
How to build a sample playbook

Introduction

Let’s look at an example of how to build your own playbook.

As we already know, playbooks are one of the key features of Devo SOAR: they let you automate identifying undesirable events and responding to them. In this demo, we'll identify G Suite password changes made from IP addresses that a threat-intelligence source has blacklisted, which are unlikely to have been made by the legitimate users, and create a case for each of those events.

First, let's begin by creating a connection to the SIEM (Sumo Logic in this example). Why do you need a connection? See the Connections section under Building blocks of Devo SOAR.

Create a connection

To create a connection, follow the steps shown in the screenshot below.

[Screenshot: image-20240808-121001.png]

You've now successfully created a connection. The next step is to create an event type.

Create an Event type

To create an event type, follow the steps shown in the screenshot below.

[Screenshot: image-20240808-121331.png]

You’ve successfully created an event type.

At any time, if you want to view the event type you created, go to My Library > Event Types to see the list of event types and search for the one you created.

With a connection and an event type in place, we can now get to the real goal: finding the bad password-change events with a playbook.

Create a playbook

The first step in creating a playbook is to ingest sample events on which to build and test your logic. We've already created an event type that connects to Sumo Logic and brings in 'change password' events from G Suite.

Choose that event type, rename the node to G Suite Change Password Events, and rename the playbook as you wish.

Renaming nodes helps you and your team members identify what each node does. You can also add a description to a node. For more information about playbook editing, see Edit a Playbook.

After you run the node, you may find that it returns no data. This happens when the Sumo Logic instance has no record of events in the time range selected for the sample data. Change the time period in the title bar, at the top-right corner of the page, and run the node again.

Find the bad events

To identify bad password-change events, we need the actor's IP address, so first we have to find where that information sits in the event. You can explore the data in several ways; to learn more about data in playbooks, see Work with Steps and Results Panel.

  • Switch between the table and JSON views by clicking the view switcher at the top-right corner of the data pane.

  • Find and take note of the field ipAddress inside audit_log; its full path is $.audit_log.ipAddress.

Our goal is to identify password changes that were not made by the legitimate user. One way to do that is to check whether the actor's IP address is blacklisted by a threat-intelligence organization. Here, we'll use the SANS Blacklist integration. Keep in mind that a blacklist hit is an indicator, not proof; the case we create later is where the analyst investigates it.

  • Hover on the node G Suite Change Password Events and click the + button on the node.

  • On the right pane, search for SANS and click SANS Blacklist - IP Lookup in the list.

Some integrations in Devo SOAR require authentication; in this case, we have already made a connection for you. The node sends each IP to the SANS Blacklist integration and returns the blacklist information for it.

  • Enter the Connection name for SANS Blacklist integration in the right pane and click Next. The parent node will be G Suite Change Password Events by default.

  • Enter $.audit_log.ipAddress as the IP column name.

Expand the Output section on the right pane and look for sans_matches. If sans_matches > 0, the corresponding IP is blacklisted, so the next step is to keep only those events.

  • Hover over the node SANS Blacklist - IP Lookup and click on the + button.

  • Search for filter and click Filter in the results.

With this node we keep only the bad events that need action: those with sans_matches > 0.

In the right pane, enter $.result.sans_matches as the column, > as the operator and 0 as the value, then click Run.

Now that we have the actual bad events for the time period we have chosen, we need to convert them into cases in Devo SOAR so that you can track them to take action on them.

  • Hover over the Filter node and click the + button on the node.

  • Search for create case and click Case Management - Create Case in the results.

Here we create one case for each identified bad event. Enter the following information in the right pane and click Run.

  • Connection: System Integration Connection

  • Case Type Template: Default

Optional fields:

  • Case Title Template: Gsuite Password Changed by Blacklisted IP_102

  • Case Description Template: A GSuite account’s password was changed by someone from a blacklisted IP

  • Case Reporter: [your name]

  • Case Priority: High
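The whole chain above (ingest events, look up the actor IP, keep the rows with sans_matches > 0, create one case per row) expressed as an added Python example; this is not code from the original page or from Devo SOAR. The sample events, the dictionary standing in for the SANS Blacklist - IP Lookup node, and the actor and eventName fields are constructed assumptions; only audit_log.ipAddress, result.sans_matches and the case template values come from the tutorial. An event with no ipAddress is included to show that the lookup degrades to "no match" rather than failing.

```python
import operator

# Constructed sample rows shaped like the G Suite 'change password' event type.
# Only audit_log.ipAddress is named by the tutorial; actor and eventName are assumed.
SAMPLE_EVENTS = [
    {"audit_log": {"ipAddress": "203.0.113.7", "actor": "alice@example.com",
                   "eventName": "CHANGE_PASSWORD"}},
    {"audit_log": {"ipAddress": "192.0.2.10", "actor": "bob@example.com",
                   "eventName": "CHANGE_PASSWORD"}},
    {"audit_log": {"ipAddress": "198.51.100.23", "actor": "carol@example.com",
                   "eventName": "CHANGE_PASSWORD"}},
    # Edge case: an event with no ipAddress at all must not break the lookup.
    {"audit_log": {"actor": "dave@example.com", "eventName": "CHANGE_PASSWORD"}},
]

# Constructed stand-in for the SANS blacklist: IP -> number of matching entries.
CONSTRUCTED_BLOCKLIST = {"203.0.113.7": 3, "198.51.100.23": 1}

OPERATORS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
             "<=": operator.le, "==": operator.eq, "!=": operator.ne}


def get_path(row, path):
    """Resolve a '$.a.b' column reference as used in playbook node parameters.

    Returns None when any segment is missing so callers can treat the row as
    'no value' instead of raising.
    """
    if not path.startswith("$."):
        raise ValueError(f"column reference must start with '$.': {path!r}")
    node = row
    for key in path[2:].split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def sans_blacklist_lookup(rows, ip_column):
    """Mirror the 'SANS Blacklist - IP Lookup' node: add result.sans_matches to each row."""
    annotated = []
    for row in rows:
        ip = get_path(row, ip_column)
        matches = CONSTRUCTED_BLOCKLIST.get(ip, 0) if isinstance(ip, str) else 0
        annotated.append({**row, "result": {"ip": ip, "sans_matches": matches}})
    return annotated


def filter_rows(rows, column, op, value):
    """Mirror the Filter node: keep rows where <column> <op> <value> holds."""
    compare = OPERATORS[op]
    kept = []
    for row in rows:
        current = get_path(row, column)
        if current is not None and compare(current, value):
            kept.append(row)
    return kept


def create_cases(rows, title, description, reporter, priority="High"):
    """Mirror 'Case Management - Create Case': one case dict per input row."""
    return [
        {
            "title": title,
            "description": description,
            "reporter": reporter,
            "priority": priority,
            "source_ip": get_path(row, "$.result.ip"),
            "actor": get_path(row, "$.audit_log.actor"),
        }
        for row in rows
    ]


def run_playbook(events, reporter="analyst"):
    """Run the three nodes in the order they are wired in the tutorial."""
    looked_up = sans_blacklist_lookup(events, "$.audit_log.ipAddress")
    bad_events = filter_rows(looked_up, "$.result.sans_matches", ">", 0)
    return create_cases(
        bad_events,
        title="Gsuite Password Changed by Blacklisted IP_102",
        description="A GSuite account's password was changed by someone from a blacklisted IP",
        reporter=reporter,
    )


if __name__ == "__main__":
    for case in run_playbook(SAMPLE_EVENTS):
        print(f"[{case['priority']}] {case['title']}: {case['actor']} from {case['source_ip']}")
```

Running it yields two cases (alice and carol); bob's clean IP and dave's event without an IP are dropped by the filter, which is the same behaviour you should expect from the Filter node when the looked-up column is 0 or absent.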

Create streams

So far we have built the logic that identifies bad password-change events in G Suite and turns each of them into a case. Now we want this playbook to run periodically so that cases are created automatically as bad events occur. To do that, we schedule a Stream.

Click Create Stream on the top-right corner.

Before you schedule a Stream, you need to define the output of the playbook. In this case, the create case node is the output.

Choose create case from the drop-down and click Save.

Streams run on the events that occurred in a time period called the batch length. Unless you specify otherwise, the interval between two batch runs is also the batch length, so consecutive batches cover adjacent windows with no gap and no overlap.
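What the batch length and the interval between runs mean for coverage, as an added Python example that is not from the page or from Devo SOAR: it generates the windows that successive batches would cover, classifies consecutive windows as contiguous, gapped or overlapping, and counts how many batches would see each event. The assumptions that a batch covers the half-open window [run start, run start + batch length) and that an event seen by two batches would produce two cases are mine; the page only states that the interval defaults to the batch length.

```python
from datetime import datetime, timedelta, timezone


def batch_windows(first_start, batch_minutes, interval_minutes=None, count=4):
    """Windows covered by `count` successive batch runs.

    Each batch covers `batch_minutes` of events starting at its run start
    (assumed half-open window); runs are `interval_minutes` apart, defaulting
    to the batch length as the page states.
    """
    if interval_minutes is None:
        interval_minutes = batch_minutes
    batch = timedelta(minutes=batch_minutes)
    step = timedelta(minutes=interval_minutes)
    return [
        (first_start + i * step, first_start + i * step + batch)
        for i in range(count)
    ]


def coverage(windows):
    """'contiguous' when each window starts where the previous one ends,
    'gap' when events between windows belong to no batch,
    'overlap' when some events belong to more than one batch."""
    for (_, prev_end), (next_start, _) in zip(windows, windows[1:]):
        if next_start > prev_end:
            return "gap"
        if next_start < prev_end:
            return "overlap"
    return "contiguous"


def batches_per_event(windows, event_times):
    """How many batches would process each event: 0 = missed, 2+ = duplicate cases."""
    return {t: sum(1 for start, end in windows if start <= t < end) for t in event_times}


# Constructed timestamps for three password-change events.
T0 = datetime(2024, 8, 8, 12, 0, tzinfo=timezone.utc)
EVENTS = [T0 + timedelta(minutes=m) for m in (5, 20, 35)]

if __name__ == "__main__":
    # 15-minute batches run every 15, 30 and 10 minutes respectively.
    for interval in (15, 30, 10):
        windows = batch_windows(T0, 15, interval)
        seen = {t.strftime("%H:%M"): n for t, n in batches_per_event(windows, EVENTS).items()}
        print(f"batch=15m interval={interval}m: {coverage(windows)} -> {seen}")
```

With the default (interval equal to batch length) every event is processed exactly once. Running batches less often than the batch length silently skips events; running them more often processes some events twice, which with this playbook means duplicate cases for the same password change.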

Enter the following information and click Save. (When you create your own Stream, you can choose any name.)

Once you have scheduled a Stream, you can go to the Streams page to see the logs of each batch that ran.

  1. Click Streams page or go to My Library > Streams.

  2. Click the stream: Gsuite_Password_Events_102.

  3. Click the latest successful batch.

View the case

On this page, you can see one row, corresponding to the single case that was generated for the one bad event that occurred in the last 15 minutes.

  1. Go to Case Management > Cases from the left navigation bar.

  2. Click the case: 'Gsuite Password Changed by Blacklisted IP_102'.

You can add comments and attachments to a case and create tasks to assign to selected users or groups. Additionally, you can:

  • Change the priority

  • Assign the case to yourself

  • Change the status

  • Add attachments, and so on.

You've successfully completed the steps in the playbook

You have successfully completed the steps in a playbook that identifies password changes made from IP addresses blacklisted by a threat-intelligence organization. Additionally, you can use the cases created in Devo SOAR to track how frequently passwords are changed from blacklisted IPs.

Let’s look at another example of how to build an email phishing playbook.