Playbooks
Playbooks define the list of tasks that should be completed to handle a ticket. A task in a Catalyst playbook is either a manual task for the analyst or an automated task. A playbook is written in YAML; the individual fields of this format are described in the following sections.
Format
name
Name of the playbook.
tasks
Playbooks consist of tasks, keyed by `<task_id>`.
tasks.<task_id>.name
Name for the single task.
tasks.<task_id>.type
Type of the task, can be one of `task`, `input` or `automation`.
- `task`: Simple manual task for the analyst.
- `input`: Question for the analyst. Requires `schema` to be set.
- `automation`: Automation trigger, requires `automation` to be set.
tasks.<task_id>.schema
This field is only used when `type` is `input`.
tasks.<task_id>.automation
This field is only used when `type` is `automation`. It is a simple string that is used as the key of the automation to run.
tasks.<task_id>.payload
This field is only used when `type` is `automation`. It can be used to map values from other sources to the appropriate input of the automation.

```yaml
...
hash:
  name: Hash the malware
  type: automation
  automation: hash.sha1
  payload:
    default: "playbook.tasks['input'].data['something']"
...
```

This example maps the output of the playbook question 'input' in the malware field to the 'msg.payload' field.
tasks.<task_id>.next
Next defines which tasks should be run after this one. It consists of key value pairs: the keys are the ids of the next tasks, and each value is the condition under which that task is run. If the value is unset (or null), the next task is run unconditionally.

```yaml
...
tasks:
  input:
    name: Upload malware if possible
    ...
    next:
      hash: "malware != ''"
...
```
tasks.<task_id>.join
By default a task is run as soon as one of its predecessors is completed and that predecessor's `next` condition for it is met. If `join` is set to `true`, the task is run only once all of its predecessors are completed and all of their conditions are met.
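The following complete playbook is an added example, not one shipped with Catalyst; it ties together the `payload` mapping and the `next` / `join` fields described above. The automation keys (`hash.sha1`, `strings.extract`), the JSON-Schema-style layout of `schema`, the `playbook.tasks[...].data[...]` expressions and the condition syntax beyond the page's own `malware != ''` are assumptions about the deployment, not documented behaviour.

```yaml
# Added example playbook (not from the Catalyst project). Automation keys,
# schema layout and condition expressions are assumed, see the lead-in.
name: Malware triage
tasks:
  upload:
    name: Upload the malware sample
    type: input
    # schema describes the question shown to the analyst (assumed JSON-Schema style)
    schema:
      title: Sample
      type: object
      properties:
        malware:
          type: string
          title: Malware sample (base64)
    # both values are null, so both successors run unconditionally (fan-out)
    next:
      hash:
      strings:

  hash:
    name: Hash the malware
    type: automation
    automation: hash.sha1          # key of a registered automation (assumed)
    payload:
      # map the analyst's answer to the automation input
      default: "playbook.tasks['upload'].data['malware']"
    next:
      assess:

  strings:
    name: Extract printable strings
    type: automation
    automation: strings.extract    # assumed automation key
    payload:
      default: "playbook.tasks['upload'].data['malware']"
    next:
      assess:

  assess:
    name: Assess severity
    type: input
    # join: wait for BOTH hash and strings, not just the first one to finish (fan-in)
    join: true
    schema:
      title: Severity
      type: object
      properties:
        severity:
          type: string
          enum: [low, high]
    # conditional successors: exactly one branch is taken
    next:
      escalate: "severity == 'high'"
      close: "severity != 'high'"

  escalate:
    name: Escalate to incident response
    type: task
    next:
      close:

  close:
    name: Close the ticket
    type: task
    # no join here: close runs as soon as either assess (low severity)
    # or escalate (high severity) completes with its condition met
```

Keep `join: true` for tasks that genuinely need every predecessor's result (such as `assess` above); putting it on a task reached through mutually exclusive branches (such as `close`) would block it forever, since at most one predecessor ever completes.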