do you need a playbook that addresses:
Alerts: Which alerts do you address most frequently? Generate an alert report of the last 3 months and select the most common.
Use Case: What is your most common use case?
Standard Workflows: Which workflows do you have that could be automated? For example, provision new accounts, deprovision exiting employees, or scan and analyse vulnerabilities.
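To make the "select the most common alert" step concrete, here is an added example (not part of the Logpoint documentation or product) that ranks alert rules from an exported alert list over a 90-day window. The record layout, the rule names and the timestamps are constructed for illustration; the share column shows what fraction of the period's alert volume a playbook for that rule would cover.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample alert export (timestamp, alert rule name). The record
# layout is an assumption for this example, not Logpoint's report format.
SAMPLE_ALERTS = [
    ("2024-05-01T09:00:00Z", "Brute force login"),            # older than 90 days
    ("2024-05-20T14:30:00Z", "Phishing email reported"),      # older than 90 days
    ("2024-06-10T08:12:00Z", "Phishing email reported"),
    ("2024-06-11T22:05:00Z", "Brute force login"),
    ("2024-06-15T11:40:00Z", "Phishing email reported"),
    ("2024-07-02T03:15:00Z", "Malware detected on endpoint"),
    ("2024-07-05T17:20:00Z", "Brute force login"),
    ("2024-07-20T09:55:00Z", "Phishing email reported"),
    ("2024-07-28T13:10:00Z", "Phishing email reported"),
    ("2024-08-01T06:45:00Z", "Brute force login"),
    ("2024-08-14T10:30:00Z", "Phishing email reported"),
    ("2024-08-30T23:59:00Z", "Brute force login"),
    ("2024-08-31T12:00:00Z", "Malware detected on endpoint"),
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def alerts_in_window(alerts, now, days=90):
    """Keep only alerts raised within the last `days` days before `now`."""
    cutoff = now - timedelta(days=days)
    return [(ts, name) for ts, name in alerts if cutoff <= parse_ts(ts) <= now]


def rank_alerts(alerts, now, days=90, top_n=3):
    """Return the top_n alert rules in the window as (name, count, share_of_total)."""
    window = alerts_in_window(alerts, now, days)
    total = len(window)
    if total == 0:
        return []
    counts = Counter(name for _, name in window)
    return [(name, count, round(count / total, 3))
            for name, count in counts.most_common(top_n)]


if __name__ == "__main__":
    report_time = parse_ts("2024-09-01T00:00:00Z")
    for name, count, share in rank_alerts(SAMPLE_ALERTS, report_time):
        print(f"{name:<30} {count:>3}  {share:.1%}")
```

Run against a real export, the top entry is the natural candidate for your first alert-driven playbook; an alert that accounts for a large share of volume but follows the same handling steps every time is where automation pays off first.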
Building your first playbook
When designing:
Sketch your playbook on a piece of paper
Map all the security products you intend to use
Obtain all credentials needed to integrate security products
Make sure that the network connection is open from SOAR to the security product
Start building the playbook in the SOAR UI and test it thoroughly as you go along
Design the playbook to be as simple as possible
Think of building block playbooks that you will be able to reuse
Follow incident response guidelines and frameworks
Add a New Playbook
1. Go to Playbooks from the navigation bar.
2. Click + Create Playbook. On your playbook canvas, a Trigger and an End action block are automatically added.
3. Click the Configure icon of the Trigger block.
4. Enter a Name and Description.
5. Choose a Trigger Type for the playbook, if you choose:
5.1. Playbook or LogPoint SIEM Incident, enter or type the Input Parameters. Input Parameters correspond to Logpoint SIEM-based data. These parameters are the data SOAR will retrieve and use from SIEM.
5.2. Schedule, provide a Time and the interval to Repeat.
6. Click Save Data.
7. In Save Playbook, give the playbook a name and select a Category.
8. Select optional Tags. Tags help you search and sort through your playbooks list.
9. Select the folder where you want your playbook saved. You can use an existing one or create a new one. Click Edit to select an existing path to a folder. If you want to create a new folder, turn on Save Playbook in a New Directory and enter the name.
10. Click Select.
11. Click Save.
12. Click Add Action. Find the action you want to add and drag-and-drop it onto the playbook canvas. To learn more about the different action types, go to Actions & Action Blocks.
Remember to connect your trigger to the next action block. Click and drag the connectors on the side of the action block.
13. Add as many actions as you need. Make sure you click Save Data every time you update an Action or make changes to your playbook.
14. Once you finalize the playbook, connect the final block with the End block.
15. After you create a playbook, it’s a good idea to test it. Click the Test Playbook button.
Linking SIEM & SOAR
If you created a playbook based on a SIEM incident, you need to create the link between the SIEM incident and the SOAR playbook.
Configuring a New Trigger to link SIEM and SOAR Automation
1. In the navigation bar, click Incidents.
2. Find the incident in the list and click Incident Data. Copy the Alert Rule ID.
3. Click Save.
4. Enter the SQL query, using the right database or source name and the incident Alert Rule ID.
5. Expand Trigger.
6. Add an optional Description.
7. In Source, type or enter the Logpoint database name. You can find the name by going to Settings>SOAR Settings from the navigation bar and then clicking Sources.
8. Give the trigger a Name.
9. Click Create Trigger at the top right.
10. Click Triggers.
11. In the navigation bar, click Playbooks.