SOAR Playbook designer

A playbook is the set of tools, conditions, business logic, flows and tasks used to respond to security events and threats in a Security Orchestration, Automation, and Response (SOAR) environment.

IBM Security QRadar® SOAR accepts data entered manually or programmatically. You then use the various playbook tools to evaluate and process the data, determine results, and perform remediation. This can include interaction with other security programs and assigning users to do manual tasks. The playbook tools include playbooks, conditions, scripts, functions, rules, workflows and tasks. In addition, you can use fields, data tables and artifacts to contain data, and phases and reports to track progress.

IBM Security QRadar SOAR contains the various playbooks that you design. Each playbook runs when the conditions that you define are met. A condition is a change to an instance of the object type selected in the playbook.

Creating a playbook involves assembling a set of incident types, phases, tasks, fields, workflows, scripts and rules that respond to an incident through intelligence, automation, and orchestration. Before creating a playbook, you need to understand your organization’s policies for responding to events.

As a playbook designer, you can install apps that include customizations to use when designing playbooks. For more information about using apps in IBM® SOAR, see SOAR Apps and App Host.