Skip to main content

Table of Contents

Below you'll find a table of contents for the Configure Playbooks journey.

 

110566iE97FC1D37F0A457A.png

SecOps SOAR playbooks are the foundation of automation and orchestration of security process. Playbooks are used to define triggering conditions, such as events, or event combinations, and the automated actions to take in response to those triggers. SOAR playbooks do not eliminate the need for SecOps teams. Instead they augment the teams by providing rapid automated action, and offloading repetitive tasks. Overall this provides faster security response while freeing analysts to focus on more pressing or complex tasks.

 

Prerequisites

  • Entitlement for SecOps SOAR on the account and project
  • Administrative permissions to Chronicle SOAR
  • Administrative Access for any 3rd party applications that will be integrated with Chronicle SOAR via the Marketplace

 

Actions

110567i178BE6BCA36AC4F3.png

Define Trigger

A trigger specifies the instance for which a playbook must be triggered in case of an alert detection.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

  • Correct permissions to configure a playbook
Steps

  1. Create a new playbook.

  2. Select triggers from the Step Selection menu.

  3. Click Alert Type and drag it to the first step in the playbook.

  4. Double-click on it to open a new Alert Type dialog.

  5. Under Parameters, select either Equal, Contains, or Starts With from the menu.

  6. Select the required parameter from the menu. In this case, we have chosen an alert type based on any alert that contains phishing email detector. Once you specify the trigger parameter and save it, the parameter name appears in the description of the trigger.

  7. Click Save. The specified trigger parameter is saved and you return to the Playbooks page where you can define the next set of componenets (actions and flow) for the playbook.

Relevant Links

 

 

110568i71A6FEC99C4DFFCD.png

Define Actions

Actions are the next set of components that you can define for a playbook. Each action is categorized under an Integration in the system. They include tasks or actions to be performed by the playbook.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

  • Proper permissions to configure a playbook
  • Integrations downloaded and configured from the Chronicle Marketplace
Steps

  1. In the Playbooks screen, click Open Step Selection.

  2. Search for and select the Action you wish to add and drag it into the Playbook at the appropriate interval between other steps.

  3. Double-click on the Action item.

  4. Fill out the required fields.

  5. Choose the Instance to use for this Playbook. Specify the instances the action will run on. | Docs

  6. Click Save.

Relevant Links

 

 

110569i3A5214440332FFB9.png

Define Flows

The Flow component determines the next steps of a playbook by forcing the flow into decisions. This is executed by utilizing a branching system.

Steps

  1. In the Playbooks screen, click Open Step Selection.

  2. Select the Flow section.

  3. Drag-and-Drop the Condition into the step or between two actions.

  4. Double-click on the Condition.

  5. Select the required Entities.

  6. Decide how many branches you want to create.

    1. Note: Each branch has an

      OR

      between them.

  7. Select the parameter(s) for each branch.

  8. Define a "fallback branch" to avoid a failed condition.

  9. Click Save.

Relevant Links

 

 

110570i5A2D4EBEA2DAF140.png

Test Playbook with Simulator

The Playbook simulator provides you with a revolutionary way to develop Playbooks in less time and with less effort. Allowing you to work in a pre-production environment where you can test your actions and play with the results without affecting production.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

  • Access to Playbooks
  • Existing Cases for simulation
Steps

  1. In the Chronicle UI, choose the Playbooks tab.

  2. Click on a Playbook to open it in the editor.

  3. Turn on the Simulator Switch in the top right.

    1. You'll notice in the top center that there is a green notification that appears when the simulator is on.

    2. Additionally, there is a content window at the bottom which allows you to run the simulation against an existing case.

  4. Select an existing case and walk through your playbook to see how it would react to that case.

  5. The simulator will allow you to take a case and see exactly what would have happened for the playbook in question when that case occurred. This allows you to account for additional scenarios in your playbooks for future cases by testing in a pre-production environment.

Relevant Links

 

Be the first to reply!

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.