})
+1. In [Step 4: Playbook](/docs/alerts/monitors/create-monitor/#step-4-playbook-optional), click the field under **Automated Playbooks** to select a [playbook in the Automation Service](/docs/platform-services/automation-service/playbooks/) to run when an alert is fired. }){kind=icon}
| Completed |
| }){kind=icon}
| Completed with errors |
-1. Click the playbook name to open the [playbook in the Automation Service](/docs/platform-services/automation-service/automation-service-playbooks/). })
+1. Click the playbook name to open the [playbook in the Automation Service](//docs/platform-services/automation-service/playbooks/). })
1. If you have an action marked as **Waiting Owner**, perform the steps needed to complete the **Action Task**. When done, click the appropriate button at the bottom of the **Waiting Owner** action box (**Approve**, **Approve & Close**, or **Reject**). The action completes, and the subsequent remaining actions in the playbook run.})
1. Address any other actions in the playbook that need attention. For example, click and open any failed actions to see why they failed and to determine what you need to do to get them to complete successfully.
@@ -136,7 +136,7 @@ Sample playbooks to attach to monitors include:
### Create playbooks for monitors
-To create a playbook so you can add it to a monitor, see [Create a new playbook](/docs/platform-services/automation-service/automation-service-playbooks/#create-a-new-playbook). As a best practice, whenever you want to create a new playbook, select an existing playbook to serve as the template for the new playbook and click the **Duplicate** button to copy it.
+To create a playbook so you can add it to a monitor, see [Create a new playbook](/docs/platform-services/automation-service/playbooks/create-playbooks/#create-a-new-playbook). As a best practice, whenever you want to create a new playbook, select an existing playbook to serve as the template for the new playbook and click the **Duplicate** button to copy it.
})
@@ -157,7 +157,7 @@ Some integrations that have useful actions for monitors include:
### Pass custom fields from a monitor to playbooks
-Results from an alert query are passed to a playbook through the [alert payload](/docs/platform-services/automation-service/automation-service-playbooks/#alert-payload). The variables from the payload can be used as inputs for different nodes in the playbook after they are defined as parameters in the start node.
+Results from an alert query are passed to a playbook through the [alert payload](/docs/platform-services/automation-service/playbooks/playbook-payloads/#alert-payload). The variables from the payload can be used as inputs for different nodes in the playbook after they are defined as parameters in the start node.
:::note
You must use [alert grouping](/docs/alerts/monitors/alert-grouping/) in the monitor configuration to pass fields from the query to the playbook.
@@ -167,12 +167,12 @@ You must use [alert grouping](/docs/alerts/monitors/alert-grouping/) in the moni
1. Click **Edit** on the Start Node.
1. Select **Alert** from the dropdown. })
-1. The parameters from the default [alert payload variables](/docs/platform-services/automation-service/automation-service-playbooks/#alert-payload) will be defined, along with some placeholders for custom fields that may be passed from the alert query. To reference a field passed from the alert query, use `customPlaceholderMap[].FIELDNAME`.
+1. The parameters from the default [alert payload variables](/docs/platform-services/automation-service/playbooks/playbook-payloads/#alert-payload-variables) will be defined, along with some placeholders for custom fields that may be passed from the alert query. To reference a field passed from the alert query, use `customPlaceholderMap[].FIELDNAME`.
#### Configure parameters from a JSON payload
1. Click **Edit** on the Start Node.
1. Select **Parse from Json** from the dropdown. })
-1. Copy the payload from a previously triggered automation. You can view the playbook payload of a previously triggered alert by following the steps [here](/docs/platform-services/automation-service/automation-service-playbooks/#alert-payload).
+1. Copy the payload from a previously triggered automation. You can view the playbook payload of a previously triggered alert by following the steps [here](/docs/platform-services/automation-service/playbooks/playbook-payloads/#view-an-alert-payload).
1. Paste the payload into the **Enter Json payload** text box and click **Parse**. The fields from the payload will be auto parsed to parameters. })
1. Add or remove parameters based on the playbook requirements and click **Update**. })
diff --git a/docs/cloud-soar/automation.md b/docs/cloud-soar/automation.md
index 1443c0a60a..39d81404e6 100644
--- a/docs/cloud-soar/automation.md
+++ b/docs/cloud-soar/automation.md
@@ -20,14 +20,14 @@ Because Cloud SOAR provides automation functionality to the [Automation Service]
* [Automation bridge](/docs/platform-services/automation-service/automation-service-bridge)
* [Integration framework](/docs/platform-services/automation-service/integration-framework/)
* [Audit logging](/docs/platform-services/automation-service/automation-service-audit-logging)
-* [Playbooks](/docs/platform-services/automation-service/automation-service-playbooks/). (For information specific to running playbooks in Cloud SOAR, see [Run playbooks in Cloud SOAR](#run-playbooks-in-cloud-soar) below.)
+* [Playbooks](/docs/platform-services/automation-service/playbooks/). (For information specific to running playbooks in Cloud SOAR, see [Run playbooks in Cloud SOAR](#run-playbooks-in-cloud-soar) below.)
The following sections describe automation features only used in Cloud SOAR.
## Run playbooks in Cloud SOAR
In Cloud SOAR, playbooks are run from [incidents](/docs/cloud-soar/incidents-triage/#incidents). To run playbooks in Cloud SOAR, perform the following steps:
-1. [Create a playbook](/docs/platform-services/automation-service/automation-service-playbooks/#create-a-new-playbook) to use in incident response. When you create the playbook, do the following:
+1. [Create a playbook](/docs/platform-services/automation-service/playbooks/create-playbooks/#create-a-new-playbook) to use in incident response. When you create the playbook, do the following:
1. Click the **Edit** icon on the **Start** node:})
})
})
1. When done, your automation rule should look something like this. Note that your automation rule should have the **Add to Triage** action in order to add events to triage.})
1. Create playbooks with the custom playbook type you created in step 1 above (for example, *Custom Triage*):
- 1. [Create a new playbook](/docs/platform-services/automation-service/automation-service-playbooks/#create-a-new-playbook).
+ 1. [Create a new playbook](/docs/platform-services/automation-service/playbooks/create-playbooks/#create-a-new-playbook).
1. In the **Type** field of the **New Playbook** dialog, select the custom playbook type you created earlier (for example, *Custom Triage*).
1. Configure the playbook to run actions on the triage event. For example, you could add actions from the [Triage Tools](/docs/platform-services/automation-service/app-central/integrations/triage-tools/) integration to do things like discard the triage event, grab or reassign the triage event, or convert the triage to an incident.
1. Enable the playbook.
diff --git a/docs/cloud-soar/introduction.md b/docs/cloud-soar/introduction.md
index 85d46187bd..7a22059a2a 100644
--- a/docs/cloud-soar/introduction.md
+++ b/docs/cloud-soar/introduction.md
@@ -400,7 +400,7 @@ In addition to settings, Cloud SOAR administrators have privileged access to the
Within Automation, you’ll see subsections for:
* [App Central](/docs/platform-services/automation-service/app-central/). A large out-of-the-box library of playbooks, integrations, and use cases for different threats to get you started with orchestrating and automating your SOC.
-* [Playbooks](/docs/platform-services/automation-service/automation-service-playbooks/). Allows you to create new playbooks and edit, delete, and manage existing ones.
+* [Playbooks](/docs/platform-services/automation-service/playbooks/). Allows you to create new playbooks and edit, delete, and manage existing ones.
* [Template](/docs/cloud-soar/automation/#incident-templates). Allows you to create new incident templates and edit, delete, and manage existing ones.
* [Integrations](/docs/platform-services/automation-service/automation-service-integrations/). Lets you connect third party tools through APIs.
* [Rules](/docs/cloud-soar/automation/#automation-rules). Lets you create new automation rules.
@@ -531,7 +531,7 @@ Let's walk through how to install and configure useful integrations through App
#### Playbooks
-Once you’ve identified a potential security incident, you can respond to it in Cloud SOAR by executing a playbook. Playbooks are automated, or partially automated, workflows that act based on information from an incident. The playbook can enrich data, contain threats, notify teams, and other actions with custom APIs. These actions help automatically orchestrate many parts of the investigation, containment, eradication, and recovery processes. For more information, see [Playbooks](/docs/platform-services/automation-service/automation-service-playbooks/).
+Once you’ve identified a potential security incident, you can respond to it in Cloud SOAR by executing a playbook. Playbooks are automated, or partially automated, workflows that act based on information from an incident. The playbook can enrich data, contain threats, notify teams, and other actions with custom APIs. These actions help automatically orchestrate many parts of the investigation, containment, eradication, and recovery processes. For more information, see [Playbooks](/docs/platform-services/automation-service/playbooks/).
Custom playbooks allow you to automate any task that uses a custom API. You can also use them to automate tasks that aren’t part of the hundreds of default playbooks included in Cloud SOAR.
diff --git a/docs/cloud-soar/menus.md b/docs/cloud-soar/menus.md
index ae98ccd74d..96c8b2ac46 100644
--- a/docs/cloud-soar/menus.md
+++ b/docs/cloud-soar/menus.md
@@ -38,7 +38,7 @@ Click **Automation** in the main Sumo Logic menu to open the sidebar menu.})
})
diff --git a/docs/cse/automation/automations-in-cloud-siem.md b/docs/cse/automation/automations-in-cloud-siem.md
index 33cc559dfe..54d36f445c 100644
--- a/docs/cse/automation/automations-in-cloud-siem.md
+++ b/docs/cse/automation/automations-in-cloud-siem.md
@@ -37,16 +37,16 @@ The first thing you need to do is decide what actions you want to use in your pl
Now that you have the names of the actions you want to use, you can add them to your playbook.
-1. [Create a new playbook](/docs/platform-services/automation-service/automation-service-playbooks#create-a-new-playbook). When you create a playbook, you can select the **Type** as **CSE** to indicate that the playbook will be used for a Cloud SIEM automation.
+1. [Create a new playbook](/docs/platform-services/automation-service/playbooks/create-playbooks/#create-a-new-playbook). When you create a playbook, you can select the **Type** as **CSE** to indicate that the playbook will be used for a Cloud SIEM automation.
1. Click **Add Node**.
-1. Choose [**Action**](/docs/platform-services/automation-service/automation-service-playbooks#add-an-action-node-to-a-playbook) as the type of node to add.
+1. Choose [**Action**](/docs/platform-services/automation-service/playbooks/create-playbooks/#add-an-action-node-to-a-playbook) as the type of node to add.
1. In the **Action** field, select the name an action you identified in Step 1.
1. As soon as you choose the action, the **Resource** field displays the name of the resource. Verify that the name of the resource matches what you noted in Step 1.
1. Fill out the rest of the fields in the **Add Node** dialog to configure the action to behave the way you want.
1. Click **Create**. The node is added to the playbook.
1. Repeat to add more actions to the playbook. If desired, add conditions.
1. Click **Save** to save your changes.
-1. To [test the playbook](/docs/platform-services/automation-service/automation-service-playbooks/#test-a-playbook), click the kebab button in the upper-right of the UI and select **Run Test**.
+1. To [test the playbook](/docs/platform-services/automation-service/playbooks/troubleshoot-playbooks/#test-a-playbook), click the kebab button in the upper-right of the UI and select **Run Test**.
1. When you're ready to let the playbook be used in automations, click **Publish**.
### Step 3: Add the playbook to an automation
@@ -213,7 +213,7 @@ Though you can create your own playbooks, the Automation Service provides the fo
To continue getting the same behavior found in the legacy actions and enrichments, in addition to using installed playbooks, you can add the corresponding new actions to playbooks you create.
-For directions to add an action to a playbook, see [Add an action node to a playbook](/docs/platform-services/automation-service/automation-service-playbooks/#add-an-action-node-to-a-playbook). For examples, see [Cloud SIEM Automation Examples](/docs/cse/automation/cloud-siem-automation-examples/).
+For directions to add an action to a playbook, see [Add an action node to a playbook](/docs/platform-services/automation-service/playbooks/create-playbooks/#add-an-action-node-to-a-playbook). For examples, see [Cloud SIEM Automation Examples](/docs/cse/automation/cloud-siem-automation-examples/).
#### Legacy actions
diff --git a/docs/cse/automation/cloud-siem-automation-examples.md b/docs/cse/automation/cloud-siem-automation-examples.md
index c22d5c65f6..89f39163b6 100644
--- a/docs/cse/automation/cloud-siem-automation-examples.md
+++ b/docs/cse/automation/cloud-siem-automation-examples.md
@@ -59,7 +59,7 @@ The following example shows how to add an enrichment to an insight using the “
1. Click and hold on the right semicircle of the new **Add Insight Enrichment** node and drag to the semicircle of the **END** node and release. The playbook is complete.
1. Save the playbook:
1. Click the **Save** button (floppy disk icon) at the bottom of the playbook view.
- 1. To [test the playbook](/docs/platform-services/automation-service/automation-service-playbooks/#test-a-playbook), click the kebab button in the upper-right of the UI and select **Run Test**.
+ 1. To [test the playbook](/docs/platform-services/automation-service/playbooks/troubleshoot-playbooks/#test-a-playbook), click the kebab button in the upper-right of the UI and select **Run Test**.
1. Click the **Publish** button (clipboard icon) at the bottom of the playbook view. The playbook should look like this:})
1. Create an automation in Cloud SIEM to run the playbook:
1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Cloud SIEM**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**. })
1. Create an automation in Cloud SIEM to run the playbook:
1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Cloud SIEM**, and then under **Cloud SIEM Integrations** select **Automation**. })
1. Create an automation in Cloud SIEM to run the playbook:
1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Cloud SIEM**, and then under **Cloud SIEM Integrations** select **Automation**. })
1. Create an automation in Cloud SIEM to run the playbook:
1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Cloud SIEM**, and then under **Cloud SIEM Integrations** select **Automation**.})
-* [**Playbook**](/docs/platform-services/automation-service/automation-service-playbooks). Shows playbooks, which are workflows you can run to perform automations. })
-* [**Integration**](/docs/platform-services/automation-service/automation-service-integrations.md). Lists integrations with Sumo Logic and third-party vendors that provide actions used in playbooks. })
-* [**Bridge**](/docs/platform-services/automation-service/automation-service-bridge.md). Shows connections between on-premises servers and the Sumo Logic cloud. A bridge allows you to create a custom integration in your own system and use it to for automation. })
+* [**Playbook**](/docs/platform-services/automation-service/playbooks/). Shows playbooks, which are workflows you can run to perform automations. })
+1. Select an integration to see the actions on the resource. You call these actions when you [add an action node to a playbook](/docs/platform-services/automation-service/playbooks/create-playbooks/#add-an-action-node-to-a-playbook).})
- If you choose a duplicated resource when you [add an acton node to a playbook](/docs/platform-services/automation-service/automation-service-playbooks/#add-an-action-node-to-a-playbook), the actions available will be the ones belonging to the duplicated resource. The following example shows selecting an action from a duplicated resource.})
+ If you choose a duplicated resource when you [add an acton node to a playbook](/docs/platform-services/automation-service/playbooks/create-playbooks/#add-an-action-node-to-a-playbook), the actions available will be the ones belonging to the duplicated resource. The following example shows selecting an action from a duplicated resource.})
-1. In the **Input** panel, enter variables to test the node. When you click **SAVE & RUN TEST**, results of the test appear in the **Output** panel.Ensure that you enter valid variables for the kind of inputs you need to test. Following are examples with different node types: - * **Action**
In the following example that uses input from insights, we provide an insight ID. The output shows the result of the action.
})
- * **Condition**In the following example that uses input from reputation vendors, we provide reputation scores. The output shows the result of the condition.
})
- * **User choice**In the following example that uses user input data, we provide an email address. The output provides the resulting user choice. Click the user choice options to test whether they work as expected.
})
- * **Task**In the following example that uses incident input data, we provide a mock template name. The output provides the resulting task. Click the task options to test whether they work as expected.
})
-1. Examine the results in the **Output** panel and take any action needed to troubleshoot node operation:
- * Click the information button }){kind=icon}
to see information on the test run:})
- * Click the **JSON details** button }){kind=icon}
to see the JSON output:})
-1. Continue testing the node and making changes as needed in the node's configuration. When done, click **Save**.
-1. Test each node in your playbook that has the **Test Node** button (action, condition, user choice, and task). In each node, enter variables in the **Input** panel and examine the results in the **Output** panel to ensure the node works correctly.
-
-After you're done testing individual nodes, test the entire playbook to ensure it runs end-to-end (see [Test a playbook](#test-a-playbook)).
-
-### Test a playbook
-
-You can test a playbook to verify that it works properly. The test results show the outcome as if the playbook actually ran.
-
-1. Select a playbook.
-1. Click the kebab button in the upper-right corner of the UI.
-1. Select **Run Test**. })
-1. In the **Test playbook** dialog, enter the requested information and click **Run**. })
-1. The results of the test are displayed in a new window labeled with the playbook name and **(RUN TEST)**. })
-1. Click the clock icon in the upper-right corner to see the testing history. Select **Latest actions** to see test results for all the actions on the playbook, or select items on the list to see results for individual actions. })
-
-## Playbook payloads
-
-When a playbook is run, a payload is passed from the initial object to the playbook (for example, from an alert, entity, or Insight). The variables in the payload can be assigned to parameters and used as inputs for different actions in the playbook.
-
-You select the initial object to use for the payload when you [create a playbook](#create-a-new-playbook). In the **Add one or more params as a playbook input** field, you select the kind of trigger that will execute the playbook: })
- * **Insight**. An [Insight](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/) from an [automation in Cloud SIEM](/docs/cse/automation/automations-in-cloud-siem/).
- * **Entity**. An [entity](/docs/cse/records-signals-entities-insights/view-manage-entities/) from an [automation in Cloud SIEM](/docs/cse/automation/automations-in-cloud-siem/).
- * **Alert**. An [alert](/docs/alerts/) from an [automated playbook in a monitor](/docs/alerts/monitors/use-playbooks-with-monitors/).
- * **Parse from json**. A payload from a [parent playbook](/docs/platform-services/automation-service/automation-service-playbooks/#add-a-playbook-node-to-a-playbook). You can also select this option if you want to pass a custom payload from an alert.
- * Leave blank if the trigger will be a Cloud SOAR [incident or triage](/docs/cloud-soar/incidents-triage).
-
-:::note
-If you are using [nested playbook nodes](/docs/platform-services/automation-service/automation-service-playbooks/#add-a-playbook-node-to-a-playbook), then you will need to configure the parameters of the Start Node in the child playbook to include the outputs of the parent playbook that are passed to the child playbook. It is not recommended to use parameter arrays (for example, `signals[].id`) as the Start Node parameters for the child playbook; you should use a standard parameter names instead (for example, `signals.id`).
-:::
-
-Following are examples of payloads from different trigger types:
-* [Alert payload](#alert-payload)
-* [Entity payload](#entity-payload)
-* [Insight payload](#insight-payload)
-
-### Alert payload
-
-#### View an alert payload
-
-1. Access the [alert list](/docs/alerts/monitors/alert-response/#alert-list).
-1. Open an alert that uses a playbook.
-1. On the alert details page, click the **Playbooks** button to see [automated playbooks](/docs/alerts/monitors/use-playbooks-with-monitors/#view-automated-playbooks-for-an-alert) attached to the alert. })
-1. Click the playbook name. The playbook opens in the Automation Service.
-1. To view the playbook's payload, click **>** to the right of the playbook name. })
The alert payload appears.
})
-
-#### Alert payload variables
-
- The following variables are passed in the payload from an alert to a playbook.
-
-| Variable | Description |
-| :-- | :-- |
-|`​​Id`|The unique identifier for alert that triggered the playbook.|
-|`Name`|The name of the monitor.|
-|`Query`|The query used in the monitor.|
-|`QueryURL`|The URL to the logs or metrics query within Sumo Logic.|
-|`AlertName`|The name of the alert.|
-|`SourceURL`|The URL to the configuration or status page of the monitor in Sumo Logic.|
-|`AlertGroup`|The alert grouping that triggered the alert, including associated values for that field.|
-|`Description`|The description of the monitor.|
-|`MonitorType`|The type of alert, either `Logs` or `Metrics`.|
-|`ResultsJson`|JSON object containing the query results that triggered the alert.|
-|`TriggerTime`|The date and time the query triggered the alert.|
-|`TriggerType`|The status of the alert or recovery. Alert will have a status of `Normal`, `Critical`, `Warning`, or `Missing Data`. Recovery will have a status of `ResolvedCritical`, `ResolvedWarning`, or `ResolvedMissingData`.|
-|`TriggerValue`|The value that triggered the alert.|
-|`Notifications`|The details for the notifications configured in the monitor.|
-|`NumRawResults`|Number of results returned by the search.|
-|`DetectionMethod`|The type of detection method used to detect alerts. Values are based on static or outlier triggers and data type, either logs or metrics. The value will be `LogsStaticCondition`, `MetricsStaticCondition`, `LogsOutlierCondition`, `MetricsOutlierCondition`, `LogsMissingDataCondition`, or `MetricsMissingDataCondition`.|
-|`NumQueryResults`|The number of results the query returned.|
-|`SloDashboardURL`|The URL to the SLO dashboard.|
-|`TriggerQueryURL`|The URL to the log search for the query that triggered the alert.|
-|`AlertResponseURL`|The URL to the alert page for the corresponding alert ID.|
-|`TriggerCondition`|The condition that triggered the alert.|
-|`TriggerTimeRange`|The time range of the query that triggered the alert.|
-|`ResultsJsonParsed`|The parsed fields from `ResultsJson`.|
-|`AggregateResultsJson`|JSON object containing the query results that triggered the alert, along with aggregate values such as message count.|
-|`customPlaceholderMap`|The parsed fields from `ResultsJson` and the aggregate values returned from the query. The fields specific to the query that triggered the alert can be referenced by using `customPlaceholderMap`. For example, if the result of the query includes a field named `user_name`, this can be referenced by calling `customPlaceholderMap[].user_name`.|
-|`AggregateResultsJsonParsed`|The parsed fields from `AggregateResultsJson`.|
-
-#### Alert payload example
-
-```json
-{
- "Id": "00000000016CCCDD",
- "Name": "Amazon Guard Duty Brute Force",
- "Query": "_sourceCategory=Labs/AWS/GuardDuty_V3 | parse \"{\\\"key\\\":\\\"Owner\\\",\\\"value\\\":\\\"*\\\"}\" as owner_key | json field=_raw \"service.action.networkConnectionAction.remotePortDetails.portName\"as port_name | json field=_raw \"service.action.networkConnectionAction.remotePortDetails.port\" as port | json field=_raw \"service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\" as ip_address | json field=_raw \"accountId\", \"region\", \"partition\", \"id\", \"arn\", \"type\",\"service.serviceName\",\"service.detectorId\",\"service.action\",\"severity\",\"title\",\"description\", \"vpcId\", \"subnetId\", \"groupId\" , \"tags\", \"groupName\", \"resource.instanceDetails.instanceId\" as account_id, region, partition, id, arn, type, service_name, detector_id, action, severity, title, description, vpcId, subnetId , securityGroupId, tags, securityGroupName, instanceid nodrop | where type matches \"*BruteForce*\" | count by instanceid, ip_address, port, port_name, owner_key",
- "QueryURL": "https://live.us2.sumologic.com/ui/index.html#/search/1IzrB2mrW6L7egF1GY3zwnqJW663xPamyh9oe1AcFBanRckiRpXQiuPU2hOngFWnHO9bOLhpZ1GnssHTKtQpcLPBAOBp8wwW9VerT83Fj77k6hXQqMl5lI3tqsPv5bMG",
- "AlertName": "Amazon GuardDuty Brute Force Finding",
- "SourceURL": "https://live.us2.sumologic.com/ui/#/alerts/unified-monitors/00000000000007A0?selectedRows=0000000000593B6D",
- "AlertGroup": "instanceid=i-F56tg45tty5gfgd45",
- "Description": "",
- "MonitorType": "Logs",
- "ResultsJson": "[{\"Count\":1,\"instanceid\":\"i-F56tg45tty5gfgd45\",\"ip_address\":\"78.24.180.93\",\"owner_key\":\"security@lxechip.com\",\"port\":\"22\",\"port_name\":\"SSH\"}]",
- "TriggerTime": "05/01/2024 02:08:46 PM CDT",
- "TriggerType": "Critical",
- "TriggerValue": 1,
- "Notifications": [
- {
- "notification": {
- "images": [],
- "subject": "Monitor Alert: {{TriggerType}} on {{AlertName}}",
- "actionId": -4194941809035894000,
- "jsonClass": "EmailAction",
- "ccRecipients": [],
- "templateName": "Default Unified Monitor Email With Alert Response Variables",
- "toRecipients": [
- "example@sumologic.com"
- ],
- "bccRecipients": [],
- "relatedContent": [],
- "emailBodyMessage": ""
- },
- "runForTriggerTypes": [
- "Critical"
- ]
- }
- ],
- "NumRawResults": "45",
- "DetectionMethod": "LogsStaticCondition",
- "NumQueryResults": "1",
- "SloDashboardURL": "",
- "TriggerQueryURL": "https://live.us2.sumologic.com/ui/index.html#/search/1IzrB2mrW6L7egF1GY3zwnqJW663xPamyh9oe1AcFBanRckiRpXQiuPU2hOngFWnHO9bOLhpZ1GnssHTKtQpcLPBAOBp8wwW9VerT83Fj77k6hXQqMl5lI3tqsPv5bMG",
- "AlertResponseURL": "https://live.us2.sumologic.com/ui/#/alert/00000000016CCCDD",
- "TriggerCondition": "ResultCount is Greater than 0.0 in the last 1440 minutes",
- "TriggerTimeRange": "04/30/2024 02:06:46 PM CDT to 05/01/2024 02:06:46 PM CDT",
- "ResultsJsonParsed": [
- {
- "port": "22",
- "Count": 1,
- "owner_key": "security@example.com",
- "port_name": "SSH",
- "instanceid": "i-F56tg45tty5gfgd45",
- "ip_address": "78.24.180.93"
- }
- ],
- "AggregateResultsJson": "[{\"Count\":1,\"instanceid\":\"i-F56tg45tty5gfgd45\",\"ip_address\":\"78.24.180.93\",\"owner_key\":\"security@lxechip.com\",\"port\":\"22\",\"port_name\":\"SSH\"}]",
- "customPlaceholderMap": [
- {
- "port": "22",
- "Count": "1",
- "_count": "1",
- "owner_key": "security@example.com",
- "port_name": "SSH",
- "instanceid": "i-F56tg45tty5gfgd45",
- "ip_address": "78.24.180.93"
- }
- ],
- "AggregateResultsJsonParsed": [
- {
- "port": "22",
- "Count": 1,
- "owner_key": "security@example.com",
- "port_name": "SSH",
- "instanceid": "i-F56tg45tty5gfgd45",
- "ip_address": "78.24.180.93"
- }
- ]
-}
-```
-
-### Entity payload
-
-#### View an entity payload
-
-1. Open an [entity](/docs/cse/records-signals-entities-insights/view-manage-entities/) that uses playbooks (that is, that has [automations](/docs/cse/automation/automations-in-cloud-siem)).
-1. Click the **Automations** button at the top of the entity details page to view the automations on the entity. })
-1. Click **View Playbook** on an automation. The automation's playbook opens in the Automation Service.
-1. To view the playbook's payload, click **>** to the right of the playbook name. })
The entity payload appears.
})
-
-#### Entity payload variables
-
-| Variable | Description |
-| :-- | :-- |
-| `​​Id` | The unique ID of the [entity](/docs/cse/records-signals-entities-insights/view-manage-entities) whose information is provided in the payload.|
-| ​`name` | The entity’s name. ​|
-| `tags`​ | [Tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules) attached to the entity.​ |
-| `value` | The value of the entity. |
-| `hostname` ​| The hostname of the entity (if the entity is an item that can have a hostname, such as a computer). ​|
-| `lastSeen` ​| When the entity was last seen in a record. ​|
-| `firstSeen` ​| When the entity was first seen in a record. ​|
-| `inventory` ​| The [inventory source](/docs/cse/administration/inventory-sources-and-data/) for the entity (if it originated in an inventory). ​|
-| `entityType` ​| The [type of entity](/docs/cse/records-signals-entities-insights/view-manage-entities/#about-entities). ​|
-| `macAddress` ​| The [medium access control (MAC) address](https://en.wikipedia.org/wiki/MAC_address) assigned to the entity (if the entity is a piece of hardware). ​|
-| `reputation` ​| The reputation score for the entity. ​|
-| `sensorZone` ​| [Sensor zone](/docs/cse/administration/using-sensor-zones/) for the entity. ​|
-| `criticality` | The [criticality](/docs/cse/records-signals-entities-insights/entity-criticality/) of the entity. |
-| `isSuppressed` | Whether the [entity is suppressed](/docs/cse/records-signals-entities-insights/about-signal-suppression/#suppress-by-entity). |
-| `activityScore` | The entity’s [activity score](/docs/cse/get-started-with-cloud-siem/insight-generation-process/#understanding-entity-activity-scores). |
-| `recentSignalSeverity` | The most recent [severity](/docs/cse/get-started-with-cloud-siem/insight-generation-process/#about-insight-severity) of the signal that the entity appeared on. |
-
-#### Entity payload example
-
-```json
-{
- "id": "_ip-198.51.100.0",
- "name": "198.51.100.0",
- "tags": [],
- "value": "198.51.100.0",
- "hostname": null,
- "lastSeen": "2024-08-30T13:36:18",
- "firstSeen": null,
- "inventory": [],
- "entityType": "_ip",
- "macAddress": null,
- "reputation": null,
- "sensorZone": null,
- "criticality": null,
- "isSuppressed": false,
- "activityScore": 12,
- "recentSignalSeverity": 12
-}
-```
-
-### Insight payload
-
-#### View an Insight payload
-
-1. Open an [Insight](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/) that uses playbooks (that is, that has [automations](/docs/cse/automation/automations-in-cloud-siem)).
-1. Click the **Automations** button at the top of the Insight details page to view the automations on the Insight. })
-1. Click **View Playbook** on an automation. The automation's playbook opens in the Automation Service.
-1. To view the playbook's payload, click **>** to the right of the playbook name. })
The Insight payload appears.
})
-
-#### Insight payload variables
-
-| Variable | Description |
-| :-- | :-- |
-| `​​id` | The unique ID of the [Insight](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/#insight-details-page) whose information is provided in the payload.
-| `name` | The name of the Insight. |
-| `tags` | [Tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules) attached to the Insight. |
-| `orgId` | The ID of the Sumo Logic organization where the Insight originated. |
-| `closed` | Whether the Insight is closed. |
-| `entity` | The [entity](/docs/cse/records-signals-entities-insights/view-manage-entities) the Insight fired on. |
-| `source` | The source of the Insight data. |
-| `status` | The current status of the Insight. |
-| `created` | When the Insight was created. |
-| `signals` | The Signals in the Insight. |
-| `assignee` | The analyst assigned to the incident. |
-| `closedBy` | The analyst who closed the Insight (if it’s status is closed). |
-| `severity` | The [severity](/docs/cse/get-started-with-cloud-siem/insight-generation-process/#about-insight-severity) of the Insight. |
-| `timestamp` | The timestamp when the Insight fired. |
-| `assignedTo` | The analyst assigned to the incident. |
-| `confidence` | If sufficient data is available, a [Global Confidence score](/docs/cse/records-signals-entities-insights/global-intelligence-security-insights/) for the Insight is shown. |
-| `readableId` | The human-readable ID of the Insight. |
-| `resolution` | The [resolution](/docs/cse/administration/manage-custom-insight-resolutions/) of the Insight (if the Insight is resolved). |
-| `description` | A description of the Insight. |
-| `lastUpdated` | When the Insight was last updated. |
-| `lastUpdatedBy` | The analyst who last updated the Insight. |
-| `subResolution` | The [sub-resolution](/docs/cse/administration/manage-custom-insight-resolutions/) of the Insight (if the Insight is resolved and if a sub-resolution is applied). |
-| `teamAssignedto` | The team the Insight is assigned to. |
-| `timeToResponse` | The time it took to respond to the Insight. |
-| `timeToDetection` | The time it took to detect the Insight. |
-| `involvedEntities` | The entities involved in the Insight. |
-| `timeToRemediation` | The time it took to resolve the Insight. |
-
-#### Insight payload example
-
-```json
-{
- "id": "8e965194-f2da-36e0-839d-c2bacffca684",
- "name": "Unspecified Malicious Activity",
- "tags": [
- "custom-tag",
- "dataComponent:File",
- "foo",
- "MITRE_Expansion_C2",
- "testtag"
- ],
- "orgId": "0000000006ACDE44",
- "closed": null,
- "entity": {
- "id": "_ip-192.0.2.0",
- "name": "192.0.2.0",
- "value": "192.0.2.0",
- "hostname": null,
- "entityType": "_ip",
- "macAddress": null,
- "sensorZone": ""
- },
- "source": "ALGORITHM",
- "status": {
- "name": "new",
- "displayName": "New"
- },
- "created": "2024-09-05T20:25:59.673356",
- "signals": [
- {
- "id": "d02c5f27-5925-54a0-b0dd-0fee9ee2de2d",
- "name": "CrowdStrike Aggregation Rule test signal",
- "tags": [],
- "stage": "Unknown/Other",
- "entity": {
- "id": "_ip-192.0.2.0",
- "name": "192.0.2.0",
- "value": "192.0.2.0",
- "hostname": null,
- "entityType": "_ip",
- "macAddress": null,
- "sensorZone": ""
- },
- "ruleId": "AGGREGATION-U07128",
- "created": "2024-09-05T20:20:51.904000",
- "severity": 4,
- "artifacts": [],
- "timestamp": "2024-09-05T20:20:51.904000",
- "contentType": "RULE",
- "description": "test description",
- "recordCount": 1,
- "recordTypes": [],
- "recordSearchDetails": {
- "query": "_index=sec_record_* | where (if (isNull(metadata_vendor), true, metadata_vendor != \"CrowdStrike\") and if (isNull(objectType), true, objectType != \"email\") and if (isNull(srcDevice_ip), false, srcDevice_ip == \"192.0.2.0\"))",
- "queryEndTime": "2024-09-05T20:24:00",
- "queryStartTime": "2024-09-05T19:24:00"
- }
- },
- {
- "id": "34b173fe-792b-55b0-8723-808ded9547ce",
- "name": "Exclude CrowdStrike and Email Chain Rule",
- "tags": [
- "custom-tag",
- "foo",
- "testtag"
- ],
- "stage": "Unknown/Other",
- "entity": {
- "id": "_ip-192.0.2.0",
- "name": "192.0.2.0",
- "value": "192.0.2.0",
- "hostname": null,
- "entityType": "_ip",
- "macAddress": null,
- "sensorZone": ""
- },
- "ruleId": "CHAIN-U07162",
- "created": "2024-09-05T20:20:51.904000",
- "severity": 4,
- "artifacts": [],
- "timestamp": "2024-09-05T20:20:51.904000",
- "contentType": "RULE",
- "description": "chain rule test description",
- "recordCount": 1,
- "recordTypes": [],
- "recordSearchDetails": {
- "query": "_index=sec_record_* | where ((if (isNull(metadata_vendor), true, metadata_vendor != \"CrowdStrike\") or if (isNull(objectType), true, objectType != \"email\")) and if (isNull(srcDevice_ip), false, srcDevice_ip == \"192.0.2.0\"))",
- "queryEndTime": "2024-09-05T20:24:00",
- "queryStartTime": "2024-09-05T19:24:00"
- }
- },
- {
- "id": "f7ee1ba7-fb69-51e3-8cbe-a7673e237dfe",
- "name": "CrowdStrike First Seen Rule test signal",
- "tags": [
- "testtag",
- "foo",
- "custom-tag"
- ],
- "stage": "Unknown/Other",
- "entity": {
- "id": "_ip-192.0.2.0",
- "name": "192.0.2.0",
- "value": "192.0.2.0",
- "hostname": null,
- "entityType": "_ip",
- "macAddress": null,
- "sensorZone": ""
- },
- "ruleId": "FIRST-U00161",
- "created": "2024-09-05T20:20:51.904000",
- "severity": 4,
- "artifacts": [],
- "timestamp": "2024-09-05T20:20:51.904000",
- "contentType": "ANOMALY",
- "description": "test description",
- "recordCount": 1,
- "recordTypes": [],
- "recordSearchDetails": null
- },
- {
- "id": "5f0db81c-c11a-5b13-b2e0-8a25de6ba376",
- "name": "Exclude CrowdStrike and Email Threshold Rule test",
- "tags": [
- "MITRE_Expansion_C2",
- "testtag",
- "dataComponent:File"
- ],
- "stage": "Unknown/Other",
- "entity": {
- "id": "_ip-192.0.2.0",
- "name": "192.0.2.0",
- "value": "192.0.2.0",
- "hostname": null,
- "entityType": "_ip",
- "macAddress": null,
- "sensorZone": ""
- },
- "ruleId": "THRESHOLD-U07169",
- "created": "2024-09-05T20:25:51.043000",
- "severity": 4,
- "artifacts": [],
- "timestamp": "2024-09-05T20:25:51.043000",
- "contentType": "RULE",
- "description": "Test Threshold rule",
- "recordCount": 1,
- "recordTypes": [],
- "recordSearchDetails": {
- "query": "_index=sec_record_* | where (if (isNull(metadata_vendor), true, metadata_vendor != \"CrowdStrike\") and if (isNull(objectType), true, objectType != \"email\") and if (isNull(srcDevice_ip), false, srcDevice_ip == \"192.0.2.0\"))",
- "queryEndTime": "2024-09-05T21:36:00",
- "queryStartTime": "2024-09-05T09:36:00"
- }
- }
- ],
- "assignee": null,
- "closedBy": null,
- "severity": "HIGH",
- "timestamp": "2024-09-05T20:25:51.043000",
- "assignedTo": null,
- "confidence": null,
- "readableId": "INSIGHT-637",
- "resolution": null,
- "description": "Unknown/Other",
- "lastUpdated": "2024-09-05T20:25:59.673351",
- "lastUpdatedBy": null,
- "subResolution": null,
- "teamAssignedTo": null,
- "timeToResponse": null,
- "timeToDetection": 307.769356,
- "involvedEntities": [
- {
- "id": "_ip-192.0.2.0",
- "name": "192.0.2.0",
- "value": "192.0.2.0",
- "hostname": null,
- "entityType": "_ip",
- "macAddress": null,
- "sensorZone": null
- },
- {
- "id": "_username-pete@tclab.us",
- "name": "pete@tclab.us",
- "value": "pete@tclab.us",
- "hostname": null,
- "entityType": "_username",
- "macAddress": null,
- "sensorZone": null
- },
- {
- "id": "_username-key--d2b90316--a1d3--492d--beb5--308184ab4973 (Sumo Logic API client (read only))",
- "name": "key-d2b90316-a1d3-492d-beb5-308184ab4973 (Sumo Logic API client (read only))",
- "value": "key-d2b90316-a1d3-492d-beb5-308184ab4973 (Sumo Logic API client (read only))",
- "hostname": null,
- "entityType": "_username",
- "macAddress": null,
- "sensorZone": null
- }
- ],
- "timeToRemediation": null
-}
-```
-
-## Handling arrays in playbooks
-
-An array is a collection of related data values grouped together. When you are handling output from a playbook action, you may want to treat the entire array as a single item you want to pass to the next action, or you may want to treat each element in the array as a separate item. In playbooks, you can do either.
-
-### Arrays in text areas
-
-When you create an action, sometimes you are presented with a text area that includes an "Insert placeholder" icon }){kind=icon}
. When you click the icon, it allows you to add placeholders to the text area for input or output.
-
-Perform the following steps to add a placeholder to a text area to handle an array in output from a previous action. This allows you to process an array as a single element or multiple elements.
-1. [Create a playbook](#create-a-new-playbook) and [add action nodes](#add-an-action-node-to-a-playbook).
-1. Edit an action node that displays a text area.
-1. In the following example, the **Send Email** action shows text areas for the email's subject, body, and HTML. Click an "Insert placeholder" icon for one of the fields, for example, **HTML Content**.})
-1. Select a value from a previous action. In this example, we'll choose **Get Insight**.})
-1. Select **Outputs**. Only the arrays in the output show these icons: }){kind=icon}
})
-1. Click the icon for how you want the array to be handled by the action:
- * }){kind=icon}
**Loop**. Loops through the array so that the action is run for each item in the array.
- * }){kind=icon}
**Combine**. Combines all items in the array into a single value run by the action.
-1. The variable is inserted into the text area preceded by the icon for whether the contents of the array are looped or combined.})
-
-In this example, the action will be run for each item in the array ("looped").
-
-:::note
-The [**Cartesian Product**](#cartesian-product) checkbox is disabled if any variable is selected using the loop feature in the text area.
-})
-:::
-
-### Cartesian product
-
-The **Cartesian product** checkbox appears on nodes you add to playbooks. Clicking this checkbox causes the node to use the [Cartesian product](https://en.wikipedia.org/wiki/Cartesian_product) method to loop through items in arrays processed by the node.
-
-})
-
-For example, suppose one input field is for signal name, and another is for signal value. If you have 2 arrays like this, and each array has 3 items, the Cartesian product evaluation pairs each item from the first set with each item from the second set, which will produce 9 pairs (3x3). Without Cartesian product evaluation, only matching position items are paired, which will produce 3 pairs (equal to the number of items).
-
-:::warning
-Use the **Cartesian product** checkbox with caution. For most cases, deselect the **Cartesian product** checkbox when creating playbooks. Large array fields in the input can result in the action being called many times, causing the action to exceed the [actions limit](/docs/platform-services/automation-service/about-automation-service/#actions-limit). Only select this checkbox if you want to evaluate data from array input fields using the Cartesian product method.
-:::
-
-### "Split by" field in a filter node
-
-When you [add a filter node](#add-a-filter-node-to-a-playbook), use the **Split by** field to evaluate each item separately in arrays (lists).
-
-})
-
-Each item in arrays is checked against the filter condition. If the condition is true for an item, the item is passed to the next node. If you do not use the **Split by** field on an output that is a list, then if the condition is true for any item in the list, the entire list moves forward to the next node.
-
-## Troubleshoot playbooks
-
-You can run playbooks in automations for [monitors](/docs/alerts/monitors/use-playbooks-with-monitors/), [Cloud SIEM](/docs/cse/automation/automations-in-cloud-siem/), or [Cloud SOAR](/docs/cloud-soar/automation/). If a playbook has a problem when it runs in an automation, an error message often displays in the playbook providing information about the problem.
-
-:::tip
-To test a playbook before using it in an automation, see [Test a playbook](/docs/platform-services/automation-service/automation-service-playbooks/#test-a-playbook).
-:::
-
-### Open playbooks that require investigation
-
-#### Open a playbook from an alert
-
-1. Access the [alert list](/docs/alerts/monitors/alert-response/#alert-list).
-1. Open an alert that uses a playbook.
-1. On the alert details page, click the **Playbooks** button to see [automated playbooks](/docs/alerts/monitors/use-playbooks-with-monitors/#view-automated-playbooks-for-an-alert) attached to the alert. })
-1. Hover your mouse over the icon to the right of the playbook to see its status. In the example above, the playbook completed with errors.
-1. To investigate the problem, click the playbook name. The playbook opens in the Automation Service and any issues display in the results section.})
-
-Proceed to [Investigate playbook problems](#investigate-playbook-problems) below to look into playbook problems.
-
-#### Open a playbook from Cloud SIEM
-
-1. Open an [Insight](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/) or [Entity](/docs/cse/records-signals-entities-insights/view-manage-entities/) that uses playbooks (that is, that has [automations](/docs/cse/automation/automations-in-cloud-siem)).
-1. Click the **Automations** button at the top of the page to view the automations on the Insight or Entity. })
-1. Click **View Playbook** for a playbook you want to investigate. In the example above, the playbook we want to investigate completed with errors. The playbook opens in the Automation Service, and the issues display in the results section. })
-
-Proceed to [Investigate playbook problems](#investigate-playbook-problems) below to look into playbook problems.
-
-#### Open a playbook from Cloud SOAR
-
-1. Open an [Incident](/docs/cloud-soar/incidents-triage/#incidents).
-1. On the [incident details](/docs/cloud-soar/incidents-triage/#incident-details) page, select **Operations > Playbooks**. Playbooks appear that have run for the incident. })
-1. Click **Graph View** in the upper-right and click **>** to page through the playbooks. })
-1. Click a node on the playbook that displays an error.
-
-Proceed to [Investigate playbook problems](#investigate-playbook-problems) below to look into playbook problems.
-
-### Investigate playbook problems
-
-After you have [opened a playbook that requires investigation](/docs/platform-services/automation-service/automation-service-playbooks/#open-playbooks-that-require-investigation), follow the steps below to investigate problems with the playbook.
-
-1. The **Filtered Results** section shows the status of actions that ran on the playbook. The example below shows two failed actions that require investigation. })
-1. Click an action for an explanation of the problem. })
-1. For more detailed information about the action, click the **Graph View** in the upper right and then click on the action. A pane opens that displays more information about the action. })
-1. Sometimes the playbook's payload will provide more information about why an action has a problem. To view the playbook's payload, click **>** to the right of the playbook name. }){kind=icon}
-1. Examine the [playbook payload](#playbook-payloads) for information that might help you resolve the problem. For example, the payload may be able to tell you if a field has not been properly passed from a previous action, or a field was unintentionally left blank that the action requires.})
-1. Based on what you uncover during investigation, you may need to make changes to the playbook and then [test the playbook](#test-a-playbook) to ensure it works correctly.
-
-
-### Common playbook problems
-
-Following are some common problems that can occur with playbooks:
-* **No response from the bridge**The [automation bridge](/docs/platform-services/automation-service/automation-service-bridge/) is offline, or the bridge does not have the egress firewall settings to handle the outbound request. -* **API rate limiting issues**
The vendor has capped the number of requests that can be made to their API in a certain time frame. -* **HTTPS connection pool issues**
There are no available connections at the vendor, usually indicative of a vendor API health issue. -* **A required field is empty that the action is looking for**
A field has not been properly passed from a previous action, or a field was unintentionally left blank that the action requires. -* **Permission denied**
The API key is incorrect on the [integration resource](/docs/platform-services/automation-service/about-automation-service/#configure-the-connection-for-an-integration-resource), or the account running the playbook has invalid credentials or insufficient permissions. -* **You have exceeded the actions limit**
The number of actions that your organization can run per hour is limited to a certain threshold. Any actions that are launched beyond this [actions limit](/docs/platform-services/automation-service/about-automation-service/#actions-limit) will not run. You might exceed the limit if: - * There are alert surges.
- * The playbook is not optimized properly and actions are stuck in a loop. - * There are Cartesian flag issues (too many nested elements to process as part of the returned API result). diff --git a/docs/platform-services/automation-service/index.md b/docs/platform-services/automation-service/index.md index 951d851621..14b7c7b526 100644 --- a/docs/platform-services/automation-service/index.md +++ b/docs/platform-services/automation-service/index.md @@ -32,7 +32,7 @@ In this section, we'll introduce the following concepts:
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Automation > Playbooks**. You can also click the **Go To...** menu at the top of the screen and select **Playbooks**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Automation > Playbooks**.
The list of playbooks displays. You can click on any of the existing playbooks which will open the playbook diagram in the sidebar on the right. You can view here the individual nodes and sequences in the selected playbook, to give you an idea of the type of actions and structures that you can create. Playbooks can have any number of actions, as well as branching conditions to manage different sequences of actions, depending on selected criteria. You can click on any component of a playbook to see more detailed information about each node. -1. Let's [create a playbook](/docs/platform-services/automation-service/automation-service-playbooks/#create-a-new-playbook) of our own that will send an email notification when a Cloud SIEM insight is created with a high severity. +1. Go to the [Playbooks](/docs/platform-services/automation-service/playbooks/create-playbooks/#view-playbooks) page.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Automation > Playbooks**. You can also click the **Go To...** menu at the top of the screen and select **Playbooks**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Automation > Playbooks**.
The list of playbooks displays. You can click on any of the existing playbooks which will open the playbook diagram in the sidebar on the right. You can view here the individual nodes and sequences in the selected playbook, to give you an idea of the type of actions and structures that you can create. Playbooks can have any number of actions, as well as branching conditions to manage different sequences of actions, depending on selected criteria. You can click on any component of a playbook to see more detailed information about each node. +1. Let's [create a playbook](/docs/platform-services/automation-service/playbooks/create-playbooks/#create-a-new-playbook) of our own that will send an email notification when a Cloud SIEM insight is created with a high severity. 1. Click the plus icon near the top to create a new playbook.
})
1. Enter a name for the playbook, such as "Send Cloud SIEM Insight Email Notification". You can optionally enter a description. Select **Cloud SIEM** as the **Type** for the playbook.})
1. Click **Create** when finished.
1. On the following screen you will see the starting template for your new empty playbook, with **Start** and **End** nodes. Switch to edit mode by clicking on the **Edit** (pencil) icon in the bottom toolbar.})
1. Before we start adding actions to our playbook, we’ll want to set up the initial configuration of the playbook so we get the proper inputs from the Cloud SIEM insight. Mouse over the **Start** node, and click the **Edit** (pencil) icon.})
- 1. In the **Edit Node** popup, go to the **Add one or more params as a playbook input** field and select **Insight**. Choosing **Insight** automatically populates the popup view with a number of input parameters that will be added to the playbook from the corresponding insight. (For more information about these parameters, see [Insight payload variables](/docs/platform-services/automation-service/automation-service-playbooks/#insight-payload-variables).)
+ 1. In the **Edit Node** popup, go to the **Add one or more params as a playbook input** field and select **Insight**. Choosing **Insight** automatically populates the popup view with a number of input parameters that will be added to the playbook from the corresponding insight. (For more information about these parameters, see [Insight payload variables](/docs/platform-services/automation-service/playbooks/playbook-payloads/#insight-payload-variables).)
1. Click **Update** to save and close the input parameters.
1. Now let's add an action node to the playbook.
1. Click the **+** symbol on the **Start** node.
@@ -183,7 +183,7 @@ Now that those integrations are configured, let’s use the Automation Service t
1. In your playbook, go to the kebab icon in the upper right corner and select **Run Test**.
1. For **Input** select **Insight** and in **ID** enter the insight ID.
1. Click **Run**.})
- 1. The playbook runs. If errors occur, click the nodes with errors and [troubleshoot the playbook](/docs/platform-services/automation-service/automation-service-playbooks/#troubleshoot-playbooks).})
+ 1. The playbook runs. If errors occur, click the nodes with errors and [troubleshoot the playbook](/docs/platform-services/automation-service/playbooks/troubleshoot-playbooks/).
1. After the playbook runs, the email recipient should get an email that looks like this:})
#### Create a custom automation to run your Cloud SIEM insights playbook
@@ -211,7 +211,7 @@ To test the automation you created in the [previous section](#create-a-custom-au
1. Click **Actions** in the left sidebar of the insight and select your automation from the list. (If you do not see your automation, you may need to leave and return to Cloud SIEM to refresh the list.)})
1. You should see a green popup at the bottom indicating that your automation was successfully submitted for execution. })
1. Click the **Automations** tab on the top of the screen to see the results of executing your automation. **Status** will display the results of the playbook's run, such as **Success** or **Completed with errors**. })
-1. Click the **View Playbook** to see more details about the playbook's execution, such as an explanation about any errors that occurred. (See [Troubleshoot playbooks](/docs/platform-services/automation-service/automation-service-playbooks/#troubleshoot-playbooks) for help if your playbook run has problems.)})
+1. Click the **View Playbook** to see more details about the playbook's execution, such as an explanation about any errors that occurred. (See [Troubleshoot Playbooks](/docs/platform-services/automation-service/playbooks/troubleshoot-playbooks/) for help if your playbook run has problems.)
1. If the automation execution was successful, and you included your email in the playbook email notification when you created, your inbox should have an email from the Cloud SIEM system with the insight details as designed in the playbook.})
You now have a custom automation that can be manually run or attached to insight creation or closing.
@@ -235,7 +235,7 @@ For this playbook let’s presume we have some AWS EC2 instances that are being
1. Edit the playbook:
1. Click the **Edit** (pencil) icon to start editing your playbook.
1. Click the pencil icon underneath the **Start** node.
- 1. In the **Edit node** dialog, in the **Add one or more params as a playbook input** field select **Alert** as the playbook input. The dialog box will auto-populate with a number of parameters related to the source alert. (For more information about these parameters, see [Alert payload variables](/docs/platform-services/automation-service/automation-service-playbooks/#alert-payload-variables).)})
+ 1. In the **Edit node** dialog, in the **Add one or more params as a playbook input** field select **Alert** as the playbook input. The dialog box will auto-populate with a number of parameters related to the source alert. (For more information about these parameters, see [Alert payload variables](/docs/platform-services/automation-service/playbooks/playbook-payloads/#alert-payload-variables).)
1. In this case, we also want to add a custom parameter to facilitate later actions. Scroll down to the bottom of the **Edit node** dialog and click **Add New Param**.
1. Type the following as the parameter name: `customPlaceholderMap[]."cloud.instance.id"`})
1. Click **Update** when finished.
@@ -291,4 +291,4 @@ When the monitor you configured in the previous section triggers an alert, the p
1. To get to your alert list, from the [**New UI**](/docs/get-started/sumo-logic-ui), select **Alerts > Alert List**. From the [**Classic UI**](/docs/get-started/sumo-logic-ui-classic), click the bell icon in the top menu.
1. Select the alert triggered by the monitor that has the playbook attached.
1. On the alert details page, click **Playbooks** in the upper right corner. This opens a sidebar listing the playbook attached to the monitor. })
-1. Click the playbook link in the sidebar. This opens the playbook results page in another browser tab, showing you the results of each playbook action. If the playbook ran with errors, see [Troubleshoot playbooks](/docs/platform-services/automation-service/automation-service-playbooks/#troubleshoot-playbooks) for help.
\ No newline at end of file
+1. Click the playbook link in the sidebar. This opens the playbook results page in another browser tab, showing you the results of each playbook action. If the playbook ran with errors, see [Troubleshoot Playbooks](/docs/platform-services/automation-service/playbooks/troubleshoot-playbooks/) for help.
\ No newline at end of file
diff --git a/docs/platform-services/automation-service/playbooks-in-app-central.md b/docs/platform-services/automation-service/playbooks-in-app-central.md
index fd2731ff77..cf6677958a 100644
--- a/docs/platform-services/automation-service/playbooks-in-app-central.md
+++ b/docs/platform-services/automation-service/playbooks-in-app-central.md
@@ -10,7 +10,7 @@ import SamplePlaybooks from '../../reuse/automation-service/sample-playbooks.md'
A playbook is a predefined set of actions and conditional statements that run in an automated workflow to respond to a certain event or incident type.
-While [playbooks](/docs/platform-services/automation-service/automation-service-playbooks/) in the Automation Service UI show the playbooks installed to your environment, the **Playbooks** tab in App Central shows you additional playbooks you can install.
+While [playbooks](/docs/platform-services/automation-service/playbooks/) in the Automation Service UI show the playbooks installed to your environment, the **Playbooks** tab in App Central shows you additional playbooks you can install.
### Install a playbook from App Central
diff --git a/docs/platform-services/automation-service/playbooks/arrays-in-playbooks.md b/docs/platform-services/automation-service/playbooks/arrays-in-playbooks.md
new file mode 100644
index 0000000000..1402274c17
--- /dev/null
+++ b/docs/platform-services/automation-service/playbooks/arrays-in-playbooks.md
@@ -0,0 +1,53 @@
+---
+id: arrays-in-playbooks
+title: Arrays in Playbooks
+sidebar_label: Arrays in Playbooks
+description: Learn how to handle arrays in Automation Service playbooks.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+An array is a collection of related data values grouped together. When you are handling output from a playbook action, you may want to treat the entire array as a single item you want to pass to the next action, or you may want to treat each element in the array as a separate item. In playbooks, you can do either.
+
+## Arrays in text areas
+
+When you create an action, sometimes you are presented with a text area that includes an "Insert placeholder" icon . When you click the icon, it allows you to add placeholders to the text area for input or output.
+
+Perform the following steps to add a placeholder to a text area to handle an array in output from a previous action. This allows you to process an array as a single element or multiple elements.
+1. [Create a playbook](/docs/platform-services/automation-service/playbooks/create-playbooks/#create-a-new-playbook) and [add action nodes](/docs/platform-services/automation-service/playbooks/create-playbooks/#add-an-action-node-to-a-playbook).
+1. Edit an action node that displays a text area.
+1. In the following example, the **Send Email** action shows text areas for the email's subject, body, and HTML. Click an "Insert placeholder" icon for one of the fields, for example, **HTML Content**.
+1. Select a value from a previous action. In this example, we'll choose **Get Insight**.
+1. Select **Outputs**. Only the arrays in the output show these icons:
+1. Click the icon for how you want the array to be handled by the action:
+ * **Loop**. Loops through the array so that the action is run for each item in the array.
+ * **Combine**. Combines all items in the array into a single value run by the action.
+1. The variable is inserted into the text area preceded by the icon for whether the contents of the array are looped or combined.
+
+In this example, the action will be run for each item in the array ("looped").
+
+:::note
+The [**Cartesian Product**](#cartesian-product) checkbox is disabled if any variable is selected using the loop feature in the text area.
+
+:::
+
+## Cartesian product
+
+The **Cartesian product** checkbox appears on nodes you add to playbooks. Clicking this checkbox causes the node to use the [Cartesian product](https://en.wikipedia.org/wiki/Cartesian_product) method to loop through items in arrays processed by the node.
+
+
+
+For example, suppose one input field is for signal name, and another is for signal value. If you have 2 arrays like this, and each array has 3 items, the Cartesian product evaluation pairs each item from the first set with each item from the second set, which will produce 9 pairs (3x3). Without Cartesian product evaluation, only matching position items are paired, which will produce 3 pairs (equal to the number of items).
+
+:::warning
+Use the **Cartesian product** checkbox with caution. For most cases, deselect the **Cartesian product** checkbox when creating playbooks. Large array fields in the input can result in the action being called many times, causing the action to exceed the [actions limit](/docs/platform-services/automation-service/about-automation-service/#actions-limit). Only select this checkbox if you want to evaluate data from array input fields using the Cartesian product method.
+:::
+
+## "Split by" field in a filter node
+
+When you [add a filter node](/docs/platform-services/automation-service/playbooks/create-playbooks/#add-a-filter-node-to-a-playbook), use the **Split by** field to evaluate each item separately in arrays (lists).
+
+
+
+Each item in arrays is checked against the filter condition. If the condition is true for an item, the item is passed to the next node. If you do not use the **Split by** field on an output that is a list, then if the condition is true for any item in the list, the entire list moves forward to the next node.
+
diff --git a/docs/platform-services/automation-service/playbooks/create-playbooks.md b/docs/platform-services/automation-service/playbooks/create-playbooks.md
new file mode 100644
index 0000000000..9640d92f9a
--- /dev/null
+++ b/docs/platform-services/automation-service/playbooks/create-playbooks.md
@@ -0,0 +1,265 @@
+---
+id: create-playbooks
+title: Create Playbooks
+sidebar_label: Create Playbooks
+description: Learn how to create playbooks in the Automation Service to run automated actions.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+import CartesianProduct from '../../../reuse/cartesian-product.md';
+
+## View playbooks
+
+The following procedure describes how to view playbooks already installed in your environment. To add more playbooks, [create a playbook](#create-a-new-playbook), or [install a playbook from App Central](/docs/platform-services/automation-service/playbooks-in-app-central/#install-a-playbook-from-app-central).
+
+1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Automation > Playbooks**. You can also click the **Go To...** menu at the top of the screen and select **Playbooks**. The list of playbooks displays.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Automation > Playbooks**.
})
+1. Select a playbook to see the elements in the workflow.})
+1. Click the elements in the playbook to see their details. For example, click actions (the boxes in the flow) to see the [integration](/docs/platform-services/automation-service/automation-service-integrations/) resources that provide the actions.})
+
+## Create a new playbook
+
+Before you create your own playbook, first [view playbooks](#view-playbooks) to make sure there isn't one already that does what you want to accomplish, and also check to see if you can [install a playbook from App Central](/docs/platform-services/automation-service/playbooks-in-app-central/#install-a-playbook-from-app-central) that does what you need. After you create a playbook, you can run it in automations for [monitors](/docs/alerts/monitors/use-playbooks-with-monitors/), [Cloud SIEM](/docs/cse/automation/automations-in-cloud-siem/), or [Cloud SOAR](/docs/cloud-soar/automation/).
+
+:::tip
+The following procedure provides a brief introduction to how to create a playbook. For detailed examples of how to create playbooks, see the [Cloud SIEM automation examples](/docs/cse/automation/cloud-siem-automation-examples/).
+:::
+
+1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Automation > Playbooks**. You can also click the **Go To...** menu at the top of the screen and select **Playbooks**. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Automation**.
Previously-created playbooks display. +1. Click the **+** button to the left of **Playbook**.
+1. A new configuration box will be displayed. Name your new playbook.
+1. Select the incident **Type**. (For example, for Cloud SIEM automations, select **Cloud SIEM**. For playbooks run from inside another playbook, you can select another incident type to associate with it, for example, **Denial of Service**, **Malware**, **Phishing**, and so on.)
+1. Enter a **Description** of the playbook to help others understand how to use it.
+1. Click **Create**. The new playbook appears in the list of available playbooks.
+1. To configure the new playbook, select it from the list and click the **Edit** button at the bottom of the screen.})
+1. The **Start** node displays a **+** icon and an **Edit** icon. Click the **Edit** icon. })
The **Edit node** dialog appears.
})
+1. Click the dropdown arrow on **Add one or more params as a playbook input** and select the kind of trigger that will execute the playbook:
+ * **Insight**. An [Insight](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/) from an [automation in Cloud SIEM](/docs/cse/automation/automations-in-cloud-siem/).
+ * **Entity**. An [Entity](/docs/cse/records-signals-entities-insights/view-manage-entities/) from an [automation in Cloud SIEM](/docs/cse/automation/automations-in-cloud-siem/).
+ * **Alert**. An [alert](/docs/alerts/) from an [automated playbook in a monitor](/docs/alerts/monitors/use-playbooks-with-monitors/).
+ * **Parse from json**. A payload from a [parent playbook](/docs/platform-services/automation-service/playbooks/create-playbooks/#add-a-playbook-node-to-a-playbook). (You can also select this option if you want to pass a custom payload from an alert.)
+ * Leave blank if the trigger will run by a Cloud SOAR incident. See [Run playbooks in Cloud SOAR](/docs/cloud-soar/automation/#run-playbooks-in-cloud-soar).
+1. When you select one of these options, standard parameters for the trigger type are displayed. (If you select **Parse from json**, a box appears for you to enter the JSON payload.) Click the **Remove** icon to remove any parameters you don't want passed into the playbook, and if you want to add more parameters, click **Add New Param** at the bottom of the dialog.
+1. Click **Update**. The playbook will display a black screen with a **Start** node and an **End** node. These nodes dictate the beginning and the end of the playbook's automation sequence. You can drag and drop them anywhere on the screen to allow you space to add multiple nodes between them.
+1. To add the first node in the playbook, click the **+** on the **Start** node. The **Add node** page is displayed.})
+
+See [Add nodes to a playbook](/docs/platform-services/automation-service/playbooks/create-playbooks/#add-nodes-to-a-playbook) for next steps.
+
+
+## Add nodes to a playbook
+
+You can add nodes to a playbook when you either create a new playbook, or edit an existing playbook. To add a node to a playbook, hover your mouse over an existing node, such as the **Start** node, and click on the **+** button that appears on the node. A *node* is a step in a playbook. Nodes run in the order they are placed in a playbook. When all nodes run without error, the playbook is considered to have executed successfully.
+
+See the following sections to learn how to add the following node types:
+ * [**Action**](#add-an-action-node-to-a-playbook). Automatically take specific actions such as enriching data or taking containment steps.
+ * [**Condition**](#add-a-condition-node-to-a-playbook). Use conditional statements to define what actions should be taken in response to previous inputs.
+ * [**Playbook**](#add-a-playbook-node-to-a-playbook). Call other playbooks in response to conditional statements.
+ * [**Task**](#add-a-task-node-to-a-playbook). Assign a task to an individual.
+ * [**User Choice**](#add-a-user-choice-node-to-a-playbook). Pause playbook execution until a user selects an option.
+ * [**Filter**](#add-a-filter-node-to-a-playbook). Filter results from the preceding action.
+
+### Add an action node to a playbook
+
+An action node in a playbook runs an operation. You can string actions together in the playbook to perform a workflow.
+
+:::tip
+For examples of adding actions to playbooks, see the [Cloud SIEM automation examples](/docs/cse/automation/cloud-siem-automation-examples/).
+:::
+
+:::info
+Before you can add action nodes to a playbook, you must [configure the connection](/docs/platform-services/automation-service/about-automation-service/#configure-the-connection-for-an-integration-resource) for each integration resource that actions originate from.
+:::
+
+1. Either [create a new playbook](#create-a-new-playbook) as described above, or edit an existing playbook.
+1. Hover your mouse over an existing node, such as the **Start** node, and click on the **+** button that appears.})
+1. The **Add node** page displays.
+1. Select **Action**. The action node configuration screen displays.})
+1. Give a **Node name** that identifies the action being taken.
+1. Select **Manual execution** if the node will require manual intervention to run. For example, an analyst may need to add information before executing the node.
+1. Select the [**Integration**](/docs/platform-services/automation-service/automation-service-integrations/) to supply the action for the node.
+1. Select the **Type** of action:
+ * **Containment**. Performs some sort of response or remediation action, such as resetting a user's password or blocking a domain on your firewall.
+ * **Custom**. Performs an action defined in a custom action YAML file. For an example of a custom action created for Cloud SIEM, see [Advanced example: Configure a custom integration](/docs/cse/automation/cloud-siem-automation-examples/#advanced-example-configure-a-custom-integration).
+ * **Enrichment**. Enriches data with additional information, such as adding information about a known malicious IP address.
+ * **Notification**. Sends a notification, for example, an email or a post in a messaging service.
+ * **Scheduled**. Runs an action on a schedule once the playbook starts. For example, the action regularly checks a condition, and once the condition is met, the next playbook actions are executed.
+ :::note
+ The **Type** drop-down menu shows only the action types available in the selected integration.
+ :::
+1. Select the **Action** from the drop-down list. The dialog updates to show the integration resource that the action originates from, along with additional fields you must fill out to configure how you would like the action to be performed.})
+1. Fill out the fields with the specific information required by the action. For more information about the action, you can [view the integration that provides the action](/docs/platform-services/automation-service/automation-service-integrations/#view-integrations).
+1. Deselect the **Cartesian product** checkbox.
+ :::warning
+ })
+1. When you are ready to allow the playbook to be used in automations, click the **Publish** button at the bottom of the playbook window.})
+
+### Add a condition node to a playbook
+
+Define a conditional statement to be met before the next node can be executed.
+
+:::tip
+For examples of adding conditions to playbooks, see the [Cloud SIEM automation examples](/docs/cse/automation/cloud-siem-automation-examples/).
+:::
+
+1. Either [create a new playbook](#create-a-new-playbook) as described above, or edit an existing playbook.
+1. Hover your mouse over an existing node and click on the **+** button that appears. })
+1. The **Add node** dialog displays.
+1. Select **Condition**. The condition node configuration dialog displays.})
+1. Deselect the **Cartesian product** checkbox.
+ :::warning
+ })
+1. The condition node configuration dialog displays again. Under **Condition1**, click **Select a value**.})
+1. Click **Get Value** and select from the drop-down menu whether the value will evaluate to **true (bool)**, **false (bool)**, or **empty**. You can also manually enter a value, such as a string or numeric literal.})
+1. Under **Get value from a previous action**, select the value to feed into the condition. The example shows **Get Devices** and **Playbook inputs** that came from the previous action. (The condition must be linked by a line to the previous action node to receive outputs from the action.) Click the options from the previous action and select which output type (for example, hashes, IP addresses, domains) to evaluate and add it to the condition.
+1. The selected output type will be displayed under **Condition 1**. Select which condition you would like for the output results to meet from the inequality operators below and click **Select a value** to define the condition.
+1. Now that **Condition 1** is defined, you can choose to filter your results further by selecting an **AND/OR** operator to define another condition.
+ :::warning
+ If you define multiple conditions, all the conditions must be filtered with either **AND** or **OR**. If some are filtered with **AND** and some with **OR**, then the condition evaluation will fail.
+ :::
+1. Click **Update**.
+1. When you create a new condition, you need to define what happens when the results meet one of your criteria. Draw lines to nodes to define the flow for success, failure, or other condition options.
+
+### Add a task node to a playbook
+
+Define a task to assign to an individual, such as a security analyst.
+
+1. Either [create a new playbook](#create-a-new-playbook) as described above, or edit an existing playbook.
+1. Hover your mouse over an existing node and click on the **+** button that appears.
+1. The **Add node** dialog displays.
+1. Select **Task**. The task node configuration dialog displays.})
+1. Give the node a **Title** that will display in the playbook.
+1. Type a **Description** of the task the owner will perform. If desired, you can click the variable icon
}){kind=icon}
and click in the resulting box to display a list of variables you can add to the description.
+1. For **Authorizer**, select the user assigning the task.
+1. For **Owner**, select the user assigned the task.
+1. In **Due date**, enter the number of days from the time when the action is run before the task is due.
+1. Select **mandatory** if the task must be performed in order for the playbook to continue.
+1. In **Actual effort**, enter the number of days expected to complete the task. (The owner will subsequently record the actual number of days spent on the effort.)
+1. In **Progress**, select percent toward completion, for example, 10%, 20%, and so on. (The owner will subsequently record their progress.)
+1. Select the **Priority** (Low, Normal, Important, or Urgent).
+1. Click **Create**.
+
+Following is an example of a task node in a running playbook. Click the **Task** node to view more about its status. Status information opens in a box to the left. In the following example of an action whose status is **Waiting Owner**, an **Action Task** appears in the box that describes user interaction required to complete the task.
+
+})
+
+If a user has an action marked as **Waiting Owner**, they must perform the steps needed to complete the **Action Task**. When done, they click the appropriate button at the bottom of the **Waiting Owner** action box (**Approve**, **Approve & Close**, or **Reject**). The action completes, and the subsequent remaining actions in the playbook run.
+
+})
+
+### Add a user choice node to a playbook
+
+When a user choice node is encountered, the execution will pause until a user selects an option. For example, after enrichment, a user could be asked whether to proceed with a containment action or to perform additional enrichment first. When a playbook is paused at a user choice node, the status of that playbook will say **Waiting user interaction**.
+
+1. Either [create a new playbook](#create-a-new-playbook) as described above, or edit an existing playbook.
+1. Hover your mouse over an existing node and click on the **+** button that appears. +1. The **Add node** dialog displays.
+1. Select **User Choice**. The user choice node configuration dialog displays.})
+1. Type a **Question** for the user. The answers they can choose from are provided by the **Answers** field.If desired, you can click the variable icon
and click in the resulting box to display a list of variables you can add to the description.
+1. In **Answers**, enter selections that the user can choose from. By default, **success** and **failure** are provided.
+1. For **Authorizer**, select the authorizer of the user choice.
+1. Select **Expires** if you want the user choice to expire after a set amount of time so that the playbook can proceed when no choice is made. If you do not select **Expires**, the playbook does not proceed until the user makes a choice. If you select **Expires**, fill out additional fields for the amount of time to pass before expiration, and the **Default answer** to automatically be chosen at the end of the expiration period.
+1. Click **Create**.
+
+Following is an example of a user choice node. Note the the node branches to the next node depending on the user's answer.
+
+})
+
+### Add a playbook node to a playbook
+
+Define a playbook to run inside another playbook. For example, you may want to call another playbook in response to a [condition](#add-a-condition-node-to-a-playbook) statement.
+
+1. Either [create a new playbook](#create-a-new-playbook) as described above, or edit an existing playbook.
+1. Hover your mouse over an existing node and click on the **+** button that appears. +1. The **Add node** dialog displays.
+1. Select **Playbook**. The playbook node configuration dialog displays.})
+1. In the **Playbook** drop-down menu, select the playbook to run.
+1. Click **Create**.
+
+### Add a filter node to a playbook
+
+A filter node filters results from the preceding action based on the condition you write. You can only add a filter node after an action node. For example, let's suppose that the action feeding into the filter has 10 results, but you want to filter out all but the best two results. You can write a condition in the filter to do the filtering.
+
+1. [Add an action node](#add-an-action-node-to-a-playbook).
+1. Hover your mouse over an action node and click the **+** button. The available nodes are displayed. })
+1. Click **Filter**. The filter node configuration dialog displays. })
+1. (Optional) Use **Split by** to select an output if it is a list (array) and you want to evaluate each item separately. See ["Split by" field in a filter node](/docs/platform-services/automation-service/playbooks/arrays-in-playbooks/#split-by-field-in-a-filter-node) for more information.
+1. Configure the conditions you want to use for filtering.
+1. Deselect the **Cartesian product** checkbox.
+ :::warning
+ })
+
+When the automatic save is complete, the following notification lets you know.})
+
+To enable or disable autosave, use [playbook preferences](#playbook-preferences).
+
+### Versions
+
+To publish a playbook so that others may use it, click the publish button at the bottom of the playbook screen.})
+
+Every time you publish a playbook, a new version of the playbook is retained. In the screen image below, notice how all the versions of the playbook are listed (#4 being the published version as indicated by the publish icon). Click on a version to edit it, and if you want, publish it. In this way, you maintain version control of your playbooks, and ensure that all versions are retained.
+
+})
+
+## Enable or disable playbooks
+
+You can enable playbooks for use in automations, or disable them to prevent them from being used. This gives you greater control over when a playbook can be run. If for example a playbook is causing a problem, such as exceeding your actions limit or sending too many emails, you could temporarily disable the playbook until you remedy the issue.
+
+When enabling or disabling playbooks, keep in mind:
+* By default, draft playbooks are disabled.
+* Playbooks without any published versions are initially disabled and will be automatically enabled upon publishing their first version.
+* Disabled playbooks cannot be triggered automatically.
+* Deleted playbooks are set to disabled and remain so after restoration.
+* Cloned or imported playbooks are enabled by default, irrespective of the original playbook's status.
+* [Audit logs](/docs/platform-services/automation-service/automation-service-audit-logging/) are generated whenever playbooks are enabled or disabled manually.
+
+### How to enable or disable a playbook
+
+To enable or disable a playbook, open the playbook and click the toggle.})
})
+
+The **Status** column shows whether a playbook is enabled }){kind=small}
or disabled }){kind=small}
.
+
+})
+
+### Enable on publish
+
+To publish a playbook, click the **Publish** button at the bottom of the playbook window:
+
+When you publish a playbook:
+* Playbooks without any published versions are automatically enabled.
+* Playbooks that have previously published versions will display an **Enable playbook on publish** option if they are in a disabled state:})
+
+## Playbook preferences
+
+1. Click the preferences button in the upper-right corner of the screen.})
+2. Configure preferences in the **Playbooks Preferences** screen.})
+
+### Autosave preference
+
+Select **Enable Autosave for all playbooks** to ensure that while editing a playbook, all changes will be automatically saved to the draft. For more information, see [Autosave](#autosave).
+
+## Import and export playbooks
+
+With the mechanism to import and export playbooks, you can move a playbook, along with all its configurations, from one instance to another. The file should be in tar.gz format and adhere to naming conventions.
+
+1. Click on the Export icon located next to the playbook name.})
+1. Upon clicking, the tar.gz archive download will be initiated.
+1. At this point, you can open the archive, modify the configuration data, recreate a tar.gz archive, and upload it. To upload the file, click on the Import icon.})
+1. Select the desired file and click Import. })
+
+It is crucial that the file names inside the tar.gz adhere to the following format: `
+
\ No newline at end of file
diff --git a/docs/platform-services/automation-service/playbooks/playbook-payloads.md b/docs/platform-services/automation-service/playbooks/playbook-payloads.md
new file mode 100644
index 0000000000..f28f3b5d92
--- /dev/null
+++ b/docs/platform-services/automation-service/playbooks/playbook-payloads.md
@@ -0,0 +1,448 @@
+---
+id: playbook-payloads
+title: Playbook Payloads
+sidebar_label: Playbook Payloads
+description: Learn about the data payloads of the different playbook types.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+When a playbook is run, a payload is passed from the initial object to the playbook (for example, from an alert, entity, or Insight). The variables in the payload can be assigned to parameters and used as inputs for different actions in the playbook.
+
+You select the initial object to use for the payload when you [create a playbook](/docs/platform-services/automation-service/playbooks/create-playbooks/#create-a-new-playbook). In the **Add one or more params as a playbook input** field, you select the kind of trigger that will execute the playbook:
+
+
+ })
+Create Playbooks
+Learn how to create playbooks in the Automation Service to run automated actions.
+
+
+
+
+Playbook Payloads
+Learn about the data payloads of the different playbook types.
+
+
+
+
+Arrays in Playbooks
+Learn how to handle arrays in Automation Service playbooks
+
+
+
+
+Troubleshoot Playbooks
+Learn how to test playbooks and troubleshoot playbook problems.
+
+ * **Insight**. An [Insight](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/) from an [automation in Cloud SIEM](/docs/cse/automation/automations-in-cloud-siem/).
+ * **Entity**. An [entity](/docs/cse/records-signals-entities-insights/view-manage-entities/) from an [automation in Cloud SIEM](/docs/cse/automation/automations-in-cloud-siem/).
+ * **Alert**. An [alert](/docs/alerts/) from an [automated playbook in a monitor](/docs/alerts/monitors/use-playbooks-with-monitors/).
+ * **Parse from json**. A payload from a [parent playbook](/docs/platform-services/automation-service/playbooks/create-playbooks/#add-a-playbook-node-to-a-playbook). You can also select this option if you want to pass a custom payload from an alert.
+ * Leave blank if the trigger will be a Cloud SOAR [incident or triage](/docs/cloud-soar/incidents-triage).
+
+:::note
+If you are using [nested playbook nodes](/docs/platform-services/automation-service/playbooks/create-playbooks/#add-a-playbook-node-to-a-playbook), then you will need to configure the parameters of the Start Node in the child playbook to include the outputs of the parent playbook that are passed to the child playbook. It is not recommended to use parameter arrays (for example, `signals[].id`) as the Start Node parameters for the child playbook; you should use a standard parameter names instead (for example, `signals.id`).
+:::
+
+Following are examples of payloads from different trigger types:
+* [Alert payload](#alert-payload)
+* [Entity payload](#entity-payload)
+* [Insight payload](#insight-payload)
+
+## Alert payload
+
+### View an alert payload
+
+1. Access the [alert list](/docs/alerts/monitors/alert-response/#alert-list).
+1. Open an alert that uses a playbook.
+1. On the alert details page, click the **Playbooks** button to see [automated playbooks](/docs/alerts/monitors/use-playbooks-with-monitors/#view-automated-playbooks-for-an-alert) attached to the alert.
+1. Click the playbook name. The playbook opens in the Automation Service.
+1. To view the playbook's payload, click **>** to the right of the playbook name. The alert payload appears.
+
+### Alert payload variables
+
+ The following variables are passed in the payload from an alert to a playbook.
+
+| Variable | Description |
+| :-- | :-- |
+|`​​Id`|The unique identifier for alert that triggered the playbook.|
+|`Name`|The name of the monitor.|
+|`Query`|The query used in the monitor.|
+|`QueryURL`|The URL to the logs or metrics query within Sumo Logic.|
+|`AlertName`|The name of the alert.|
+|`SourceURL`|The URL to the configuration or status page of the monitor in Sumo Logic.|
+|`AlertGroup`|The alert grouping that triggered the alert, including associated values for that field.|
+|`Description`|The description of the monitor.|
+|`MonitorType`|The type of alert, either `Logs` or `Metrics`.|
+|`ResultsJson`|JSON object containing the query results that triggered the alert.|
+|`TriggerTime`|The date and time the query triggered the alert.|
+|`TriggerType`|The status of the alert or recovery. Alert will have a status of `Normal`, `Critical`, `Warning`, or `Missing Data`. Recovery will have a status of `ResolvedCritical`, `ResolvedWarning`, or `ResolvedMissingData`.|
+|`TriggerValue`|The value that triggered the alert.|
+|`Notifications`|The details for the notifications configured in the monitor.|
+|`NumRawResults`|Number of results returned by the search.|
+|`DetectionMethod`|The type of detection method used to detect alerts. Values are based on static or outlier triggers and data type, either logs or metrics. The value will be `LogsStaticCondition`, `MetricsStaticCondition`, `LogsOutlierCondition`, `MetricsOutlierCondition`, `LogsMissingDataCondition`, or `MetricsMissingDataCondition`.|
+|`NumQueryResults`|The number of results the query returned.|
+|`SloDashboardURL`|The URL to the SLO dashboard.|
+|`TriggerQueryURL`|The URL to the log search for the query that triggered the alert.|
+|`AlertResponseURL`|The URL to the alert page for the corresponding alert ID.|
+|`TriggerCondition`|The condition that triggered the alert.|
+|`TriggerTimeRange`|The time range of the query that triggered the alert.|
+|`ResultsJsonParsed`|The parsed fields from `ResultsJson`.|
+|`AggregateResultsJson`|JSON object containing the query results that triggered the alert, along with aggregate values such as message count.|
+|`customPlaceholderMap`|The parsed fields from `ResultsJson` and the aggregate values returned from the query. The fields specific to the query that triggered the alert can be referenced by using `customPlaceholderMap`. For example, if the result of the query includes a field named `user_name`, this can be referenced by calling `customPlaceholderMap[].user_name`.|
+|`AggregateResultsJsonParsed`|The parsed fields from `AggregateResultsJson`.|
+
+### Alert payload example
+
+```json
+{
+ "Id": "00000000016CCCDD",
+ "Name": "Amazon Guard Duty Brute Force",
+ "Query": "_sourceCategory=Labs/AWS/GuardDuty_V3 | parse \"{\\\"key\\\":\\\"Owner\\\",\\\"value\\\":\\\"*\\\"}\" as owner_key | json field=_raw \"service.action.networkConnectionAction.remotePortDetails.portName\"as port_name | json field=_raw \"service.action.networkConnectionAction.remotePortDetails.port\" as port | json field=_raw \"service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\" as ip_address | json field=_raw \"accountId\", \"region\", \"partition\", \"id\", \"arn\", \"type\",\"service.serviceName\",\"service.detectorId\",\"service.action\",\"severity\",\"title\",\"description\", \"vpcId\", \"subnetId\", \"groupId\" , \"tags\", \"groupName\", \"resource.instanceDetails.instanceId\" as account_id, region, partition, id, arn, type, service_name, detector_id, action, severity, title, description, vpcId, subnetId , securityGroupId, tags, securityGroupName, instanceid nodrop | where type matches \"*BruteForce*\" | count by instanceid, ip_address, port, port_name, owner_key",
+ "QueryURL": "https://live.us2.sumologic.com/ui/index.html#/search/1IzrB2mrW6L7egF1GY3zwnqJW663xPamyh9oe1AcFBanRckiRpXQiuPU2hOngFWnHO9bOLhpZ1GnssHTKtQpcLPBAOBp8wwW9VerT83Fj77k6hXQqMl5lI3tqsPv5bMG",
+ "AlertName": "Amazon GuardDuty Brute Force Finding",
+ "SourceURL": "https://live.us2.sumologic.com/ui/#/alerts/unified-monitors/00000000000007A0?selectedRows=0000000000593B6D",
+ "AlertGroup": "instanceid=i-F56tg45tty5gfgd45",
+ "Description": "",
+ "MonitorType": "Logs",
+ "ResultsJson": "[{\"Count\":1,\"instanceid\":\"i-F56tg45tty5gfgd45\",\"ip_address\":\"78.24.180.93\",\"owner_key\":\"security@lxechip.com\",\"port\":\"22\",\"port_name\":\"SSH\"}]",
+ "TriggerTime": "05/01/2024 02:08:46 PM CDT",
+ "TriggerType": "Critical",
+ "TriggerValue": 1,
+ "Notifications": [
+ {
+ "notification": {
+ "images": [],
+ "subject": "Monitor Alert: {{TriggerType}} on {{AlertName}}",
+ "actionId": -4194941809035894000,
+ "jsonClass": "EmailAction",
+ "ccRecipients": [],
+ "templateName": "Default Unified Monitor Email With Alert Response Variables",
+ "toRecipients": [
+ "example@sumologic.com"
+ ],
+ "bccRecipients": [],
+ "relatedContent": [],
+ "emailBodyMessage": ""
+ },
+ "runForTriggerTypes": [
+ "Critical"
+ ]
+ }
+ ],
+ "NumRawResults": "45",
+ "DetectionMethod": "LogsStaticCondition",
+ "NumQueryResults": "1",
+ "SloDashboardURL": "",
+ "TriggerQueryURL": "https://live.us2.sumologic.com/ui/index.html#/search/1IzrB2mrW6L7egF1GY3zwnqJW663xPamyh9oe1AcFBanRckiRpXQiuPU2hOngFWnHO9bOLhpZ1GnssHTKtQpcLPBAOBp8wwW9VerT83Fj77k6hXQqMl5lI3tqsPv5bMG",
+ "AlertResponseURL": "https://live.us2.sumologic.com/ui/#/alert/00000000016CCCDD",
+ "TriggerCondition": "ResultCount is Greater than 0.0 in the last 1440 minutes",
+ "TriggerTimeRange": "04/30/2024 02:06:46 PM CDT to 05/01/2024 02:06:46 PM CDT",
+ "ResultsJsonParsed": [
+ {
+ "port": "22",
+ "Count": 1,
+ "owner_key": "security@example.com",
+ "port_name": "SSH",
+ "instanceid": "i-F56tg45tty5gfgd45",
+ "ip_address": "78.24.180.93"
+ }
+ ],
+ "AggregateResultsJson": "[{\"Count\":1,\"instanceid\":\"i-F56tg45tty5gfgd45\",\"ip_address\":\"78.24.180.93\",\"owner_key\":\"security@lxechip.com\",\"port\":\"22\",\"port_name\":\"SSH\"}]",
+ "customPlaceholderMap": [
+ {
+ "port": "22",
+ "Count": "1",
+ "_count": "1",
+ "owner_key": "security@example.com",
+ "port_name": "SSH",
+ "instanceid": "i-F56tg45tty5gfgd45",
+ "ip_address": "78.24.180.93"
+ }
+ ],
+ "AggregateResultsJsonParsed": [
+ {
+ "port": "22",
+ "Count": 1,
+ "owner_key": "security@example.com",
+ "port_name": "SSH",
+ "instanceid": "i-F56tg45tty5gfgd45",
+ "ip_address": "78.24.180.93"
+ }
+ ]
+}
+```
+
+## Entity payload
+
+### View an entity payload
+
+1. Open an [entity](/docs/cse/records-signals-entities-insights/view-manage-entities/) that uses playbooks (that is, that has [automations](/docs/cse/automation/automations-in-cloud-siem)).
+1. Click the **Automations** button at the top of the entity details page to view the automations on the entity.
+1. Click **View Playbook** on an automation. The automation's playbook opens in the Automation Service.
+1. To view the playbook's payload, click **>** to the right of the playbook name. The entity payload appears.
+
+### Entity payload variables
+
+| Variable | Description |
+| :-- | :-- |
+| `​​Id` | The unique ID of the [entity](/docs/cse/records-signals-entities-insights/view-manage-entities) whose information is provided in the payload.|
+| ​`name` | The entity’s name. ​|
+| `tags`​ | [Tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules) attached to the entity.​ |
+| `value` | The value of the entity. |
+| `hostname` ​| The hostname of the entity (if the entity is an item that can have a hostname, such as a computer). ​|
+| `lastSeen` ​| When the entity was last seen in a record. ​|
+| `firstSeen` ​| When the entity was first seen in a record. ​|
+| `inventory` ​| The [inventory source](/docs/cse/administration/inventory-sources-and-data/) for the entity (if it originated in an inventory). ​|
+| `entityType` ​| The [type of entity](/docs/cse/records-signals-entities-insights/view-manage-entities/#about-entities). ​|
+| `macAddress` ​| The [medium access control (MAC) address](https://en.wikipedia.org/wiki/MAC_address) assigned to the entity (if the entity is a piece of hardware). ​|
+| `reputation` ​| The reputation score for the entity. ​|
+| `sensorZone` ​| [Sensor zone](/docs/cse/administration/using-sensor-zones/) for the entity. ​|
+| `criticality` | The [criticality](/docs/cse/records-signals-entities-insights/entity-criticality/) of the entity. |
+| `isSuppressed` | Whether the [entity is suppressed](/docs/cse/records-signals-entities-insights/about-signal-suppression/#suppress-by-entity). |
+| `activityScore` | The entity’s [activity score](/docs/cse/get-started-with-cloud-siem/insight-generation-process/#understanding-entity-activity-scores). |
+| `recentSignalSeverity` | The most recent [severity](/docs/cse/get-started-with-cloud-siem/insight-generation-process/#about-insight-severity) of the signal that the entity appeared on. |
+
+### Entity payload example
+
+```json
+{
+ "id": "_ip-198.51.100.0",
+ "name": "198.51.100.0",
+ "tags": [],
+ "value": "198.51.100.0",
+ "hostname": null,
+ "lastSeen": "2024-08-30T13:36:18",
+ "firstSeen": null,
+ "inventory": [],
+ "entityType": "_ip",
+ "macAddress": null,
+ "reputation": null,
+ "sensorZone": null,
+ "criticality": null,
+ "isSuppressed": false,
+ "activityScore": 12,
+ "recentSignalSeverity": 12
+}
+```
+
+## Insight payload
+
+### View an Insight payload
+
+1. Open an [Insight](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/) that uses playbooks (that is, that has [automations](/docs/cse/automation/automations-in-cloud-siem)).
+1. Click the **Automations** button at the top of the Insight details page to view the automations on the Insight.
+1. Click **View Playbook** on an automation. The automation's playbook opens in the Automation Service.
+1. To view the playbook's payload, click **>** to the right of the playbook name. The Insight payload appears.
+
+### Insight payload variables
+
+| Variable | Description |
+| :-- | :-- |
+| `​​id` | The unique ID of the [Insight](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/#insight-details-page) whose information is provided in the payload.
+| `name` | The name of the Insight. |
+| `tags` | [Tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules) attached to the Insight. |
+| `orgId` | The ID of the Sumo Logic organization where the Insight originated. |
+| `closed` | Whether the Insight is closed. |
+| `entity` | The [entity](/docs/cse/records-signals-entities-insights/view-manage-entities) the Insight fired on. |
+| `source` | The source of the Insight data. |
+| `status` | The current status of the Insight. |
+| `created` | When the Insight was created. |
+| `signals` | The Signals in the Insight. |
+| `assignee` | The analyst assigned to the incident. |
+| `closedBy` | The analyst who closed the Insight (if it’s status is closed). |
+| `severity` | The [severity](/docs/cse/get-started-with-cloud-siem/insight-generation-process/#about-insight-severity) of the Insight. |
+| `timestamp` | The timestamp when the Insight fired. |
+| `assignedTo` | The analyst assigned to the incident. |
+| `confidence` | If sufficient data is available, a [Global Confidence score](/docs/cse/records-signals-entities-insights/global-intelligence-security-insights/) for the Insight is shown. |
+| `readableId` | The human-readable ID of the Insight. |
+| `resolution` | The [resolution](/docs/cse/administration/manage-custom-insight-resolutions/) of the Insight (if the Insight is resolved). |
+| `description` | A description of the Insight. |
+| `lastUpdated` | When the Insight was last updated. |
+| `lastUpdatedBy` | The analyst who last updated the Insight. |
+| `subResolution` | The [sub-resolution](/docs/cse/administration/manage-custom-insight-resolutions/) of the Insight (if the Insight is resolved and if a sub-resolution is applied). |
+| `teamAssignedto` | The team the Insight is assigned to. |
+| `timeToResponse` | The time it took to respond to the Insight. |
+| `timeToDetection` | The time it took to detect the Insight. |
+| `involvedEntities` | The entities involved in the Insight. |
+| `timeToRemediation` | The time it took to resolve the Insight. |
+
+### Insight payload example
+
+```json
+{
+ "id": "8e965194-f2da-36e0-839d-c2bacffca684",
+ "name": "Unspecified Malicious Activity",
+ "tags": [
+ "custom-tag",
+ "dataComponent:File",
+ "foo",
+ "MITRE_Expansion_C2",
+ "testtag"
+ ],
+ "orgId": "0000000006ACDE44",
+ "closed": null,
+ "entity": {
+ "id": "_ip-192.0.2.0",
+ "name": "192.0.2.0",
+ "value": "192.0.2.0",
+ "hostname": null,
+ "entityType": "_ip",
+ "macAddress": null,
+ "sensorZone": ""
+ },
+ "source": "ALGORITHM",
+ "status": {
+ "name": "new",
+ "displayName": "New"
+ },
+ "created": "2024-09-05T20:25:59.673356",
+ "signals": [
+ {
+ "id": "d02c5f27-5925-54a0-b0dd-0fee9ee2de2d",
+ "name": "CrowdStrike Aggregation Rule test signal",
+ "tags": [],
+ "stage": "Unknown/Other",
+ "entity": {
+ "id": "_ip-192.0.2.0",
+ "name": "192.0.2.0",
+ "value": "192.0.2.0",
+ "hostname": null,
+ "entityType": "_ip",
+ "macAddress": null,
+ "sensorZone": ""
+ },
+ "ruleId": "AGGREGATION-U07128",
+ "created": "2024-09-05T20:20:51.904000",
+ "severity": 4,
+ "artifacts": [],
+ "timestamp": "2024-09-05T20:20:51.904000",
+ "contentType": "RULE",
+ "description": "test description",
+ "recordCount": 1,
+ "recordTypes": [],
+ "recordSearchDetails": {
+ "query": "_index=sec_record_* | where (if (isNull(metadata_vendor), true, metadata_vendor != \"CrowdStrike\") and if (isNull(objectType), true, objectType != \"email\") and if (isNull(srcDevice_ip), false, srcDevice_ip == \"192.0.2.0\"))",
+ "queryEndTime": "2024-09-05T20:24:00",
+ "queryStartTime": "2024-09-05T19:24:00"
+ }
+ },
+ {
+ "id": "34b173fe-792b-55b0-8723-808ded9547ce",
+ "name": "Exclude CrowdStrike and Email Chain Rule",
+ "tags": [
+ "custom-tag",
+ "foo",
+ "testtag"
+ ],
+ "stage": "Unknown/Other",
+ "entity": {
+ "id": "_ip-192.0.2.0",
+ "name": "192.0.2.0",
+ "value": "192.0.2.0",
+ "hostname": null,
+ "entityType": "_ip",
+ "macAddress": null,
+ "sensorZone": ""
+ },
+ "ruleId": "CHAIN-U07162",
+ "created": "2024-09-05T20:20:51.904000",
+ "severity": 4,
+ "artifacts": [],
+ "timestamp": "2024-09-05T20:20:51.904000",
+ "contentType": "RULE",
+ "description": "chain rule test description",
+ "recordCount": 1,
+ "recordTypes": [],
+ "recordSearchDetails": {
+ "query": "_index=sec_record_* | where ((if (isNull(metadata_vendor), true, metadata_vendor != \"CrowdStrike\") or if (isNull(objectType), true, objectType != \"email\")) and if (isNull(srcDevice_ip), false, srcDevice_ip == \"192.0.2.0\"))",
+ "queryEndTime": "2024-09-05T20:24:00",
+ "queryStartTime": "2024-09-05T19:24:00"
+ }
+ },
+ {
+ "id": "f7ee1ba7-fb69-51e3-8cbe-a7673e237dfe",
+ "name": "CrowdStrike First Seen Rule test signal",
+ "tags": [
+ "testtag",
+ "foo",
+ "custom-tag"
+ ],
+ "stage": "Unknown/Other",
+ "entity": {
+ "id": "_ip-192.0.2.0",
+ "name": "192.0.2.0",
+ "value": "192.0.2.0",
+ "hostname": null,
+ "entityType": "_ip",
+ "macAddress": null,
+ "sensorZone": ""
+ },
+ "ruleId": "FIRST-U00161",
+ "created": "2024-09-05T20:20:51.904000",
+ "severity": 4,
+ "artifacts": [],
+ "timestamp": "2024-09-05T20:20:51.904000",
+ "contentType": "ANOMALY",
+ "description": "test description",
+ "recordCount": 1,
+ "recordTypes": [],
+ "recordSearchDetails": null
+ },
+ {
+ "id": "5f0db81c-c11a-5b13-b2e0-8a25de6ba376",
+ "name": "Exclude CrowdStrike and Email Threshold Rule test",
+ "tags": [
+ "MITRE_Expansion_C2",
+ "testtag",
+ "dataComponent:File"
+ ],
+ "stage": "Unknown/Other",
+ "entity": {
+ "id": "_ip-192.0.2.0",
+ "name": "192.0.2.0",
+ "value": "192.0.2.0",
+ "hostname": null,
+ "entityType": "_ip",
+ "macAddress": null,
+ "sensorZone": ""
+ },
+ "ruleId": "THRESHOLD-U07169",
+ "created": "2024-09-05T20:25:51.043000",
+ "severity": 4,
+ "artifacts": [],
+ "timestamp": "2024-09-05T20:25:51.043000",
+ "contentType": "RULE",
+ "description": "Test Threshold rule",
+ "recordCount": 1,
+ "recordTypes": [],
+ "recordSearchDetails": {
+ "query": "_index=sec_record_* | where (if (isNull(metadata_vendor), true, metadata_vendor != \"CrowdStrike\") and if (isNull(objectType), true, objectType != \"email\") and if (isNull(srcDevice_ip), false, srcDevice_ip == \"192.0.2.0\"))",
+ "queryEndTime": "2024-09-05T21:36:00",
+ "queryStartTime": "2024-09-05T09:36:00"
+ }
+ }
+ ],
+ "assignee": null,
+ "closedBy": null,
+ "severity": "HIGH",
+ "timestamp": "2024-09-05T20:25:51.043000",
+ "assignedTo": null,
+ "confidence": null,
+ "readableId": "INSIGHT-637",
+ "resolution": null,
+ "description": "Unknown/Other",
+ "lastUpdated": "2024-09-05T20:25:59.673351",
+ "lastUpdatedBy": null,
+ "subResolution": null,
+ "teamAssignedTo": null,
+ "timeToResponse": null,
+ "timeToDetection": 307.769356,
+ "involvedEntities": [
+ {
+ "id": "_ip-192.0.2.0",
+ "name": "192.0.2.0",
+ "value": "192.0.2.0",
+ "hostname": null,
+ "entityType": "_ip",
+ "macAddress": null,
+ "sensorZone": null
+ },
+ {
+ "id": "_username-pete@tclab.us",
+ "name": "pete@tclab.us",
+ "value": "pete@tclab.us",
+ "hostname": null,
+ "entityType": "_username",
+ "macAddress": null,
+ "sensorZone": null
+ },
+ {
+ "id": "_username-key--d2b90316--a1d3--492d--beb5--308184ab4973 (Sumo Logic API client (read only))",
+ "name": "key-d2b90316-a1d3-492d-beb5-308184ab4973 (Sumo Logic API client (read only))",
+ "value": "key-d2b90316-a1d3-492d-beb5-308184ab4973 (Sumo Logic API client (read only))",
+ "hostname": null,
+ "entityType": "_username",
+ "macAddress": null,
+ "sensorZone": null
+ }
+ ],
+ "timeToRemediation": null
+}
+```
diff --git a/docs/platform-services/automation-service/playbooks/troubleshoot-playbooks.md b/docs/platform-services/automation-service/playbooks/troubleshoot-playbooks.md
new file mode 100644
index 0000000000..ede8332a17
--- /dev/null
+++ b/docs/platform-services/automation-service/playbooks/troubleshoot-playbooks.md
@@ -0,0 +1,107 @@
+---
+id: troubleshoot-playbooks
+title: Troubleshoot Playbooks
+sidebar_label: Troubleshoot Playbooks
+description: Learn how to test playbooks and troubleshoot playbook problems.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+You can run playbooks in automations for [monitors](/docs/alerts/monitors/use-playbooks-with-monitors/), [Cloud SIEM](/docs/cse/automation/automations-in-cloud-siem/), or [Cloud SOAR](/docs/cloud-soar/automation/). If a playbook has a problem when it runs in an automation, an error message often displays in the playbook providing information about the problem.
+
+:::tip
+To test a playbook before using it in an automation, see [Test a playbook](/docs/platform-services/automation-service/playbooks/troubleshoot-playbooks/#test-a-playbook).
+:::
+
+## Test nodes in a playbook
+
+The playbook **Test Node** toggle lets you test individual nodes of a playbook without needing to complete the entire flow. Testing individual nodes helps you improve your playbooks' reliability and shorten configuration time. You can provide mock values for variables used in the node, and run the results to see the output and any errors. The results provide informative messages to help you troubleshoot problems.
+
+When you test nodes, keep in mind:
+* You can test action, condition, user choice, and task nodes. You cannot test filter or nested playbook nodes.
+* A single-node test does not execute downstream nodes. Only the selected node runs using the provided input. You cannot view the previous or past test node run executions.
+* Invalid JSON or missing required fields will block the test and show an error in the **Output** panel.
+* Before you can test a node, any node configuration changes need to be saved to the playbook draft. When you test a node, clicking **SAVE & RUN TEST** saves the node configuration to the same draft before executing.
+* Testing nodes counts against your [action limit](/docs/platform-services/automation-service/about-automation-service/#actions-limit) quota.
+
+To test a node:
+1. Select a playbook.
+1. Click the **Edit** button at the bottom of the screen to make a draft of the playbook.
+1. Click the **Edit** button on a node.
+1. Click the **Test Node** toggle at the top of the **Edit Node** dialog. An **Input** panel appears to the left, and an **Output** panel appears to the right.
+1. In the **Input** panel, enter variables to test the node. When you click **SAVE & RUN TEST**, results of the test appear in the **Output** panel.Ensure that you enter valid variables for the kind of inputs you need to test. Following are examples with different node types: + * **Action**
In the following example that uses input from insights, we provide an insight ID. The output shows the result of the action.
+ * **Condition**In the following example that uses input from reputation vendors, we provide reputation scores. The output shows the result of the condition.
+ * **User choice**In the following example that uses user input data, we provide an email address. The output provides the resulting user choice. Click the user choice options to test whether they work as expected.
+ * **Task**In the following example that uses incident input data, we provide a mock template name. The output provides the resulting task. Click the task options to test whether they work as expected.
+1. Examine the results in the **Output** panel and take any action needed to troubleshoot node operation:
+ * Click the information button to see information on the test run:
+ * Click the **JSON details** button to see the JSON output:
+1. Continue testing the node and making changes as needed in the node's configuration. When done, click **Save**.
+1. Test each node in your playbook that has the **Test Node** button (action, condition, user choice, and task). In each node, enter variables in the **Input** panel and examine the results in the **Output** panel to ensure the node works correctly.
+
+After you're done testing individual nodes, test the entire playbook to ensure it runs end-to-end (see [Test a playbook](#test-a-playbook)).
+
+## Test a playbook
+
+You can test a playbook to verify that it works properly. The test results show the outcome as if the playbook actually ran.
+
+1. Select a playbook.
+1. Click the kebab button in the upper-right corner of the UI.
+1. Select **Run Test**.
+1. In the **Test playbook** dialog, enter the requested information and click **Run**.
+1. The results of the test are displayed in a new window labeled with the playbook name and **(RUN TEST)**.
+1. Click the clock icon in the upper-right corner to see the testing history. Select **Latest actions** to see test results for all the actions on the playbook, or select items on the list to see results for individual actions.
+
+## Open playbooks that require investigation
+
+### Open a playbook from an alert
+
+1. Access the [alert list](/docs/alerts/monitors/alert-response/#alert-list).
+1. Open an alert that uses a playbook.
+1. On the alert details page, click the **Playbooks** button to see [automated playbooks](/docs/alerts/monitors/use-playbooks-with-monitors/#view-automated-playbooks-for-an-alert) attached to the alert.
+1. Hover your mouse over the icon to the right of the playbook to see its status. In the example above, the playbook completed with errors.
+1. To investigate the problem, click the playbook name. The playbook opens in the Automation Service and any issues display in the results section.
+
+Proceed to [Investigate playbook problems](#investigate-playbook-problems) below to look into playbook problems.
+
+### Open a playbook from Cloud SIEM
+
+1. Open an [Insight](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/) or [Entity](/docs/cse/records-signals-entities-insights/view-manage-entities/) that uses playbooks (that is, that has [automations](/docs/cse/automation/automations-in-cloud-siem)).
+1. Click the **Automations** button at the top of the page to view the automations on the Insight or Entity.
+1. Click **View Playbook** for a playbook you want to investigate. In the example above, the playbook we want to investigate completed with errors. The playbook opens in the Automation Service, and the issues display in the results section.
+
+Proceed to [Investigate playbook problems](#investigate-playbook-problems) below to look into playbook problems.
+
+### Open a playbook from Cloud SOAR
+
+1. Open an [Incident](/docs/cloud-soar/incidents-triage/#incidents).
+1. On the [incident details](/docs/cloud-soar/incidents-triage/#incident-details) page, select **Operations > Playbooks**. Playbooks appear that have run for the incident.
+1. Click **Graph View** in the upper-right and click **>** to page through the playbooks.
+1. Click a node on the playbook that displays an error.
+
+Proceed to [Investigate playbook problems](#investigate-playbook-problems) below to look into playbook problems.
+
+## Investigate playbook problems
+
+After you have [opened a playbook that requires investigation](/docs/platform-services/automation-service/playbooks/troubleshoot-playbooks/#open-playbooks-that-require-investigation), follow the steps below to investigate problems with the playbook.
+
+1. The **Filtered Results** section shows the status of actions that ran on the playbook. The example below shows two failed actions that require investigation.
+1. Click an action for an explanation of the problem.
+1. For more detailed information about the action, click the **Graph View** in the upper right and then click on the action. A pane opens that displays more information about the action.
+1. Sometimes the playbook's payload will provide more information about why an action has a problem. To view the playbook's payload, click **>** to the right of the playbook name.
+1. Examine the [playbook payload](/docs/platform-services/automation-service/playbooks/playbook-payloads/) for information that might help you resolve the problem. For example, the payload may be able to tell you if a field has not been properly passed from a previous action, or a field was unintentionally left blank that the action requires.
+1. Based on what you uncover during investigation, you may need to make changes to the playbook and then [test the playbook](#test-a-playbook) to ensure it works correctly.
+
+## Common playbook problems
+
+Following are some common problems that can occur with playbooks:
+* **No response from the bridge**The [automation bridge](/docs/platform-services/automation-service/automation-service-bridge/) is offline, or the bridge does not have the egress firewall settings to handle the outbound request. +* **API rate limiting issues**
The vendor has capped the number of requests that can be made to their API in a certain time frame. +* **HTTPS connection pool issues**
There are no available connections at the vendor, usually indicative of a vendor API health issue. +* **A required field is empty that the action is looking for**
A field has not been properly passed from a previous action, or a field was unintentionally left blank that the action requires. +* **Permission denied**
The API key is incorrect on the [integration resource](/docs/platform-services/automation-service/about-automation-service/#configure-the-connection-for-an-integration-resource), or the account running the playbook has invalid credentials or insufficient permissions. +* **You have exceeded the actions limit**
The number of actions that your organization can run per hour is limited to a certain threshold. Any actions that are launched beyond this [actions limit](/docs/platform-services/automation-service/about-automation-service/#actions-limit) will not run. You might exceed the limit if: + * There are alert surges.
+ * The playbook is not optimized properly and actions are stuck in a loop. + * There are Cartesian flag issues (too many nested elements to process as part of the returned API result). diff --git a/docs/reuse/cartesian-product.md b/docs/reuse/cartesian-product.md index 420dd34270..817f7d3106 100644 --- a/docs/reuse/cartesian-product.md +++ b/docs/reuse/cartesian-product.md @@ -1 +1 @@ -Use the **Cartesian product** checkbox with caution. In most cases, you should deselect this checkbox. For more information, see [Cartesian product](/docs/platform-services/automation-service/automation-service-playbooks/#cartesian-product). \ No newline at end of file +Use the **Cartesian product** checkbox with caution. In most cases, you should deselect this checkbox. For more information, see [Cartesian product](/docs/platform-services/automation-service/playbooks/arrays-in-playbooks/#cartesian-product). \ No newline at end of file diff --git a/sidebars.ts b/sidebars.ts index 881b2b0e32..5b5d1ad240 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -3227,7 +3227,19 @@ integrations: [ } ], }, - 'platform-services/automation-service/automation-service-playbooks', + { + type: 'category', + label: 'Playbooks', + collapsible: true, + collapsed: true, + link: {type: 'doc', id: 'platform-services/automation-service/playbooks/index'}, + items: [ + 'platform-services/automation-service/playbooks/create-playbooks', + 'platform-services/automation-service/playbooks/playbook-payloads', + 'platform-services/automation-service/playbooks/arrays-in-playbooks', + 'platform-services/automation-service/playbooks/troubleshoot-playbooks', + ], + }, 'platform-services/automation-service/automation-service-integrations', 'platform-services/automation-service/automation-service-audit-logging', 'platform-services/automation-service/automation-service-bridge',