Playbook Menu
I wanted to share this to see if anyone is interested in this. Or if someone else has done something along these lines?
We have pull-downs where the analysts can select the action that they want to take.
Comments
This looks awesome!
We've had some folder structure to organize the playbooks for the content engineers, but were not able to make use of it for the analysts as this folder structure was simply not available to them.
How did you achieve the separation shown in the screenshot? Are new playbooks "automagically" showing up there, or would someone have to edit the action in the backend to include each new playbook?
Thanks for sharing!
Marek
As part of onboarding (we are new to this SOAR), we requested a multi-prompt closing playbook for the analysts. When I saw how they did it, I took that code and modified it. Here is what I used for the playbooks.
from SiemplifyUtils import output_handler
from ScriptResult import EXECUTION_STATE_COMPLETED, EXECUTION_STATE_INPROGRESS, EXECUTION_STATE_FAILED
from TIPCommon import extract_configuration_param, extract_action_param, construct_csv, add_prefix_to_dict
from SiemplifyAction import *
import json


@output_handler
def main():
    # Create the action context outside the try block so it is always defined in the except branch
    siemplify = SiemplifyAction()
    try:
        # One optional drop-down parameter per menu category; None when the analyst left it blank
        WorkStation = extract_action_param(siemplify, param_name="WorkStation Playbooks", is_mandatory=False, default_value=None)
        Internal_IP = extract_action_param(siemplify, param_name="Internal IP Playbooks", is_mandatory=False, default_value=None)
        External_IP = extract_action_param(siemplify, param_name="External IP Playbooks", is_mandatory=False, default_value=None)
        URL = extract_action_param(siemplify, param_name="URL Playbooks", is_mandatory=False, default_value=None)
        File = extract_action_param(siemplify, param_name="File Playbooks", is_mandatory=False, default_value=None)
        Hash = extract_action_param(siemplify, param_name="Hash Playbooks", is_mandatory=False, default_value=None)
        User = extract_action_param(siemplify, param_name="User Playbooks", is_mandatory=False, default_value=None)
        Escalation = extract_action_param(siemplify, param_name="Escalation Playbooks", is_mandatory=False, default_value=None)

        # Human-readable record of the selections, written to the case wall as a comment
        comment = ("WorkStation Playbooks: " + str(WorkStation) + "\n"
                   + "Internal IP Playbooks: " + str(Internal_IP) + "\n"
                   + "External IP Playbooks: " + str(External_IP) + "\n"
                   + "URL Playbooks: " + str(URL) + "\n"
                   + "File Playbooks: " + str(File) + "\n"
                   + "Hash Playbooks: " + str(Hash) + "\n"
                   + "User Playbooks: " + str(User) + "\n"
                   + "Escalation Playbooks: " + str(Escalation) + "\n")

        # Machine-readable copy of the same selections; the playbook block reads this to decide what to run next
        json_results = [{"WorkStation Playbooks": WorkStation,
                         "Internal IP Playbooks": Internal_IP,
                         "External IP Playbooks": External_IP,
                         "URL Playbooks": URL,
                         "File Playbooks": File,
                         "Hash Playbooks": Hash,
                         "User Playbooks": User,
                         "Escalation Playbooks": Escalation}]
        siemplify.result.add_result_json(json.dumps(json_results))
        siemplify.add_comment(comment)

        output_message = "Comment added to case:\n %s" % comment
        status = EXECUTION_STATE_COMPLETED
        siemplify.end(output_message, True, status)
    except Exception as e:
        # Log the underlying error so a failed launch is diagnosable rather than silently swallowed
        siemplify.LOGGER.error("Failed to add comment: %s" % e)
        status = EXECUTION_STATE_FAILED
        output_message = "failed to add comment"
        siemplify.end(output_message, False, status)


if __name__ == '__main__':
    main()
This is what it looks like.
The lists are just your playbooks. For example, this is the WorkStation Playbooks list. (I need to rename it to Hosts; IDK what I was thinking.)
Then the block launches this function, checks the output, executes the selected playbook, and relaunches the block.
The only way out is to close the case or escalate to IR or Content Engineering, which have their own menus.
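The block described above (launch the menu action, read its JSON result, run the chosen playbook, relaunch until the analyst closes or escalates) can be written down as plain dispatch logic. The following is an added example, not code from this thread or from the SOAR vendor: it consumes the single-element JSON list the action above emits, and adds the check a practitioner would want in front of any dispatcher, namely that the selected name is one of the drop-down's own entries for that category and that exactly one category was chosen. The menu contents, the exit choices and the `run_playbook` callback are constructed placeholders, not the poster's real playbooks.

```python
import json

# Constructed menu definition. The category names are the action parameters from
# the post; the playbook names under each category are placeholders.
MENU = {
    "WorkStation Playbooks": ["Isolate Host", "Collect Host Triage"],
    "Internal IP Playbooks": ["Lookup Internal Asset"],
    "External IP Playbooks": ["Enrich External IP", "Block External IP"],
    "URL Playbooks": ["Detonate URL"],
    "File Playbooks": ["Quarantine File"],
    "Hash Playbooks": ["Hash Reputation"],
    "User Playbooks": ["Disable User", "Reset Password"],
    "Escalation Playbooks": ["Close Case", "Escalate to IR",
                             "Escalate to Content Engineering"],
}

# Selections that leave the loop instead of relaunching the menu block (assumed names)
EXIT_CHOICES = {"Close Case", "Escalate to IR", "Escalate to Content Engineering"}


def parse_selection(result_json):
    """Return (category, playbook) from the menu action's JSON result.

    The action emits a list holding one dict whose keys are the menu categories
    and whose values are the chosen playbook or None. Exactly one category must
    be filled in, and its value must be on that category's allowlist; anything
    else is rejected instead of being dispatched.
    """
    results = json.loads(result_json)
    if not isinstance(results, list) or len(results) != 1:
        raise ValueError("expected a single-element result list")
    record = results[0]
    # str(None) in the comment text is "None"; treat that the same as a blank value
    chosen = [(cat, val) for cat, val in record.items()
              if val not in (None, "", "None")]
    if len(chosen) != 1:
        raise ValueError("expected exactly one selection, got %d" % len(chosen))
    category, playbook = chosen[0]
    if playbook not in MENU.get(category, []):
        raise ValueError("%r is not an allowed playbook in %s" % (playbook, category))
    return category, playbook


def run_menu_loop(selections, run_playbook):
    """Simulate the block: dispatch each selection and relaunch until an exit choice.

    `selections` is the sequence of JSON results the action would produce on
    successive launches; `run_playbook(category, playbook)` is the caller's
    dispatcher. Returns the ordered list of playbooks run and the choice that
    ended the loop (None if the sequence ran out, meaning the block would relaunch).
    """
    executed = []
    for result_json in selections:
        category, playbook = parse_selection(result_json)
        run_playbook(category, playbook)
        executed.append(playbook)
        if playbook in EXIT_CHOICES:
            return executed, playbook
    return executed, None


def make_result(category, playbook):
    """Build the JSON one launch of the menu action would emit for a single drop-down pick."""
    record = {cat: None for cat in MENU}
    record[category] = playbook
    return json.dumps([record])


if __name__ == "__main__":
    # Constructed analyst session: two enrichment steps, then close the case.
    session = [make_result("WorkStation Playbooks", "Isolate Host"),
               make_result("User Playbooks", "Disable User"),
               make_result("Escalation Playbooks", "Close Case")]
    ran, ended_by = run_menu_loop(session, lambda c, p: print("running %s (%s)" % (p, c)))
    print("executed:", ran, "ended by:", ended_by)
```

The allowlist check is the part worth keeping: the block should only ever dispatch names that the drop-down itself defines, so a malformed or edited result cannot steer it to an unintended playbook, and a selection in two categories at once is surfaced as an error rather than resolved by whichever branch happens to be checked first.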