Skip to main content
Solved

SOAR Playbook Customization

  • September 26, 2024
  • 6 replies
  • 227 views
GaurangPatel
Forum|alt.badge.img+4

Hi Guys,

I would like to know if the following customizations are possible in playbooks:

  1. Custom Code Execution: For example, is it possible to write Python code between two actions to convert the output of the first action into a different format for use in the second action?

  2. Use One Action’s Input Parameter Further in the Flow: My use case involves branching based on the input parameter from the first action. I am using the Siemplify "Change Stage" action with manual input, and further in the flow, I would like to make decisions based on the input selected for this action.  

  3. Capture Inputs: I need to gather some information from the user independently of any action, and then use that input in two or more actions.

Any feedback is appreciated.

@cmorris @f3rz 

Best answer by f3rz

Thanks, @f3rz , for the quick reply.

Yes, creating a new action is possible. However, after creating the integration, I will hand it over to the SOC analysts, who will create playbooks based on their use cases. They won’t have knowledge of how to create new integrations.

For the second question: from the documentation you shared, it states that you can select the required parameter. However, note that the drop-down will only show the script results from actions that are part of this playbook.

Previously, I created an playbook with Splunk SOAR, which provides the functionality mentioned above, independent of the integration. I wanted to check if Google SecOps SOAR has any native support for similar features.

Reference:

1. Custom Code Execution:https://docs.splunk.com/Documentation/SOAR/current/Playbook/CodeBlock

2. Capture Inputs:https://docs.splunk.com/Documentation/SOAR/current/Playbook/PromptBlock


1. You may explore the PowerUps we have. Some of them may transfer results from X to Y without requiring custom development. But if there's nothing for your usecase, there's no other choice rather than either request it as a Feature Request or make a custom action.

2. In flow you can use script results (json/text), selected parts of script results if this is JSON and also data from: cases, alerts, events, entity, environment and other parts of SOAR

 

Adding some screenshots for a context:

 

---
1. Custom code execution is not possible with a playbook. It will require creating an integration and action and then being added to a playbook. So, it will be a Feature Request.

2. Capture inputs is possible with setting action to manually and assign a user to it, and then user should do inputs based on action you selected to let playbook continue.

6 replies

f3rz
Staff
Forum|alt.badge.img+10
  • f3rz
  • Staff
  • September 26, 2024

Hi @GaurangPatel 

1. You can create your own integration and write a code using IDE feature and then use this code as actions in a playbook:
https://cloud.google.com/chronicle/docs/soar/respond/ide/using-the-ide

2. Flow might be enough for this, but if you looking for something way better e.g for dictionary to check against, it would be better to create a custom action that will do this decision and then make a flow that will do a choice based on a result from action
https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/using-flows-in-playbooks

3. You can assign some "manual" action within a playbook to a user and then user will need to input for a playbook to continue:
https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/using-actions-in-playbooks#assign-actions

GaurangPatel
Forum|alt.badge.img+4
  • GaurangPatelBronze 1
  • Author
  • Bronze 1
  • September 26, 2024

Thanks, @f3rz , for the quick reply.

Yes, creating a new action is possible. However, after creating the integration, I will hand it over to the SOC analysts, who will create playbooks based on their use cases. They won’t have knowledge of how to create new integrations.

For the second question: from the documentation you shared, it states that you can select the required parameter. However, note that the drop-down will only show the script results from actions that are part of this playbook.

Previously, I created an playbook with Splunk SOAR, which provides the functionality mentioned above, independent of the integration. I wanted to check if Google SecOps SOAR has any native support for similar features.

Reference:

1. Custom Code Execution:https://docs.splunk.com/Documentation/SOAR/current/Playbook/CodeBlock

2. Capture Inputs:https://docs.splunk.com/Documentation/SOAR/current/Playbook/PromptBlock

f3rz
Staff
Forum|alt.badge.img+10
  • f3rz
  • Staff
  • Answer
  • September 26, 2024

Thanks, @f3rz , for the quick reply.

Yes, creating a new action is possible. However, after creating the integration, I will hand it over to the SOC analysts, who will create playbooks based on their use cases. They won’t have knowledge of how to create new integrations.

For the second question: from the documentation you shared, it states that you can select the required parameter. However, note that the drop-down will only show the script results from actions that are part of this playbook.

Previously, I created an playbook with Splunk SOAR, which provides the functionality mentioned above, independent of the integration. I wanted to check if Google SecOps SOAR has any native support for similar features.

Reference:

1. Custom Code Execution:https://docs.splunk.com/Documentation/SOAR/current/Playbook/CodeBlock

2. Capture Inputs:https://docs.splunk.com/Documentation/SOAR/current/Playbook/PromptBlock


1. You may explore the PowerUps we have. Some of them may transfer results from X to Y without requiring custom development. But if there's nothing for your usecase, there's no other choice rather than either request it as a Feature Request or make a custom action.

2. In flow you can use script results (json/text), selected parts of script results if this is JSON and also data from: cases, alerts, events, entity, environment and other parts of SOAR

 

Adding some screenshots for a context:

 

---
1. Custom code execution is not possible with a playbook. It will require creating an integration and action and then being added to a playbook. So, it will be a Feature Request.

2. Capture inputs is possible with setting action to manually and assign a user to it, and then user should do inputs based on action you selected to let playbook continue.

    GaurangPatel
    Forum|alt.badge.img+4
    • GaurangPatelBronze 1
    • Author
    • Bronze 1
    • September 26, 2024

    Thanks, @f3rz.

    I almost got all the answers I needed, except for question two. I’m familiar with extracting data from cases, alerts, events, entities, environments, and other parts of SOAR. However, my question is: let’s say I’m adding some Root Cause in Action 1’s input parameter. Now, I want to use the same Root Cause in another action as well.

    While it seems possible to use the results from an earlier playbook action, the section in the screenshot you provided doesn’t seem to offer an option to use the input parameter from the first action directly in the second action. In other words, I want to reuse the same Root Cause in the input parameter of the second action.

    In the attached screenshots, you can see that I have provided the Root Cause for the first action. However, when I try to use the same Root Cause for Action 2, there is no option to do so. Only the result of the previous action can be used.

    f3rz
    Staff
    Forum|alt.badge.img+10
    • f3rz
    • Staff
    • September 26, 2024

    Thanks, @f3rz.

    I almost got all the answers I needed, except for question two. I’m familiar with extracting data from cases, alerts, events, entities, environments, and other parts of SOAR. However, my question is: let’s say I’m adding some Root Cause in Action 1’s input parameter. Now, I want to use the same Root Cause in another action as well.

    While it seems possible to use the results from an earlier playbook action, the section in the screenshot you provided doesn’t seem to offer an option to use the input parameter from the first action directly in the second action. In other words, I want to reuse the same Root Cause in the input parameter of the second action.

    In the attached screenshots, you can see that I have provided the Root Cause for the first action. However, when I try to use the same Root Cause for Action 2, there is no option to do so. Only the result of the previous action can be used.


    @GaurangPatel, it depends on how you add it, but overall, you may try to use these three approaches:

    1. Using Block inside your playbook with Input and Input can be used as a placeholder in the whole block
    2. Use Buffer action from Tools powerup to specify either JSON or Script result (plain text) and re-use it as action result in multiple actions. 
    https://cloud.google.com/chronicle/docs/soar/marketplace/power-ups/tools#buffer

    3. You may use multi-choice question from Flow with predefined answers

      GaurangPatel
      Forum|alt.badge.img+4
      • GaurangPatelBronze 1
      • Author
      • Bronze 1
      • September 26, 2024

      Let me check with Block and Buffer action.

      Thanks again @f3rz, It was really helpful. 

      Terms & ConditionsCookie settingsAccessibility statement
      Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

      © 2025 Google. All rights reserved.