Swimlane Turbine: Using the Playbook Condition Builder

Security automation platforms, like Swimlane Turbine, use playbooks to understand what to automate in the security operations center (SOC). Security teams decide what actions, triggers, and events the automation platform will use to automate a variety of tasks.

One of the most powerful features of low-code playbooks is the ability to apply different conditions to specific steps in the process. And, with the introduction of Turbine’s playbook condition builder, this is easier than ever.

What is the Playbook Condition Builder?

When building playbooks in a security automation platform, actions are often required to be executed on a conditional basis – dependent on the results of other actions. You may want a different outcome if an action succeeds versus fails. That’s where the playbook condition builder comes in.

In Turbine, the playbook condition builder is a user-friendly feature in the playbook building process. It enables you to create security playbooks that execute actions when specified criteria are met, without the need to write any code.

How it Works

The playbook condition builder applies conditional statements that can be added between actions within a playbook. The simplest way to do this is with the action flow condition control. It provides you with visible options to decide when the next action should occur – on the success, failure, or general completion of the previous action.

You can hover over an action to display three action flow options:

  • Green: “On Success” – this will run the next action if the previous action succeeds.
  • Red: “On Failure” – this will run the next action if the previous action fails.
  • Gray: “On Complete” – this will always run the next action, regardless of the success or failure of the previous action.

An action can also have more than one action flow, as seen below.

For example, let’s say you want to create an action to parse IOCs from a text file. Depending on the outcome of that action run, the next action may need to be different.

  • If the action succeeds, you can run a playbook that performs a look-up on those IOCs (green).

  • If the action completes, you can run an action to scan the file for viruses (gray).

  • If the action fails, you can run an action to send an alert through Slack (red).

Conditions can also be added or edited by clicking the action flow arrow between two actions. This will display options above the action flow for you to choose from.

In addition to the three options previously mentioned, you can also choose to:

  • Delete the flow completely (red X).

  • Edit the conditions (pencil).

  • Remove all conditions (diamond).

Advanced: Adding More Conditional Logic

The power of Turbine’s low-code automation engine allows you to take playbook building another step further. Let’s look at how to add conditional logic for more advanced conditional action flows.

When editing an existing condition, an editor window appears. This is where you can create more detailed conditional statements. In this editor, you can build conditional logic using playbook properties and operators.

Operators can be used in a variety of ways, as seen below.

View the full list of operators.

You’ll quickly see all the possibilities you gain when adding conditions to your playbooks. For instance, the expression below contains multiple conditions built using the editor. This shows a group of conditions that all need to be met in order for the next action to happen:

With the tools provided in the playbook condition builder, you can build playbooks as simple or complex as you want. It’s an effective way to implement a range of business logic for stronger automation across all of your playbooks.
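
The routing rules described above (On Success, On Failure, On Complete, plus a group of conditions that must all be met), modelled in Python as an added example; this is not Swimlane Turbine code or its playbook format. The Flow class, the operator names, the action names and the ioc_count property are hypothetical, and the sample flows are constructed from the parse-IOCs scenario in the text.

```python
# Conceptual model of action-flow routing; all names here are hypothetical.
import operator
from dataclasses import dataclass, field

TRIGGERS = ("on_success", "on_failure", "on_complete")

# Assumed operator set for illustration; not Turbine's actual operator list.
OPERATORS = {
    "equals": operator.eq,
    "greater_than": operator.gt,
    "contains": lambda haystack, needle: needle in haystack,
}

@dataclass
class Flow:
    trigger: str      # one of TRIGGERS
    next_action: str  # name of the action this flow leads to
    # (property, operator, value) tuples; every one must hold (logical AND)
    conditions: list = field(default_factory=list)

def flow_fires(flow, succeeded, properties):
    """Return True if the flow should run its next action."""
    if flow.trigger not in TRIGGERS:
        raise ValueError(f"unknown trigger: {flow.trigger}")
    if flow.trigger == "on_success" and not succeeded:
        return False
    if flow.trigger == "on_failure" and succeeded:
        return False
    for prop, op_name, expected in flow.conditions:
        if prop not in properties:
            return False  # fail closed: a missing property never satisfies a condition
        if not OPERATORS[op_name](properties[prop], expected):
            return False
    return True

def next_actions(flows, succeeded, properties):
    """List the actions that run after the previous action finishes."""
    return [f.next_action for f in flows if flow_fires(f, succeeded, properties)]

# Constructed flows for the parse-IOCs scenario; the ioc_count condition is an
# assumed extra condition, added to show a gated On Success flow.
PARSE_IOCS_FLOWS = [
    Flow("on_success", "lookup_iocs", [("ioc_count", "greater_than", 0)]),
    Flow("on_complete", "scan_file_for_viruses"),
    Flow("on_failure", "send_slack_alert"),
]

if __name__ == "__main__":
    print(next_actions(PARSE_IOCS_FLOWS, True, {"ioc_count": 3}))
    print(next_actions(PARSE_IOCS_FLOWS, False, {}))
```

In this model a successful parse that yields no IOCs skips the look-up but still runs the virus scan, which is the kind of branch worth checking before relying on a playbook in production.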

*** This is a Security Bloggers Network syndicated blog from Swimlane (en-US) authored by Jimmy Wachs. Read the original post at: https://swimlane.com/blog/security-automation-playbook-condition-builder/