Playbooks Overview

automation playbooks

In Automation, a playbook defines what actions to take and when to take them using one or more configured connections. This allows actions to be performed in your environment automatically based on your configuration. Playbooks are defined through playbook templates, some of which are provided by Secureworks, and some of which may be defined by your organization.

Example of a Completed Playbook

What Makes up a Playbook? ⫘

Playbooks are made up of a few essential components:

• Required Connections
• Trigger
• Inputs

Playbooks can be triggered by the XDR platform, by a user (as an action), or manually.

Required Connections ⫘

A typical playbook template contains one or more tasks, each of which calls upon a connector action. For that reason, most playbook templates require a connection to a connector that performs that action. When creating or configuring a playbook template, you must select a single connection for each connector that the template requires.

Trigger ⫘

A playbook by itself doesn’t provide any value until it is executed. Triggers within XDR are what typically cause the playbook to execute.

Trigger Type ⫘

There are two types of triggers currently supported by XDR:

• Platform — A trigger that occurs automatically when something happens in XDR
• User-initiated — A trigger that occurs when an end user selects an action

Source ⫘

All triggers contain a source. A trigger source defines the context within the XDR in which the trigger may be exposed to the end user. The trigger source also determines what data the playbook will receive as input.

Platform: Event ⫘

Platform triggers require the end user to define the event that will cause the playbook to execute. These events include create, update, and delete. This event applies within the source defined above. For example, a platform trigger with an alert2 source and a create event would cause the playbook to execute when an alert is created.

User-initiated: Category ⫘

Category defines the type of user-initiated trigger. The category is used to define where the user-initiated action appears within XDR. There are currently two supported values: Response Action and Lookup Contextual Information.

User-initiated: Name ⫘

The Name field on a user-initiated trigger allows the end user to define the name for the action within a menu in XDR.

Trigger Filter ⫘

The Trigger Filter field allows the end user to define custom criteria that must be true in order for the playbook to execute (if platform type) or for the action to appear (if user-initiated type). This field supports the Common Expression Language (CEL) as well as the inputs as defined by the source selected for the trigger. This field is not evaluated if the playbook is executed manually.

Inputs ⫘

Templates may require one or more inputs in order to configure the playbook to run as desired. Each template will contain documentation that describes the required inputs in more detail.

View Playbooks Overview ⫘

To view a summary of playbooks:

1. From the Secureworks® Taegis™ XDR side menu bar, select Automations > Playbooks.

2. The Playbooks overview is displayed.

The summary cards at the top of the Playbooks overview display the following counts:

• Total — The total number of playbook executions during the selected time period
• Completed — The number of playbook executions successfully completed during the selected time period
• Started — The number of playbooks executed during the selected time period currently in a Started state
• Failed — The number of playbook executions that failed during the selected time period
• Canceled — The number of playbook executions that were canceled during the selected time period

Use the date/time picker to change the displayed time period.

Playbook Summary Cards