Viewing playbook properties

Playbooks allow you to automate workflows and reduce the time it takes to process alerts and incidents.

To view a playbook, you must have one of the following roles: Main administrator, SOC administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst, SOC manager, Approver, Observer, Tenant administrator.

To view a playbook's properties:

1. In the main menu, go to Monitoring & reporting → Playbooks.
2. In the list of playbooks, click the name of the playbook that you want to view.

   The Playbook details window opens.

3. Switch between tabs to get information about the playbook.

General

The General tab contains the following information about the playbook:

• Tenant. Name of the tenant to which the playbook belongs.
• Tags. Tags assigned to the playbook.
• Description. Playbook description.
• Scope. Playbook scope. Possible values: Alert or Incident.
• Created. Date and time the playbook was created.
• Modified. Date and time of the last edit of the playbook.
• Trigger. Description of alerts or incidents that trigger the playbook. The trigger is described by using jq expressions.
• Algorithm. Description of response actions that are launched during the playbook execution. The algorithm is described by using JSON.

You can edit the playbook's properties by clicking the Edit button.

History

The History tab contains a table that lists all playbooks or response actions launched within the playbook. On this tab, you can view response history and terminate the launched playbooks or response actions by clicking the Terminate button. You can also view response history from the Response history section or from alert or incident details.

You can group and filter the data in the table as follows:

• Click the settings icon (), and then select the columns to be displayed in the table.
• Click the filter icon (), and then specify and apply the filter criterion in the invoked menu.

  When you apply the filter criterion for the Action status column, the table displays the manually launched responses whose status contains the selected value and the playbooks that include response actions whose status contains the selected value. It means that only the response actions of the playbook that meet the filter criterion will be displayed.

The filtered table of devices is displayed.

The table contains the following columns:

• Actions. Response action name.
• Response parameters. Response action parameters that are specified in the playbook algorithm.
• Start. Date and time the playbook or response action was launched.
• End. Date and time the playbook or response action was completed.
• Alert ID or Incident ID. ID that contains a link to the alert or incident details.
• Launched by. Name of the user who launched the playbook or response action.
• Approver. Name of the user who approved the launch of the playbook or response action.

  By default, this column is hidden. To display the column, click the settings icon (), and then select the Approver column.

• Approval time. Date and time when the user confirmed or rejected the launch of the playbook or response action.

  By default, this column is hidden. To display the column, click the settings icon (), and then select the Approval time column.

• Action status. Execution status of the playbook or response action. The following values can be shown in this column:
  • Awaiting approval—Response action or playbook awaiting approval for launch.
  • In progress—Response action or playbook is in progress.
  • Success—Response action or playbook is completed without errors or warnings.
  • Warning—Response action or playbook is completed with warnings.
  • Error—Response action or playbook is completed with errors.
  • Terminated—Response action or playbook is completed because the user interrupted the execution.
  • Approval time expired—Response action or playbook is completed because the approval time for the launch has expired.
  • Rejected—Response action or playbook is completed because the user rejected the launch.
• Playbook status. Execution status of the playbook. The following values can be shown in this column:
  • Awaiting approval—Playbook awaiting approval for launch.
  • In progress—Playbook is in progress.
  • Success—Playbook is completed without errors or warnings.
  • Warning—Playbook is completed with warnings.
  • Error—Playbook is completed with errors.
  • Terminated—Playbook is completed because the user interrupted the execution.
  • Approval time expired—Playbook is completed because the approval time for the launch has expired.
  • Rejected—Playbook is completed because the user rejected the launch.

  You can click the Playbook status value or the Action status value to open the window with the result of the playbook or the response action launch. The Launch ID can be used by Technical Support. If the status is In progress, you can view the Launch ID by hovering the mouse cursor over the icon next to the status.

• Assets. Number of the assets for which the playbook or response action is launched. You can click the link with the number of the assets to view the asset details. The field is empty, if the playbook or response action does not involve assets.

Changelog

The Changelog tab contains the history of playbook editing, including time, author, and description.

Page top