Module: Playbook

Overview

The playbook modules provide common methods used in writing Playbook and Service Apps. These modules offer a standardized set of functionalities that streamline the development process and ensure consistency across different Apps.

Playbook Apps Overview

A Playbook App serves as a singular component within a larger Playbook. Designed to be reusable and standalone, these Apps offer specific functionalities to address a single purpose. When combined, multiple Playbook Apps form a comprehensive Playbook that effectively addresses a particular use case. By breaking down complex tasks into smaller, specialized components, Playbook Apps enhance the modularity and reusability of the overall Playbook structure. This approach promotes efficiency, flexibility, and scalability in designing effective threat response and security automation workflows.

Playbook Flow

During the execution of a Playbook, each App has inputs and outputs. Inputs can be either user-provided data or outputs from a preceding App within the workflow. The input and output configurations for each App are defined in the App's App-Deployment Configuration file.

As the Playbook progresses, each downstream App gains access to the output variables generated by any of the upstream Apps in the workflow. This seamless data sharing enables downstream Apps to leverage the results and outputs of earlier steps, enhancing the overall efficiency and effectiveness of the Playbook execution. The interconnected nature of the Apps ensures a smooth and cohesive workflow, making it easier to orchestrate complex security automation processes and threat response actions.

📘

Upstream App

An upstream App is an App that has completed execution prior to the current App's execution.

Inputs and Outputs

❗️

Input in TcEx 3 and 4

Inputs in TcEx 3 and 4 are auto-resolved, meaning that the value is automatically pulled from the KV Store, so calling the read.variable() method is not required.

Input Variables

In the context of Playbook Apps, inputs can be either static user data or dynamic output variables from a trigger or an upstream App. To facilitate the retrieval of dynamic data from upstream Apps, the Playbooks module offers the read.variable() method. This method automatically determines the variable type for the App developer, streamlining the data retrieval process.

If the read.variable() method is used to fetch an output variable from an upstream App, it returns the value in the appropriate variable type. However, if user data was passed instead of an output variable, the method simply returns the unaltered string. This lets the same call handle both dynamic and static inputs within Playbook Apps.

Mixed Inputs

Inputs that have embedded variables are supported, but only String variables can be embedded by default.

Output Variables

In most Playbook Apps, writing output variables for downstream Apps is a common practice. To simplify this process, the TcEx playbooks module offers the self.playbook.create.variable() method in TcEx 3 or the self.out.variable() method in TcEx 4, which provides several useful features:

  1. Validation: The method ensures that the output variable was explicitly requested by a downstream App, preventing any accidental or unauthorized exposure of data.

  2. Auto Variable Type Detection: The self.playbook.create.variable() method automatically detects the data type of the output variable, making it convenient for developers to handle different types of data without explicit type declarations.

  3. Data Content Validation: The method validates the data content of the output variable, ensuring that it meets the necessary requirements and specifications.

While there are specific methods available for different data types (e.g., self.playbook.create.binary()), in most cases, developers find the generic self.playbook.create.variable() method preferable due to its flexibility and ability to handle various data types seamlessly.

Variable Types

  • Binary
  • BinaryArray
  • KeyValue
  • KeyValueArray
  • String
  • StringArray
  • TCEntity
  • TCEntityArray
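
The input and output behaviour described under Inputs and Outputs, as an added Python model that is not TcEx code. MiniPlaybook, its methods and the dict standing in for the KV Store are hypothetical; the #App:<id>:<name>!<Type> reference syntax and taking the output type from the requested reference are assumptions.

```python
import re

# Assumed reference syntax (not shown on the page): #App:<id>:<name>!<Type>
VAR = re.compile(r"#(?:App|Trigger):\d+:([\w.\-]+)!(\w+)")
# Base types from the page's list; "<Type>Array" means a list of the base type.
TYPES = {"Binary": bytes, "KeyValue": dict, "String": str, "TCEntity": dict}


class MiniPlaybook:
    """Toy stand-in for the playbook module; a dict plays the KV Store."""

    def __init__(self, requested_outputs):
        self.kv = {}
        self.requested = list(requested_outputs)  # references downstream Apps asked for

    def read_variable(self, value):
        """Resolve a whole-value reference, embed Strings, or pass user data through."""
        if not isinstance(value, str):
            return value
        if VAR.fullmatch(value):
            return self.kv.get(value)

        def embed(m):
            # Mixed input: only String variables are embedded; others stay as written.
            if m.group(2) == "String" and m.group(0) in self.kv:
                return self.kv[m.group(0)]
            return m.group(0)

        return VAR.sub(embed, value)

    def create_variable(self, name, value):
        """Write an output only if it was requested and its data fits the type."""
        refs = [VAR.fullmatch(r) for r in self.requested]
        match = next((m for m in refs if m and m.group(1) == name), None)
        if match is None:
            return None  # not requested downstream: nothing reaches the store
        var_type = match.group(2)
        is_array = var_type.endswith("Array")
        base = TYPES.get(var_type[:-5] if is_array else var_type)
        items = value if is_array else [value]
        if base is None or not isinstance(items, list) or not all(isinstance(i, base) for i in items):
            raise TypeError(f"{value!r} is not valid {var_type} data")
        self.kv[match.group(0)] = value
        return match.group(0)
```

An output that no downstream App requested is dropped rather than stored, which is the validation step the Output Variables list describes.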