Customization App
A customization app consists only of playbook components.
To write the app, first determine which components you need.
Rules, Workflows, and Python Scripts
Rules are the basis of your playbook’s decision-making process. Based on the input, rules determine which process to implement, including which tasks to bring into the incident.
The SOAR standards-based BPMN workflow manages long-running activities in the playbook. Features include tasks, scripts, integration functions, decision paths, and timers that can escalate tasks to keep your incident responders on track.
Python scripts within the playbook coordinate the way your teams work together and adjust the response plan as an incident evolves. Automatically reassign incidents and tasks, create milestones and metrics for key events, and work with other incident data.
Fields and Data Tables
The security incident is focused on data that you capture and control, surrounded by related events and the business context. The SOAR extensible schema supports your team in tracking and acting upon the information you need.
You can use fields as data capture points for analysis review and to produce metrics. They specifically support incident response actions, reports, list incident views, and analytics dashboards. Fields should be distinct, specific and purposeful.
Data tables are particularly useful for structured “master-detail” data that is observed and managed in an incident, such as a list of affected users with their roles and contact details, compromised machines with their business function and network zone, or office locations and resources. They are often used with functions and custom actions, where the information is populated from another security program. In some apps, users can pivot directly from a row in the data table to initiate capabilities of your security programs.
Examples
Example 1: One important use of scripts is to calculate and store values for record-keeping, display and reporting. Use custom scripts to record specific timestamps and durations, or to calculate severity based on the impacted users, machines or data. See examples that calculate metrics.
Example 2: Use scripts to automatically reassign incidents and tasks, add custom tasks with instructions derived from artifacts, create milestones for key events, automatically add work-notes, and work with other incident data. See examples of orchestration scripts.
Example 3: Scripts can also fail validation. By raising an error, a script prevents the current action from completing. You can use this to set complex conditions on a field’s value, for example to require a particular numbering scheme or data format. Another use is to ensure that multiple fields relate to each other: if one field is blank, another must be filled. Or use a task script to prevent a task from being closed unless the required data has been entered in the task. See examples of custom validation.
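The validation pattern in Example 3, shown as an added example that is not part of this page or the SOAR product: the field names (ticket_ref, reporter_email, oncall_contact, task_notes) and the numbering scheme are assumptions, and a plain dict stands in for the incident and task objects the platform would supply to a script. Raising an error is what fails validation and blocks the action.

```python
import re

# Assumed numbering scheme for the ticket reference field (constructed for this example).
TICKET_PATTERN = re.compile(r"^INC-\d{6}$")

def validate_incident(incident):
    """Raise ValueError when the incident's fields break the playbook's rules.

    In a SOAR validation script the same checks would run against the
    platform-provided incident object; raising prevents the current action.
    """
    errors = []
    # Rule 1: a single field must conform to a numbering scheme.
    ticket = incident.get("ticket_ref") or ""
    if not TICKET_PATTERN.match(ticket):
        errors.append("ticket_ref must match INC-nnnnnn")
    # Rule 2: fields relate to each other; if one is blank, another must be filled.
    if not incident.get("reporter_email") and not incident.get("oncall_contact"):
        errors.append("oncall_contact is required when reporter_email is blank")
    if errors:
        raise ValueError("; ".join(errors))
    return True

def validate_task_close(task):
    """Raise ValueError if a task is being closed before its required data is entered."""
    if task.get("status") == "closed" and not (task.get("task_notes") or "").strip():
        raise ValueError("task_notes must be filled before the task can be closed")
    return True

def check(validator, record):
    """Run a validator and report (passed, message) instead of raising, for review."""
    try:
        validator(record)
        return True, ""
    except ValueError as exc:
        return False, str(exc)

if __name__ == "__main__":
    # Constructed sample records.
    print(check(validate_incident, {"ticket_ref": "INC-000123", "reporter_email": "a@example.org"}))
    print(check(validate_incident, {"ticket_ref": "INC-12", "reporter_email": ""}))
    print(check(validate_task_close, {"status": "closed", "task_notes": ""}))
```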
Procedure
- Create the components in your SOAR platform. See the Playbook Designer Guide to create playbook components.
- Use the SOAR SDK extract command to package the components into a res file. For example:
resilient-sdk extract --script name --workflow name --rule name -f name -o output_file_name.res --zip
- Copy the file to the host system of the SOAR platform.
- Log in to the SOAR platform and use the import feature to import this file. You can find the import feature by clicking Administrator Settings and selecting the Organization tab. Refer to the System Administrator Guide for details.
You can find both guides on IBM Documentation as described in the Reference topic.