Security Orchestration (SOAR)

Playbooks

SIEM playbooks are used to automate and standardize responses to security-related events. They define repeatable processes that can be used to efficiently evaluate, prioritize, and handle alerts. Playbooks help you to handle incidents consistently in accordance with defined guidelines. The automation options enable you to increase both your response speed and the quality of your responses.

You can access the overview via SIEM – Security Orchestration (SOAR) – Playbooks.

Here you will find an overview of all created playbooks. To delete one or more entries, click the checkbox next to an entry to select it. Then click the “Delete” button at the top right of the screen.

Add Playbooks

To create a new playbook, click on “+Add playbook” in the upper right corner. This will take you to the start screen of the Playbook Builder.

  1. Assign a name and a short description right away so you can quickly identify your playbook later.

  2. Create your playbook by following the steps described in the following section.

  3. Finally, save your playbook. To do this, click on the “Add Playbook” button.

Entry point

The starting point of a playbook is a triggered workflow, i.e., a specific event. You can find out how to create a workflow here.

To select a starting point for your playbook, click on the “Select Trigger” button. The following window will now open:

Workflow

  1. Select the Workflow option from the start object.

  2. Under Workflow, enter the name of the workflow you have selected or click in the field to select the appropriate entry from the drop-down list.

To change an already defined starting point, click on the edit icon next to the field and proceed as described above.

Context

Context defines the framework for the rest of the playbook. Here you can specify primary and secondary fields. These are used to define relevant fields for further processing within the playbook.

  1. Drag and drop a context node onto the editing area.

  2. Link this to the starting point. To do this, move your mouse over the pulsating dot at the top of the context node. The cursor will then change to a cross. Now drag the cursor to the starting point while holding it down. If you connect it to the right point of the starting point, you define the procedure for a successful workflow. If you connect it to the left point, you define the procedure in the event of a failed workflow.

  3. Select the edit icon that appears next to the context node when you hover over it with the cursor. The following window will open:

  4. Now click on the “+Add variable” button.

  5. Field Name: Enter a field under “Field name” or click on the field to select the appropriate entry from the drop-down list.

  6. Variable Name: Assign a unique variable name.

  7. Now define whether the field should be created as a primary or secondary field.

    1. Primary Variable: Primary variables are used to summarize logs with the same values in these fields. This minimizes the amount of data and prepares the relevant data for targeted further processing.

    2. Secondary Variable: Secondary variables are NOT used to summarize the logs. They are merely appended to the primary fields as additional information.

  8. After successfully defining your variable, add it to your context node by clicking “Apply.”

  9. Repeat steps 4-8 until all fields relevant to you have been filled in.

  10. Complete the definition of your context by clicking “Apply.”

To change an already defined context, click on the edit icon next to the field and proceed as described above. You also have the option to copy or delete the context node.

After grouping by the context node, you can then define how each data grouping can be further processed.
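The grouping a context node performs can be made concrete with a small Python model. This is an added example, not code from the product: the log records, the field names (src_ip, event, host, user) and the context definition are constructed here for illustration. Records that share the same values in all primary variables collapse into one group, and the secondary variables are collected onto that group as additional information without influencing the grouping.

```python
# Added example (not product code): how a context node groups logs by primary
# variables and appends secondary variables as extra information.

# Constructed sample log records; field names are assumptions for this example.
SAMPLE_LOGS = [
    {"src_ip": "10.0.0.5", "user": "alice", "event": "login_failed", "host": "web01"},
    {"src_ip": "10.0.0.5", "user": "alice", "event": "login_failed", "host": "web02"},
    {"src_ip": "10.0.0.9", "user": "bob",   "event": "login_failed", "host": "web01"},
    {"src_ip": "10.0.0.5", "user": "alice", "event": "login_ok",     "host": "web01"},
]

# Context definition as entered in the node: (field name, variable name, kind).
CONTEXT = [
    ("src_ip", "source", "primary"),
    ("event",  "action", "primary"),
    ("host",   "hosts",  "secondary"),
    ("user",   "users",  "secondary"),
]


def group_by_context(logs, context):
    """Group logs by the primary variables; attach secondary values to each group."""
    primary = [(f, v) for f, v, kind in context if kind == "primary"]
    secondary = [(f, v) for f, v, kind in context if kind == "secondary"]
    groups = {}
    for log in logs:
        # The grouping key is the tuple of all primary field values.
        key = tuple(log.get(f) for f, _ in primary)
        group = groups.setdefault(key, {
            **{v: log.get(f) for f, v in primary},
            **{v: [] for _, v in secondary},
            "count": 0,
        })
        group["count"] += 1
        # Secondary variables never split a group; distinct values are just listed.
        for f, v in secondary:
            value = log.get(f)
            if value is not None and value not in group[v]:
                group[v].append(value)
    return list(groups.values())


if __name__ == "__main__":
    for g in group_by_context(SAMPLE_LOGS, CONTEXT):
        print(g)
```

With the sample input the four records become three groups: two failed logins from 10.0.0.5 are summarized into one group (count 2, hosts web01 and web02), while the successful login from the same address forms its own group because the primary variable "action" differs.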

Data Manipulation - Filter

Use the Filter Node if you want to further reduce the collected data to relevant values. Add as many conditions as you like and create targeted data aggregation.

  1. Drag and drop a filter node onto the editing area.

  2. Link it to a Data Manipulation or Actions node.

  3. Select the edit icon that appears next to the filter node when you hover over it with the cursor. The following window will open:

  4. Add a condition to your filter by clicking on “+Requirement.”

  5. Context Variable: Under “Context Variable,” select one of the variables previously defined in the Context Node.

  6. Operator: Then select one of the following options under “Operator”:

    1. Equal: All data corresponding to the value defined below will be taken into account.

    2. Unequal: All data that does not correspond to the value defined below will be taken into account.

    3. Regular Expression: All data that matches the specified search pattern (RegEx) is taken into account. This allows complex patterns and substrings to be matched, e.g., multiple spellings or text fragments.

  7. Requirements: Add one or more conditions to your filter by clicking on “+Condition.” You can combine conditions using “And” or “Or”:

    1. And: All data must meet the relevant conditions in order to be retained.

    2. Or: The data must meet at least one of the conditions in order to be retained.

  8. Sub Requirements: By clicking on “+Sub Requirement,” conditions can be expanded with additional subconditions. Proceed as described in steps 5-7.

  9. Complete the configuration of your filter by clicking on “Apply.”

Data Manipulation - Decision

Use the Decision Node if you want to control different paths in the process based on conditions. Define If and If-Else branches and secure the process with an Else fallback.

  1. Drag and drop a Decision Node onto the editing area.

  2. Link it to an existing node.

  3. Select the edit icon that appears next to the decision node when you hover over it with the cursor. The following window will open:

  4. Create new rules by clicking on “+Add Decision”.

  5. Assign a unique name to your condition.

  6. Context Variable: Under “Context Variable,” select one of the variables previously defined in the Context Node.

  7. Operator: Then select one of the following options under “Operator”:

    1. Equal: All data corresponding to the value defined below will be taken into account.

    2. Unequal: All data that does not correspond to the value defined below will be taken into account.

    3. Regular Expression: All data that matches the specified search pattern (RegEx) is taken into account. This allows complex patterns and substrings to be matched, e.g., multiple spellings or text fragments.

  8. Requirement: Add one or more conditions to your decision by clicking on “+Requirement.” You can combine conditions with “And” or “Or”:

    1. And: All data must meet the relevant conditions in order to be retained.

    2. Or: The data must meet at least one of the conditions in order to be retained.

  9. Sub Requirement: By clicking on “+Sub Requirement,” conditions can be expanded with additional subconditions. Proceed as described in steps 5-7.

  10. Complete the configuration of your decision by clicking on “Apply.”
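The Filter node and the Decision node share the same condition model (Equal, Unequal, Regular Expression, combined with And/Or and nested sub-requirements), so one added Python example serves both sections. It is not product code: the requirement tree layout (dicts with "combine"/"requirements" or "variable"/"operator"/"value"), the sample context groups and the decision names are assumptions made here. The filter keeps the groups that satisfy the tree; the decision routes each group to the first rule whose tree matches (If / If-Else) and otherwise to the Else fallback.

```python
# Added example (not product code): evaluating filter and decision conditions
# over context groups. Values are compared as strings, as the builder's text
# fields suggest (assumption).
import re

# Constructed context groups, as a context node might produce them.
SAMPLE_GROUPS = [
    {"source": "10.0.0.5",    "action": "login_failed", "count": 2,  "users": "alice"},
    {"source": "10.0.0.9",    "action": "login_failed", "count": 1,  "users": "bob"},
    {"source": "203.0.113.7", "action": "login_failed", "count": 40, "users": "svc"},
    {"source": "10.0.0.5",    "action": "login_ok",     "count": 1,  "users": "alice"},
]


def evaluate(requirement, group):
    """Evaluate a requirement tree against one group.

    A leaf is {"variable": ..., "operator": "equal"|"unequal"|"regex", "value": ...};
    a combination is {"combine": "and"|"or", "requirements": [...]} and models the
    builder's "+Requirement" / "+Sub Requirement" nesting (assumed layout).
    """
    if "combine" in requirement:
        results = (evaluate(r, group) for r in requirement["requirements"])
        return all(results) if requirement["combine"] == "and" else any(results)
    actual = group.get(requirement["variable"])
    actual = "" if actual is None else str(actual)
    expected = str(requirement["value"])
    op = requirement["operator"]
    if op == "equal":
        return actual == expected
    if op == "unequal":
        return actual != expected
    if op == "regex":
        # re.search gives substring semantics; anchor with ^...$ for whole-value matches.
        return re.search(expected, actual) is not None
    raise ValueError(f"unknown operator: {op}")


def filter_groups(requirement, groups):
    """Filter node: keep only the groups that satisfy the requirement tree."""
    return [g for g in groups if evaluate(requirement, g)]


def decide(decisions, group, fallback="else"):
    """Decision node: first matching rule wins (If / If-Else), else the fallback."""
    for name, requirement in decisions:
        if evaluate(requirement, group):
            return name
    return fallback


# Filter: failed logins from the internal 10.0.0.0/24 range (constructed rule).
FILTER_RULE = {"combine": "and", "requirements": [
    {"variable": "action", "operator": "equal", "value": "login_failed"},
    {"variable": "source", "operator": "regex", "value": r"^10\.0\.0\."},
]}

# Decision: route by origin and volume (constructed rules and names).
DECISIONS = [
    ("internal_failed_logins", {"combine": "and", "requirements": [
        {"variable": "action", "operator": "equal", "value": "login_failed"},
        {"variable": "source", "operator": "regex", "value": r"^10\."},
    ]}),
    ("external_failed_logins", {"combine": "and", "requirements": [
        {"variable": "action", "operator": "equal", "value": "login_failed"},
        {"variable": "count",  "operator": "regex", "value": r"^\d{2,}$"},
    ]}),
]


if __name__ == "__main__":
    print([g["source"] for g in filter_groups(FILTER_RULE, SAMPLE_GROUPS)])
    for g in SAMPLE_GROUPS:
        print(g["source"], g["action"], "->", decide(DECISIONS, g))
```

Because the first matching rule wins, rule order in a decision node matters: a broad rule placed first will shadow a more specific one placed after it, and anything no rule covers ends up on the Else path.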

Actions - Action

Use the Action Node to automatically perform a defined action when certain conditions are met, such as sending a webhook or a notification.

  1. Drag and drop an action node onto the editing area.

  2. Link it to an existing node.

  3. Select the edit icon that appears next to the action node when you hover over it with the cursor. The following window will open:

  4. Select the desired action (e.g., webhook) in the upper section.

  5. Under “Method,” you specify which HTTP method is used. The following options are available:

    1. Get: Retrieves data from the specified URL.

    2. Post: Sends data to the URL (e.g., to create new resources).

    3. Put: Completely overwrites existing data at the URL.

    4. Patch: Partially updates existing data.

    5. Delete: Deletes data at the specified URL.

  6. Under “Base URL,” enter the address of the destination to which the action should be performed or the data sent.

  7. Use “+Add HTTP header” to define a new HTTP header. These allow you to pass important additional information to the recipient of your request. Create as many headers as you like by clicking on the button.

  8. Enter the name of your header under “Name” and its content under “Value.”

  9. Under “Request body,” you can now enter the content of the request. Using drag and drop, you can integrate the placeholders from the Body variables area into your text.

  10. Save your configuration by clicking on “Apply.”
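To show what the webhook action assembles from the fields above (method, base URL, headers, request body with body-variable placeholders), here is an added Python example; it is not the product's code. The `{{name}}` placeholder syntax, the body template, the header name and the destination URL are assumptions constructed for the example. The request is only built, not sent, so it runs offline. The point a practitioner should take from it is that values substituted into a JSON body must be JSON-escaped, otherwise a value containing quotes (such as a user-supplied string from the log) breaks the body or changes its structure; the example therefore escapes every substituted value and verifies the rendered body still parses.

```python
# Added example (not product code): building a webhook request from an action
# node's configuration, with safe substitution of body variables.
import json
import re
import urllib.request

# Assumed placeholder syntax for body variables.
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# Constructed body template; the field names are assumptions.
WEBHOOK_BODY_TEMPLATE = '{"source": "{{source}}", "note": "{{note}}"}'


def json_escape(value):
    """Return the JSON string encoding of value without the surrounding quotes."""
    return json.dumps(value)[1:-1]


def render(template, variables, escape=lambda s: s):
    """Replace {{name}} placeholders. Unknown names raise rather than leaking the
    raw placeholder text into an outbound request (fail closed)."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unknown body variable: {name}")
        return escape(str(variables[name]))
    return PLACEHOLDER.sub(substitute, template)


def build_webhook_request(method, base_url, headers, body_template, variables):
    """Assemble an HTTP request as the action node's fields describe it (not sent)."""
    body = render(body_template, variables, escape=json_escape)
    json.loads(body)  # fail fast if the rendered body is not valid JSON
    request = urllib.request.Request(
        base_url, data=body.encode("utf-8"), method=method.upper())
    for name, value in headers.items():
        request.add_header(name, value)
    request.add_header("Content-Type", "application/json")
    return request


def parsed_body(request):
    """Decode the JSON body of a built request (helper for inspection)."""
    return json.loads(request.data)


if __name__ == "__main__":
    req = build_webhook_request(
        "post",
        "https://hooks.example.invalid/siem",          # constructed destination
        {"X-Playbook": "failed-logins"},               # constructed header
        WEBHOOK_BODY_TEMPLATE,
        {"source": "10.0.0.5", "note": 'alice said "hi"'},
    )
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Note that `urllib.request.Request` normalizes header names when storing them, so a header added as `X-Playbook` is read back with `get_header("X-playbook")`.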

Actions - LLM

  1. Drag and drop an LLM node onto the editing area.

  2. Link it to an existing node.

  3. Select the edit icon that appears next to the LLM node when you hover over it with the cursor. The following window will open:

  4. Under “LLM Provider,” select one of the providers previously added under Security Orchestration (SOAR) – LLM Provider. You can find out how to create an LLM provider here.

  5. Select the action to be performed by the LLM below. The following options are available:

    1. Summary Use this category to automatically summarize log data in a context-sensitive manner. All relevant information is provided to the LLM in the background.

    2. Decision Select this category if you want the LLM to make a decision based on defined specifications. You can specify the possible options yourself in the lower section.

    3. Custom This category allows you to freely formulate your own questions or problems and have them answered by the LLM.

Then follow the instructions for the selected procedure:

Summary

  1. Under “Additional Prompt,” you have the option to further customize your summary. To do so, provide your LLM with additional instructions.

  2. Activating “Show chain-of-thought” allows you to follow the steps and decision-making processes of the LLM.

  3. Enable “Enable tool calling” to allow your LLM to use external references (web search, databases, etc.).

Decision

  1. Provide your LLM with additional input under “additional prompt.”

  2. Activating “Show chain-of-thought” allows you to follow the steps and decision-making processes of the LLM.

  3. Enable “Enable tool calling” to allow your LLM to use external references (web search, databases, etc.).

  4. Create as many decisions as you like by clicking on “+Add Decision.” Under “Decisions,” use the LLM to define applicable consequences based on decision criteria.

  5. Under “Label,” assign a clear name to the decision path.

  6. Under “Decision criterion,” enter a prompt based on which the LLM makes decisions.

  7. Under “Advanced settings,” enter a “timeout” after which the default action will be triggered automatically.

  8. Complete the configuration of your decision by clicking on “Apply.”

Custom

  1. Under “Prompt,” write possible questions or problem statements that your LLM can answer based on the incoming data.

  2. Activating “Show chain-of-thought” allows you to follow the steps and decision-making processes of the LLM.

  3. Enable “Enable tool calling” to allow your LLM to use external references (web search, databases, etc.).

Actions - Notifications

  1. Drag and drop an action node onto the editing area.

  2. Link it to an existing node.

  3. Select the edit icon that appears next to the action node when you hover over it with the cursor. The following window will open:

  4. Enter a short, concise text in the “Subject” field, which will appear in the subject line of the email.

  5. Write the content of your notification under “Body.” By calling up the “Minimal Template,” you can add a table with the available variables and their values to the body of your email. You can also use the placeholders under “Body Variables” from the field to the right of “Subject” and “Body.” Integrate these into your email using drag and drop. Clicking on “Preview” allows you to preview the body.

  6. Under “Interaction,” click “+Add interaction.” Here you can create interactive elements.

  7. Under “Interactions,” you can add interactive elements. Click on “+ Add Interaction” to create a new interaction. Each interaction allows you to respond to the notification with predefined actions.

  8. The “Default Action” field contains the action that is automatically performed if no user interaction occurs within the time specified under “Time to interact” (in seconds).

  9. In the Actions section, you can define the possible user actions. Click on “+ Add Interaction” to add buttons that the recipient can use to respond to the notification.

    1. Label: Button label (e.g., Confirm, Reject).

    2. Type: Determine the type of button (Primary, Primary Outlined, or Regular).

  10. Finally, specify one or more “notification channels.” Under “Message recipients,” add contacts who should be informed accordingly.

  11. Save your configuration by clicking on “Apply.”
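The two notification details that most affect how an analyst's reply is handled are the “Minimal Template” variable table and the interaction rules (a set of labelled buttons, a “Time to interact” window and a “Default Action” that runs when nobody responds in time). The following added Python example models both; it is not the product's code, and the table layout, the `Interaction` fields, the action names and the constructed reply timestamps are assumptions. Replies arriving after the window, and replies whose label does not correspond to a configured button, do not trigger anything: the default action runs instead.

```python
# Added example (not product code): rendering a variable table for the e-mail
# body and resolving the interaction outcome with a default action on timeout.
from dataclasses import dataclass


@dataclass
class Interaction:
    label: str   # button label shown to the recipient, e.g. "Confirm"
    kind: str    # "primary", "primary_outlined" or "regular" (assumed values)
    action: str  # playbook action run when this button is pressed (assumed)


def minimal_template(variables):
    """Plain-text variable/value table for the e-mail body (assumed layout)."""
    width = max(8, *(len(name) for name in variables))
    lines = [f"{'Variable'.ljust(width)} | Value", f"{'-' * width}-+-------"]
    for name, value in variables.items():
        lines.append(f"{name.ljust(width)} | {value}")
    return "\n".join(lines)


def resolve_interaction(interactions, default_action, time_to_interact,
                        responses, sent_at=0):
    """Return the action to run for a notification.

    responses: list of (timestamp_seconds, label), sorted by arrival time
    (constructed for the example). The first reply inside the window whose
    label matches a configured button wins; otherwise the default action runs.
    """
    allowed = {i.label: i.action for i in interactions}
    for arrived_at, label in responses:
        if arrived_at - sent_at > time_to_interact:
            break  # later replies are outside the window too (sorted input)
        if label in allowed:
            return allowed[label]
        # Unknown label (stale or malformed reply): ignore and keep waiting.
    return default_action


if __name__ == "__main__":
    buttons = [Interaction("Confirm", "primary", "isolate_host"),
               Interaction("Reject", "regular", "close_alert")]
    print(minimal_template({"source": "10.0.0.5", "count": 2}))
    print(resolve_interaction(buttons, "close_alert", 300, [(120, "Confirm")]))
    print(resolve_interaction(buttons, "close_alert", 300, [(400, "Confirm")]))
```

Choosing the default action deliberately matters: if the default is the more invasive action (here, isolating a host), an unanswered notification escalates on its own; if it is the conservative action, silence leaves the alert open for a human to pick up.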

Flows

The Flows view provides an overview of all triggered playbooks. It is used to track and analyze automations that have already been executed within the system. Each item in the list represents a single execution of a playbook. In addition, you will find information about the duration and the underlying playbook for each entry.

You can access the view via SIEM – SOAR – Flows.

Detailed view

Click on a flow to get more detailed information about it. Here you can see the sequence of the underlying playbook.

In the upper right corner, you will find the action executed automatically by the playbook.

You can see this in detail in the “Timeline of events.” Here you will find all the details about the stream defined as the starting point:

In the detailed view, you can analyze the process retrospectively, identify potential sources of error, or check the status of individual steps. This makes it easier to track complex automations and helps optimize future playbook executions. 

LLM Provider

Register an existing large language model (LLM) here. This allows you to integrate your own language models or external LLM resources into the platform and make optimal use of them.

Once created, the LLM can be used in various areas, such as in playbooks, to analyze texts, make decisions, or automatically summarize content.

You can access the view via SIEM – Security Orchestration (SOAR) – LLM Provider.

For each entry, you can see which provider is linked to which model and what usage limit has been set. In the right-hand column, you can also see which provider is defined as the default.

Add LLM Providers


Click on “+Add LLM” to create a new LLM.

  1. Name: Assign a unique name under which the provider will be displayed in the overview.

  2. Description: Optional. Add a brief description to explain the purpose or intended use of the provider.

  3. Enabled: Specify whether the provider is active. Only activated providers are available for LLM queries.

  4. Standard LLM Provider: Enable this option if you want this provider to be used automatically as the default model, provided that no other provider is defined in playbooks.

  5. Provider: Select the LLM provider (e.g., ChatGPT, Azure OpenAI, Anthropic, etc.).

  6. Model: Specify the desired model of the selected provider (e.g., gpt-4-turbo).

  7. Key: Enter the API key required to access the model. This is used for authentication with the provider.

  8. Parallel Prompts: Define how many simultaneous requests the system is allowed to send to the provider. This helps to control performance and resource usage.

  9. Usage Limits: In this section, you can set limits for tokens, requests, or compute time. This allows you to keep track of your LLM's resource consumption and costs.

    1. Click “+ Add Limit” to add a new usage limit.

    2. Then define the following parameters:

      1. Type: Specify which aspect the limit refers to. Possible options are tokens, requests, or computing time.

      2. Threshold: Enter the maximum permitted consumption (number of tokens).

      3. Time horizon: Specify the period to which the limit applies (e.g., Days, Weeks, or Months).

      4. Interval: Specify the interval at which the limit should be automatically reset (e.g., every 1 month).

  10. The overview also shows:

    1. Last Reset: Time of the last reset.

    2. Utilization: Current consumption in relation to the specified limit.

    3. Usage Limit: Displays the currently valid limit value and the defined limit.

  11. Save: Complete the setup by clicking on “Add LLM Provider.” The new provider will then appear in the overview of all LLM providers.
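The provider settings that bound cost and load are “Parallel Prompts” and the usage limits (type, threshold, interval, with last reset and utilization shown in the overview). The following added Python example models how such accounting can work; it is not the product's implementation. The interval units (a month taken as 30 days), the `compute_seconds` limit name, the sample provider name and model, and the use of a bounded semaphore for parallel prompts are assumptions made for the example. The API key is deliberately not part of the model, since it belongs in the platform's credential storage rather than in application state.

```python
# Added example (not product code): usage-limit accounting with interval reset,
# utilization reporting and a parallel-prompt cap for an LLM provider.
import threading
from dataclasses import dataclass

# Assumed interval units; a month is approximated as 30 days here.
INTERVAL_SECONDS = {"days": 86400, "weeks": 7 * 86400, "months": 30 * 86400}


@dataclass
class UsageLimit:
    kind: str             # "tokens", "requests" or "compute_seconds" (assumed names)
    threshold: int        # maximum permitted consumption per interval
    interval_count: int   # e.g. 1 ...
    interval_unit: str    # ... "months"
    last_reset: float = 0.0
    used: int = 0

    def interval_seconds(self):
        return self.interval_count * INTERVAL_SECONDS[self.interval_unit]

    def maybe_reset(self, now):
        """Reset consumption once the configured interval has elapsed."""
        if now - self.last_reset >= self.interval_seconds():
            self.used = 0
            self.last_reset = now

    def utilization(self, now):
        """Current consumption relative to the threshold, as shown in the overview."""
        self.maybe_reset(now)
        return self.used / self.threshold

    def try_consume(self, amount, now):
        """Account for a request; refuse it if it would exceed the threshold."""
        self.maybe_reset(now)
        if self.used + amount > self.threshold:
            return False
        self.used += amount
        return True


class LLMProvider:
    """Provider entry with a parallel-prompt cap and a set of usage limits."""

    def __init__(self, name, model, parallel_prompts, limits):
        self.name = name
        self.model = model
        self._slots = threading.BoundedSemaphore(parallel_prompts)
        self.limits = limits

    def acquire_slot(self):
        """Claim one of the parallel-prompt slots; False if all are busy."""
        return self._slots.acquire(blocking=False)

    def release_slot(self):
        self._slots.release()

    def account(self, usage, now):
        """usage: {"tokens": n, "requests": n, ...}; every limit must allow it."""
        for limit in self.limits:
            limit.maybe_reset(now)
            if limit.used + usage.get(limit.kind, 0) > limit.threshold:
                return False
        for limit in self.limits:
            limit.used += usage.get(limit.kind, 0)
        return True


if __name__ == "__main__":
    provider = LLMProvider("example-provider", "example-model", parallel_prompts=2,
                           limits=[UsageLimit("tokens", 1000, 1, "days"),
                                   UsageLimit("requests", 3, 1, "days")])
    print(provider.account({"tokens": 600, "requests": 1}, now=10))
    print(provider.account({"tokens": 600, "requests": 1}, now=20))   # over tokens
    print(provider.limits[0].utilization(now=20))
```

Checking all limits before charging any of them keeps the accounting consistent: a request refused by one limit must not be counted against another.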
