Create Playbook
Analysts can use the Playbook canvas to create Playbooks with no code or low code capabilities. Analysts can create Playbooks to build automated workflows in a step-by-step manner and using a drag-and-drop interface.
Before you Start
Ensure that your user group has permission to create Playbooks.
Ensure that you have identified the apps to use as part of the Playbook workflow.
If you need to use the existing playbooks, then ensure that you have identified the sub-playbooks to use as part of the Playbook workflow.
Steps
To create a playbook, follow these steps:
Go to Main Menu > Playbooks > Manage Playbooks.
In My Playbooks, click New Playbook.
Configure the Playbook Overview and specify the required details. For more information, see Playbook Overview.
In the canvas, build the Playbook by adding one or more of the following nodes:
Note
By default, the start node is added to the Playbook. For more information, see Start Node.
Pass the input and output data to the individual nodes. For more information, see Playbook Input and Output.
Connect the nodes and save the playbook using any one of the following options:
Save: Save changes made to a Playbook while keeping the Playbook canvas open.
Save as Version: Playbook version control helps analysts track and manage changes made to playbooks. Analysts can also roll back a playbook to a previously saved version. For more information on saving a playbook as a version, see Playbook Version Control.
Save and Exit: Save the Playbook and close the canvas.
Playbook is created with a unique ID. You can access the Playbook in Manage Playbooks > My Playbooks.
You can run the playbook directly to save the latest data and execute it automatically. Use one of the following options to run the playbook.
Run Playbook: Save changes and run the Playbook immediately. You can run the playbook to perform the automated tasks. For more information on executing playbooks, see Execute a Playbook.
Run with Input: Save the changes and run the playbook by providing input for playbook execution. This will open the Provide Input For Playbook Execution window when you can provide the following data as input for the playbook to run.
Manual Input: Select this option to provide JSON data as input for the playbook execution.
Event: Select this option to use event data as input for the playbook execution.
Playbook Run Logs: Select this option to use playbook run log data as input for the playbook execution.
Run with Previous Input: Save the changes and execute the playbook using the last input data provided for playbook execution.
We have created a step-by-step tutorial called My First Playbook - A Step-by-Step Tutorial to help you learn how to create a playbook.
Repeat Node Execution by Looping in Playbooks
Execute a node of a playbook in a loop to automate repetitive tasks and efficiently handle multiple data inputs in playbooks. This ensures that tasks are performed systematically on various inputs, such as lists of users, IP addresses, incidents, and more. You can achieve looping using the following ways:
Enable iteration over each item for a node: In an action node, go to Setup Input Data and enable the Iterate over each Item option to repeat the node execution over a list of input values. For example, this option executes the node for each entry in $LIST[john.doe@example.com, joe.doe@example.com, mark@example.com], enabling the node execution to loop through each entry.
Add a sub playbook: When you add a sub playbook to a playbook, you can enable the Iterate over each item option on the node connected to the sub playbook. For example, if you need to verify if IP addresses are malicious, add an action node to retrieve the IP addresses, and connect the action node to a sub-playbook containing the necessary nodes to check malicious activity. Ensure that you enable Iterate over each item for the action node.
Note
Linking nodes in a playbook to create loops is currently not supported.