Work with Playbooks

After you select which playbooks to run, or which playbooks to set up, there are several ways to work with your playbooks:

1. Monitoring Playbook Runtimes

2. Run-time Monitoring

3. Debugging Playbooks

4. System Backup Export

5. Execution Tracking

6. Get notified when an incident is triggered

Monitor Playbooks

Monitoring playbooks lets you oversee and analyze the automated workflows that respond to security incidents. It involves tracking the parameters each action block takes as input, the execution and status of each action block, the playbook's performance metrics, alerting, error handling, and continuous improvement of these pre-defined playbooks.

Playbook execution Status can be:

  • Partially Succeeded

  • Succeeded

  • Failed

  • Cancelled

  • Skipped

  • Paused

  • Stopped

Monitoring Playbooks

1. On the Playbooks page, click the Monitoring button to go to the Playbooks Monitoring page.

You can filter the results based on the Playbook Name, Status of the execution, and date range. You can also refresh the list by clicking Reload.

The Playbook Monitoring list includes the following fields for each executed playbook:

  • Playbook Name

  • Results of the executed playbook in JSON format.

  • Runtime takes you to the playbook’s Runtime Mode, where you can see the status of all the actions.

  • Re-Run

  • Source

  • Initiated By is the user who triggered the playbook.

  • Run As

  • Last Run time.

  • Status of the execution.

  • Progress of the execution as a percentage.

  • Number of Total Actions in the playbook.

  • Number of Completed actions.

  • Start time

  • End time

  • Duration of the execution.

Run-time Monitoring

Use runtime monitoring to observe and analyze the execution of automated workflows during active incident response or during manual execution of a playbook. Runtime monitoring ensures that playbooks function correctly and efficiently in real time.

It focuses on playbook execution metrics, including Duration, Status, Progress, and Total Actions.

Monitoring a Playbook During Run-Time

1. In Monitoring, find the relevant playbook under Playbook Name.

2. Click the Runtime icon next to the playbook.

The playbook canvas displays the executed playbook and all its actions. Each action in the playbook is marked with a specific color. What each color means, or what status it reflects, is listed in the legend at the bottom of the playbook canvas.

Click an action block to see its input parameters, output parameters, and any errors the action block encountered.

You can also monitor a playbook’s sub-playbook.

3. Click Open Playbook in the relevant playbook action block.


Debug Playbooks

Debugging means analyzing and troubleshooting issues with the configuration, functionality, or performance of playbooks before they run against live incidents. This includes testing and fine-tuning automated conditional logic and workflows, and verifying custom scripts, decision trees, and API integrations. Debugging ensures that playbooks behave as intended during live incident response.

Debugging a playbook

1. To debug a playbook, click the playbook and then click Debug.

2. To debug a playbook’s sub-playbook, click Open Playbook in the relevant playbook action block.


Execution Tracking

You can track all the internal stages of a playbook’s execution from Execution Tracking, from activation to completion.


Execution Tracking is disabled by default. Contact Logpoint Support to enable it.

There are three ways to track playbook execution:

Track Incidents from the SIEM tracks the execution of playbooks that Logpoint incidents trigger automatically.

Tracking Incidents from SIEM

  1. Enter the incident ID and click Get Tracking Info.

Track Manual Playbook Execution tracks manually triggered playbooks.

Tracking Manual Playbook Execution

Select a playbook from the list.

Pending Playbooks tracks all the pending playbooks waiting for execution or for user input. After tracking its status, you can terminate its run.

Tracking Pending Playbook Execution

Terminating Pending Playbook

Select the playbook and click Terminate Selected Playbooks.

Get notified when an incident is triggered

SOAR sends email alerts when an incident is triggered in Logpoint. Configure the SMTP server settings, such as the Sender E-mail Address, User Name, and Password. The recipient addresses are added from the playbook email action, where you list them as a comma-separated list.

Setting up e-mail notifications

1. Go to Settings >> SOAR Settings from the navigation bar and click E-Mail Configurations.

2. In Sender E-mail Address, enter the email address through which the alerts are sent.

3. Enter the User Name of the sender.

4. Enter a Password.

5. Enter the SMTP Server Port you want to use for communication. It should be an integer value between 1 and 65536. Use either port 587 or 2525 if you are not sure which port to set here.

6. In SMTP Server Host, enter the host of the email provider you are using, for example Gmail, MailChimp, or AOL.

7. Select Use SMTP TLS to encrypt the connection to the mail server so that messages are not sent in clear text.

8. Select Use SMTP Authentication if the mail server requires the sender to prove it is permitted to send email through it.

9. Click Save.

Adding Email Recipients with the Email Action

1. Enter an Action Name and its Description.

2. Enter a comma-separated list of Recipients, CC recipients, and BCC recipients.

3. Enter a Subject.

4. Enter the e-mail Body.

5. Enter a key-value separated list of Input Parameters.

6. Click Save Data.
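As an added example (not Logpoint's own code), the following script checks a notification configuration like the one entered on the E-Mail Configurations form and parses the comma-separated recipient fields of the Email action; the field names and sample values are assumptions, and the one check that matters most for security is that SMTP Authentication without SMTP TLS would send the sender credentials unencrypted.

```python
# Added example, not Logpoint SOAR code. Field names are assumed; the
# sample settings at the bottom are constructed data.
import smtplib
from email.message import EmailMessage

def parse_recipients(field: str) -> list[str]:
    """Split a comma-separated Recipients/CC/BCC field into clean addresses."""
    return [a.strip() for a in field.split(",") if a.strip()]

def check_smtp_settings(cfg: dict) -> list[str]:
    """Return a list of problems found in the notification settings."""
    problems = []
    port = cfg.get("smtp_port")
    # Valid TCP ports are 1..65535; the form expects an integer here.
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"smtp_port {port!r} is not a valid TCP port")
    if not cfg.get("smtp_host"):
        problems.append("smtp_host is empty")
    if not cfg.get("sender"):
        problems.append("sender address is empty")
    if cfg.get("use_auth"):
        if not (cfg.get("username") and cfg.get("password")):
            problems.append("use_auth is set but username/password is missing")
        if not cfg.get("use_tls"):
            # Without TLS the login exchange crosses the network in clear text.
            problems.append("use_auth without use_tls sends credentials unencrypted")
    return problems

def send_notification(cfg: dict, to: str, cc: str = "", subject: str = "", body: str = "") -> None:
    """Send one mail with these settings (needs network access to the SMTP host)."""
    msg = EmailMessage()
    msg["From"] = cfg["sender"]
    msg["To"] = ", ".join(parse_recipients(to))
    if cc:
        msg["Cc"] = ", ".join(parse_recipients(cc))
    msg["Subject"] = subject
    msg.set_content(body)
    with smtplib.SMTP(cfg["smtp_host"], cfg["smtp_port"], timeout=10) as s:
        if cfg.get("use_tls"):
            s.starttls()  # upgrade to TLS before any credentials are sent
        if cfg.get("use_auth"):
            s.login(cfg["username"], cfg["password"])
        s.send_message(msg)

# Constructed sample settings: authentication enabled but TLS left off.
SAMPLE_CFG = {"sender": "soar@example.com", "username": "soar", "password": "changeme",
              "smtp_port": 587, "smtp_host": "smtp.example.com",
              "use_tls": False, "use_auth": True}

if __name__ == "__main__":
    for p in check_smtp_settings(SAMPLE_CFG):
        print("WARNING:", p)
```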
