How to configure a custom playbook - Security Center - Alibaba Cloud Documentation Center

A playbook is a predefined logical flow or script used to identify, classify, evaluate, and respond to security events. A playbook includes a series of steps to perform specific operations, determine whether security threats exist, and decide how to respond to and mitigate them. You can customize and configure playbooks for different security event types and levels to meet various security needs. Using playbooks for response orchestration helps improve the efficiency and consistency of your security responses.

Core concepts

Playbook type

Security Center provides two types of playbooks:

Predefined Playbook: Security Center provides built-in playbooks based on common security threat scenarios and solutions. You can use these playbooks directly without configuration. You can also copy a predefined playbook and save it as a custom playbook. Then, you can modify the custom playbook as needed. This reduces the complexity of configuring custom playbooks.
Custom Playbook: For complex and highly personalized security threat scenarios, Security Center provides flexible custom playbooks. You can use the flow editor to freely configure various components and easily implement automated security response solutions.

Playbook parameters (input and output parameters)

Input parameters define the conditions that trigger the playbook. When you select different conditions, the parameter examples for debugging change accordingly.
Output parameters define the fields that are output after the playbook is executed. Subsequent nodes can use these fields. You can also use the setOutput action to make these fields available for reference by other playbooks. The syntax is `${event.parameter_path}`.
Note
In addition to custom output parameters, the system provides default system parameters. For more information, see System parameters in playbooks.

Custom playbook configuration flowchart

Flow editor description

You can create, modify, debug, and publish playbook flows using the visual flow editor. The following table describes the main parts of the flow editor.

剧本编辑

Ordinal number	Description
1-Menu bar	Save: After you edit a playbook on the canvas, click Save to save the current playbook as a draft. Important If you exit without saving, the edited flow information is lost. The draft version is temporary. If you roll back from a published version, the draft may be overwritten. To save the playbook permanently, click Publish. Publish: Publish the playbook as an official version. You can view the version information of the playbook on its details page. Note Only published playbooks can be used in automatic response rules and for event handling. Debug: Enter parameters in the debugging area at the bottom of the page to check if the current playbook runs properly. This helps you adjust the configuration promptly. Breakpoint debugging: When you edit a component on the canvas, select the component and click the icon to add a breakpoint. During debugging, the system executes only the ancestor nodes of that component. Check: Check whether the playbook flow is abnormal. You can publish the playbook only when no abnormality is detected. View Published Version: View the latest published version of the current playbook. More: Perform operations such as Save as JSON, Import JSON, Save as Image, Revoke, and Delete.
2-Flow nodes	Basic components required for each flow, independent of external factors. Each flow must have a start node as its starting point and can have multiple end nodes. For more information, see System components.
3-Component actions and playbooks	Components Basic components: Includes general IT components, such as writing to a database, writing data to SLS, and using Python 3 for script processing. Note Python 3 code runs in a built-in Python 3.9 container environment that belongs to the current Alibaba Cloud account. The container has 0.25 vCPU and 256 MB of memory. The maximum script execution duration is 600s. Security components: Components that directly handle security threats, such as the Server Guard component for terminating processes and the Cloud Firewall component for blocking access. Cloud product components: Components that call Alibaba Cloud product OpenAPI operations and query threat intelligence. For more information, see Cloud product components (OpenAPI) and AliyunThreatIntelligence component. Third-party components: Components that call OpenAPI operations of non-Alibaba Cloud products, such as the Web Application Firewall (WAF) of Tencent Cloud and Huawei Cloud. For more information, see Third-party components (OpenAPI). Playbooks Custom Playbook: Includes all custom playbooks created by the current account. Predefined Playbook: Includes all system-predefined playbooks.
4-Canvas area	The canvas area. Drag the components that you want to add to the canvas area and connect them based on their logical relationships. In the canvas area, double-click the start node ( icon) to set the basic information of the start node and the input and trigger methods of the flow. In the canvas area, double-click a basic orchestration component or security response component node to set the basic information, execution conditions, and execution actions of the component. In the canvas area, double-click the end node ( icon) to set the basic information of the end node.
5-Debugging area	Click Debug or the icon in the lower-right corner to expand the debugging area, where you can test if the playbook runs properly. Debug Parameters: On this tab, enter debugging parameters and click Debug. Debugging parameters must be in standard JSON format. You can click Input Parameter Wizard to view parameter examples. Run Logs: After you run a playbook, click Run Logs to view the execution result, details, and other information. Historical Debugging Records: View historical debugging records.

Procedure for configuring a custom playbook

Step 1: Create basic information for a playbook

Log on to the Security Center console.
In the navigation pane on the left, choose Agentic SOC > SOAR. In the upper-left corner of the console, select the region where the assets that you want to protect are located: Chinese Mainland or Outside Chinese Mainland.
On the Custom Playbook tab, click Create Playbook.
In the Create Playbook panel, enter a Playbook Name and Playbook Description, and click OK.

Note

You can also go to the Predefined Playbook tab, find a suitable playbook, and click Copy in the Actions column to copy the predefined playbook as a new custom playbook.

Step 2: Configure the playbook flow

After you create the basic information for the playbook in Step 1, you are automatically redirected to the playbook flow configuration page. You can also click Edit in the Actions column on the custom playbook list page to go to the configuration page.
Configure playbook input and output parameters
1. On the Playbook Editing page, click Settings in the upper-right corner. In the configuration panel, click Input & Output Settings.
  Note
  Each flow must have start and end nodes. Each flow can have only one start node but can have multiple end nodes.
2. In the Input & Output Settings panel, configure the input and output parameters of the playbook. For more information, see Playbook parameters (input and output parameters).
Orchestrate the response flow
This is the core of the playbook. You need to drag components that represent different operations onto the canvas and connect them. This topic uses the DataFormat component as an example. For information about how to configure parameters of other components, see Flow component description.
Important
- The start node uses event as the node name. Therefore, do not set the name of a component to event during playbook orchestration.
- You can select multiple flow components as needed and establish contextual relationships between them.
1. Select a component action
  In the Basic components section on the left, select the DataFormat component. Select an appropriate action, such as joindata or convertToJSON, and drag it to the canvas.
2. Configure component parameters
  In the canvas area, click the selected DataFormat component, or on the Basic Information configuration page, in the Action Configuration module, click to open the parameter settings page. For more information, see DataFormat component.
  - You can enter constants, variable parameters, system parameters, and expressions. For more information, see Component parameters and node execution flow.
  - You can also manually enter parameter settings. In the input box, you can select a node parameter from the drop-down list to generate the corresponding syntax. The following figure shows an example.
After you complete the component configuration, click Save in the menu bar in the upper-left corner.
Warning
If you exit without saving, the edited flow information is lost.

Step 3: Debug the flow

After you set up the playbook, you need to debug it to verify that the flow is correct and runs smoothly.

Set a breakpoint (Optional):
- Description: To verify a specific part of a complex flow, you can set a breakpoint on a component. During debugging, the flow executes up to the node before the breakpoint and then pauses. This lets you check intermediate results.
  Important
  - If the flow has multiple branches, the system debugs only the branch where the breakpoint is set.
  - If multiple breakpoints are set on the same branch, only the last breakpoint takes effect.
- Procedure: Click the icon on a flow node to set it as a breakpoint.
Run the debug
1. Click the debug button in the upper-left corner to open the Debug Parameters panel, and then click the Debug button.
  Note
  The debugging parameter settings vary depending on the type of input parameters configured for the playbook.
2. Load parameter examples:
  1. Click Example.
  2. On the View Sample Input page, click Load Sample.
3. Modify parameters: Modify the parameters as needed, and then click OK.
  Note
  The system provides a more intuitive Visual Mode to help you modify parameters.

View the debugging result

Click the icon on a node or Run Logs in the debugging area to view the detailed input and output data and execution status of the node. The following table describes some of the output parameters.

Parameter name	Description
datalist	The preview data of the result. Important A maximum of three preview data entries are displayed. To view the full data, go to the Complete Output Result tab.
total_data_successful	The volume of data that is successfully processed during execution.
total_data	The total volume of data processed during execution.
total_exe_successful	The number of times that the current action is successfully run.
total_exe	The total number of times that the current action is run.
total_data_with_dup	The volume of data after deduplication after successful processing during execution.

Step 4: Save and publish

After the debugging is successful, click the Publish button in the menu bar in the upper-left corner to convert the playbook to a published version.

Use a playbook

Only published playbooks can be used for automatic response rules and security event handling.

Important

After a playbook is triggered, you can view the generated response policies and tasks in the Response Center, or view the execution records on the playbook's details page.

Bind to an automatic response rule: This method is used to automate the response to specific alerts. For more information, see Automatic response rules.
Manually run during event handling: For complex security events that require manual analysis, you can manually trigger a playbook in the event handling center to assist with response operations. For more information, see the Run Playbook section in Evaluate and handle Agentic SOC security events.
Run directly: On the Predefined Playbook and Custom Playbook tabs of the SOAR page, find the target playbook and click Run in the Actions column to execute the playbook flow once.

Other operations

Roll back a playbook

If you want to restore a published playbook to a previous version, you can perform a rollback operation. The following steps describe how to do this:

On the Custom Playbook tab, find the playbook that you want to roll back. Click Details in the Actions column. On the details page, go to the Basic Information tab and view the historical versions of the playbook in the publish history section.
Run a test (optional): Select the version to which you want to roll back and click View in the Actions column to go to the playbook tab. In the Input Parameters (Run) area, complete the test run of the rollback version.
Select the version to which you want to roll back and click Roll Back to Edit or Roll Back and Publish in the Actions column.
- Roll Back and Publish: Overwrites the draft version on the editing page with the selected version and publishes it.
- Roll Back to Edit: Overwrites the draft version on the editing page with the selected version.

Warning

If you roll back from a published version, the saved draft version may be overwritten. Before you roll back, carefully evaluate the flow differences between versions.

Import a playbook

Note

Only JSON files can be imported.

In the menu bar of the flow editor, click More and then click Import JSON from the drop-down list.
On the import page, upload the JSON file that you want to import and click OK.

View playbook execution records

In the playbook list, click the playbook ID or Details in the Actions column to go to the playbook details page. You can view basic execution records on the Historical Execution Records tab.

Note

When you use a playbook to handle events or security alerts, the system automatically generates a corresponding playbook execution record.

Modify the playbook name

In the playbook list, click the playbook ID or Details in the Actions column to go to the playbook details page. On the Basic Information tab, click the Edit button next to the playbook name.

Note

You cannot modify the name of a predefined playbook.
Playbook names must be unique.

Common error codes for playbook execution and debugging

Error codes are classified into two types: errors that occur during playbook orchestration and errors that occur during component execution.

Error codes related to playbook orchestration

Error message	Description	Troubleshooting and solution
The filter condition for node [%s] is invalid. It must include data from the data list of node [%s].	The condition judgment configuration of the filter node is incorrect. The configuration must include the node data that you want to filter.	When you filter data from a node, make sure that the filter condition includes the data variables of the node and the corresponding conditions.
The start node has no downstream configuration.	No descendant node is defined for the start node.	Define a descendant node for the start node.
The node [nodeName] has no downstream nodes defined.	No descendant node is defined for a common node.	Define a descendant node for the common node.
The resource in node [node] does not exist.	A resource instance is configured, but the resource instance does not exist.	Select an existing resource instance.
The resource in node [node] is required but not configured.	No resource instance is configured.	Select and configure a resource instance.
Multiple nodes have the same name [nodeName].	Duplicate node names exist.	Find the duplicate node names and modify them to ensure that each node name is unique.
The path [path] defined in node [node1] is invalid because the child flow supports only the `${<subTask>.curLoop}` and `${<subTask>.curIndex}` formats.	In a child flow, the format of the variable retrieved using the name of the child flow is incorrect. Currently, only `${<subTask>.curLoop}` and `${<subTask>.curIndex}` are supported in child flows.	Check the variable definitions of parameters in the child flow and modify the incorrect variable definitions.
The path [node2.path] defined in node [node1] is invalid because node [node2] does not exist.	In the parameters of a node, the node referenced by a variable does not exist.	The referenced node does not exist or was deleted. You must reconfigure the variable or add the non-existent node.
The path [node2.path] defined in node [node1] is invalid because node [node2] is not an ancestor node of the current node.	In the parameters of a node, the variable references a node that exists but is not an ancestor node of the current node.	Reference a variable from an ancestor node.

Error codes related to component execution

Error code (errCode)	Error message (errMsg)	Troubleshooting
sophon.Internal.Error	An internal system error occurred.	Check the parameters or resource configuration. For more information, view the error message or contact the helpdesk.
component.Internal.ParamError	Component parameter error.	Check whether the parameters configured for the component are correct.
component.Abnormal.InvokeError	Component execution error.	An error occurred during the internal execution of the component. For more information, view the error message or contact the helpdesk.
filter.Abnormal.Fail	The data does not meet the filter condition. Check whether the filter condition is correctly set.	The data does not meet the filter condition. Check whether the filter condition is correctly set.
securityGroup.Internal.HostIsOutside	Hosts outside the cloud cannot use security groups to block IP addresses.	Check that the host to be blocked is not a host outside the cloud.
securityGroup.Internal.NumberExceedLimit	The number of security groups or security group rules exceeds the limit.	Check whether the number of security groups associated with the host or the number of security group rules exceeds the limit.
sts_openapi.Internal.ParamError	ParamError: The parameters of your request are invalid.	Check whether the actual input parameters of the component are correct.
sts_openapi.Internal.WafRuleError	VerifyRuleCountExceed: The number of rules exceeds the limit.	The number of custom rules for WAF exceeds the limit.
sts_openapi.Internal.DefenseTemplateNotExist	Defense.Control.DefenseTemplateNotExist: The protection template does not exist.	The WAF template does not exist. Check whether the WAF template was accidentally deleted.
sts_openapi.Internal.DefenseTemplateBindUnbindResourceInvalid	Defense.Control.DefenseTemplateBindUnbindResourceInvalid: The resource to which the template is to be bound is unavailable.	Failed to bind the WAF template to a resource. Check whether the associated resource is available.
sts_openapi.Internal.DefenseResourceRelationExist	Defense.Control.DefenseResourceRelationExist: The resource to which the template is to be bound is already bound to another template.	Failed to bind the WAF template to a resource. Check whether the associated resource is already bound to another template.
sts_openapi.Info.DefenseSceneNotSupported	Defense.Control.DefenseSceneNotSupported: This protection scenario is not supported.	The WAF version is too low and does not support the custom rule feature.
sts_openapi.Internal.ErrorAddressGroupExist	ErrorAddressGroupExist: The address group already exists.	The name of the Cloud Firewall address book conflicts with an existing one.
sts_openapi.Internal.PermissionError	NoPermission: The caller does not have permission.	The user does not have the permission to modify the associated resource.
sts_openapi.Internal.CFWRuleError	acl or expand acl count exceed.	The number of Cloud Firewall rules exceeds the limit.
sts_openapi.Internal.InvalidSecurityGroupId	InvalidSecurityGroupId.NotFound: The specified SecurityGroupId does not exist.	The security group does not exist. Check whether the security group was accidentally deleted.
sts_openapi.Internal.ErrorParametersGroupAddress	ErrorParametersGroupAddress: The IP address in the address group is invalid.	The current IP address book is unavailable.
sts_openapi.Internal.notBuyUser	not buy user: The user has not purchased the product.	The user has not purchased the Cloud Firewall product.
sts_openapi.Internal.Throttling	The error message contains the throttling or Throttling keyword, which indicates API throttling.	The OpenAPI operation for the cloud product is throttled.
python.Info.aegis2	The process does not exist.	The process does not exist.
python.Internal.aegis3	The process PID and path do not match.	The process PID and path do not match.
python.Internal.aegis4	Process permission denied.	You do not have the permission to handle the process.
python.Info.aegis5	The file does not exist.	The file to be handled does not exist.
python.Internal.aegis6	The file MD5 values are inconsistent.	The input MD5 value of the file to be handled is inconsistent with the actual MD5 value.
python.Internal.aegis7	File permission denied.	You do not have the permission to handle the file.
python.Internal.aegis8	The object file exists and the MD5 values are inconsistent.	The object file exists and the MD5 values are inconsistent.
python.Internal.aegis9	The backup file does not exist.	The backup file of the file to be handled does not exist.
python.Internal.aegis10	No fencing record is found.	No associated file fencing record is found.
python.Internal.aegis11	The AliYunDun process cannot be terminated or fenced.	The AliYunDun process cannot be terminated or fenced.
python.Internal.aegis91	The host information does not exist.	The host information does not exist.
python.External.Fail	Python script error.	An error occurred when the Python script was executed. For more information, view the error message or contact the helpdesk.
python.External.Data	Python component input format error.	An error occurred in the input format of the Python component. For more information, view the error message or contact the helpdesk.