Playbook Menu

mccrilb · 01-15-2023 09:25 AM

I wanted to share this to see if anyone is interested in this. Or if someone else has done something along these lines?

We have pull-downs where the analysts can select the action that they want to take.

Marek_Kreul

This looks awesome!

We've had some folder structure to organize the playbooks for the content engineers, but were not able to make use of it for the analysts as this folder structure was simply not available to them.

How did you achieve the separation shown in the screenshot? Are new playbooks "automagically" showing up there, or would someone have to edit the action in the backend to include each new playbooks?

Thanks for sharing!

Marek

mccrilb

As part of onboarding (we are new to this SOAR), we requested a multi-prompt closing playbook for the analysts. When I saw how they did it, I took that code and modified it. Here is what I used for the playbooks.

from SiemplifyUtils import output_handler

from ScriptResult import EXECUTION_STATE_COMPLETED, EXECUTION_STATE_INPROGRESS, EXECUTION_STATE_FAILED

from TIPCommon import extract_configuration_param, extract_action_param, construct_csv, add_prefix_to_dict

from SiemplifyAction import *

import json

@output_handler

def main():

try:

siemplify = SiemplifyAction()

WorkStation=extract_action_param(siemplify, param_name="WorkStation Playbooks",is_mandatory=False,default_value=None)

Internal_IP=extract_action_param(siemplify, param_name="Internal IP Playbooks",is_mandatory=False,default_value=None)

External_IP=extract_action_param(siemplify, param_name="External IP Playbooks",is_mandatory=False,default_value=None)

URL=extract_action_param(siemplify, param_name="URL Playbooks",is_mandatory=False,default_value=None)

File=extract_action_param(siemplify, param_name="File Playbooks",is_mandatory=False,default_value=None)

Hash=extract_action_param(siemplify, param_name="Hash Playbooks",is_mandatory=False,default_value=None)

User=extract_action_param(siemplify, param_name="User Playbooks",is_mandatory=False,default_value=None)

Escalation=extract_action_param(siemplify, param_name="Escalation Playbooks",is_mandatory=False,default_value=None)

comment="WorkStation Playbooks: "+str(WorkStation)+"\n"+"Internal IP Playbooks: "+str(Internal_IP)+"\n"+"External IP Playbooks: "+str(External_IP)+"\n"+"URL Playbooks: "+str(URL)+"\n"+"File Playbooks: "+str(File)+"\n" +"Hash Playbooks: "+str(Hash)+"\n" +"User Playbooks: "+str(User)+"\n"+"Escalation Playbooks: "+str(Escalation)+"\n"

json_results=[{"WorkStation Playbooks":WorkStation,

"Internal IP Playbooks":Internal_IP,

"External IP Playbooks":External_IP,

"URL Playbooks":URL,

"File Playbooks":File,

"Hash Playbooks":Hash,

"User Playbooks":User,

"Escalation Playbooks":Escalation

}]

siemplify.result.add_result_json(json.dumps(json_results))

siemplify.add_comment(comment)

output_message = "Comment added to case:\n %s" % comment

status=EXECUTION_STATE_COMPLETED

siemplify.end(output_message, True,status)

except Exception as e:

status = EXECUTION_STATE_FAILED

output_message = "failed to add comment"

siemplify.end(output_message, False, status)

if __name__ == '__main__':

main()

mccrilb

this is what it looks like

mccrilb

the lists are just your playbooks. For example, this is the WorkStation Playbooks. (I need to rename to Hosts, IDK what I was thinking)

mccrilb

Then the Block launches this function, checks the output, executes the selected playbook, and relaunches the block.

mccrilb

The only way out is to Close the case or Escalate to IR or Content Engineering. Which have their own menus.