Connect Apps to Playbooks
A Playbook is a well-defined set of actions organized as a workflow to respond to an incident or a threat. You build a Playbook by defining a series of steps called Nodes (Action, Condition, Input, Memory). This article explains how to connect an app to your Playbook using the Action node, which is referred to as the App Action node.
In an App action node, you can specify the app and the action you want to perform for the identified use case.
For example, to connect the PhishTank app to a Playbook to check whether a URL is legitimate, analysts can add the App Action node to the Playbook, select PhishTank as the app, and select Check URL reputation as the action.
Before you Start
Install the required apps from the Appstore, or create custom apps that fit your requirements.
Ensure that the apps are in an Active state.
Configure one or more required instances for the app.
Steps
To add apps inside Playbooks:
Sign in to Orchestrate, and go to Main Menu > Manage Playbooks.
Click New Playbook to create a new Playbook, or open an existing Playbook.
Click the Add Node icon.
Drag and drop the App Action Node.
Search and select the required app and action from the dropdown list. Follow this procedure to add any number of app nodes into your Playbook.
Enter the app parameters as follows:
Choose an App-Action here: Define the following:
(i) Instance: Choose one or more instances on which the action runs. For example, Security Team.
(ii) Action retry counts: Configure the number of times the Playbook attempts to re-execute the node after it fails. For example, 5.
(iii) Intervals: Configure the interval, in seconds, that the Playbook waits before it attempts to re-execute a failed action. For example, 30.
Setup Input Data: Define the input data for the action to execute a defined task. For example, enter sample@sampledomain.com as an input to detect any phishing activity for the URL.
Setup Output Data: Confirm the following optional configurations:
(i) Save Output Node: Select this option to save the entire output data as JSON. The output data displays all the defined parameters.
(ii) Save Customized Results: Select this option to save filtered output results for an action node by defining specific parameters. Only filtered results can be used as input data for other nodes in the Playbook workflow.
Describe this Node: Enter a title and description. For example, enter "PhishTank URL Reputation" as the title and "This node uses PhishTank to detect potential phishing URLs" as the description.
Note
It is recommended to add relevant descriptions for nodes, as analysts use them for reference.
This way, you can add any number of apps inside your Playbook.