- 29 Aug 2022
- 5 Minutes to read
Click the Settings icon in the upper-right corner of the Playbook Designer to configure the Playbook’s settings (Figure 1).
Use the dropdown menu to select the user account under which the Playbook should execute. The Playbook runs with that account's permissions, so choose an account that has only the access the Playbook's Apps actually need. This menu is disabled if the Run as current user checkbox was enabled for a UserAction Trigger in the Playbook.
Use the dropdown menu to select the log level for the Playbook. Table 1 describes each log level, from least to most granular.
- ERROR: Records only serious issues, such as the failure of an important process during the execution of a Playbook or Playbook App. The Playbook or App will still be able to run, but the problem (for example, a dropped database connection or the inability to access a file or service) will require remediation in the near future.
- WARN: Records unexpected or unusual, but not necessarily serious, problems in the execution of a Playbook or Playbook App, such as a service call that failed one or more times before succeeding on an automatic retry. Whether the issue will persist or recur is unknown. Warnings should be investigated, but are typically not urgent.
- INFO: Records normal behavior and milestones in the execution of a Playbook or Playbook App, such as the start or exit of an App or the submission of an Indicator to a SIEM.
- DEBUG: Records detailed diagnostic information about the execution of a Playbook or Playbook App. For example, an App at this level may provide additional telemetry about a network or proxy connection.
- TRACE: Records very detailed diagnostic information about the execution of a Playbook or Playbook App. This is the most granular level and captures every possible detail of the Playbook or App's behavior.
Log levels cascade; in other words, any log level will capture details at its own level and at all less granular log levels. For instance, INFO will capture WARN and ERROR messages, but exclude DEBUG and TRACE messages. Apps written in Python do not distinguish between DEBUG and TRACE log levels. Either can be used during Playbook design with the same effect.
Setting the log level for a Playbook App to DEBUG or TRACE activates input- and output-parameter value capture in the Input and Output tabs, respectively, for that App’s step in the Execution Details pane of the Executions screen for the Playbook (Figure 2 and Figure 3).
See Playbook Executions for more information on the Executions screen.
During Playbook development, it is recommended that the log levels of individual Apps be set to DEBUG or TRACE in order to maximize the amount of detail available in the logs on the Executions screen. Once a Playbook is ready for production, set the Apps' log levels to INFO, WARN, or ERROR. Leaving an App at DEBUG or TRACE generates excessive amounts of log data in a high-volume environment and may affect system performance. It also keeps input- and output-parameter capture switched on, so any credentials or other sensitive values passed to or returned by the App are written into the execution record for every run; that is a second reason not to leave production Apps at those levels. Similarly, set the log level for the Playbook itself to INFO or WARN.
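The following added example (not ThreatConnect code, and not the Playbooks SDK) illustrates two points from the text above using Python's standard logging module: that levels cascade, so a logger set to INFO still emits WARN and ERROR but drops DEBUG, and that Python has no TRACE level, so a Python App treats TRACE exactly like DEBUG. It also shows why DEBUG/TRACE parameter capture matters in production: `log_params` emits an App's inputs only at DEBUG and redacts secret-looking keys. The level mapping, the `_Collector` handler, the parameter names and the `SECRET_KEYS` list are all assumptions for this example.

```python
import logging
from typing import Dict, List

# Python's logging has no TRACE level; map it to DEBUG as the page says
# Python Apps do. The exact mapping is an assumption for this example.
LEVELS = {
    "ERROR": logging.ERROR,
    "WARN": logging.WARNING,
    "INFO": logging.INFO,
    "DEBUG": logging.DEBUG,
    "TRACE": logging.DEBUG,
}

# Parameter names that should never be written to a log verbatim (assumed list).
SECRET_KEYS = ("api_key", "password", "token", "secret")


class _Collector(logging.Handler):
    """Handler that stores emitted records in memory so the effect of the
    configured level can be inspected (stands in for the Executions screen)."""

    def __init__(self) -> None:
        super().__init__()
        self.records: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(f"{record.levelname}: {record.getMessage()}")


def _logger_at(name: str, level_name: str) -> "tuple[logging.Logger, _Collector]":
    logger = logging.getLogger(f"example.{name}.{level_name}")
    logger.propagate = False          # keep the root logger out of the picture
    logger.setLevel(LEVELS[level_name])
    handler = _Collector()
    logger.addHandler(handler)
    return logger, handler


def emitted_at(level_name: str) -> List[str]:
    """Return the messages an App emits when its logger is set to level_name.
    The same four messages are logged each time; only the level filter differs."""
    logger, handler = _logger_at("cascade", level_name)
    logger.debug("proxy connection: CONNECT via 10.0.0.1:3128")  # DEBUG/TRACE telemetry
    logger.info("App started")
    logger.warning("service call failed once, succeeded on retry")
    logger.error("database connection dropped")
    logger.removeHandler(handler)
    return handler.records


def log_params(level_name: str, params: Dict[str, str]) -> List[str]:
    """Emit an App's input parameters at DEBUG, redacting secret-looking keys,
    then an INFO milestone. At INFO or above the parameter lines never appear."""
    logger, handler = _logger_at("params", level_name)
    for key, value in params.items():
        shown = "***" if any(s in key.lower() for s in SECRET_KEYS) else value
        logger.debug("input %s=%s", key, shown)
    logger.info("App started with %d inputs", len(params))
    logger.removeHandler(handler)
    return handler.records


if __name__ == "__main__":
    # Constructed sample inputs, including a credential that must not leak.
    sample = {"api_key": "k-3f9a...", "indicator": "198.51.100.7"}
    for lvl in ("ERROR", "INFO", "DEBUG", "TRACE"):
        print(lvl, emitted_at(lvl))
        print(lvl, log_params(lvl, sample))
```

Note that the standard library names the WARN level `WARNING`, which is why the collected records read `WARNING:` rather than `WARN:`; the filtering behaviour is the same.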
Use the dropdown menu to select the server or group of servers on which the Playbook should execute. If a private server is available to the user's Organization, a lock icon is displayed next to the server's name. In a multi-tenant instance of ThreatConnect, private servers are dedicated instances on which users in an Organization can run a Playbook rather than sending it through the queue of the pool of public servers (i.e., the Default Server Pool). Use a private server for Playbooks whose priority or performance requirements necessitate execution outside of the Default Server Pool.
Use the dropdown menu to select the priority level (High, Medium, or Low) for the Playbook. Playbook priority level is used to influence a Playbook’s position in the execution queue. When all Playbooks in the execution queue (either in the Default Server Pool or on a private server) have the same priority level, they will go through the queue on a first-in, first-out (FIFO) basis. When a Playbook of higher priority enters the queue, its execution will take precedence over any lower-priority Playbooks waiting in the queue, regardless of existing queue order. When multiple Playbooks of a given priority level are in the queue, they will execute on a FIFO basis within their priority level.
For example, if there are two high-priority Playbooks, three medium-priority Playbooks, and four low-priority playbooks in the queue, the two high-priority Playbooks will execute first, in the order in which they were entered in the queue (i.e., FIFO), the three medium-priority Playbooks will execute next in FIFO order, and then the four low-priority Playbooks will execute last in FIFO order. If, while the medium-priority Playbooks are executing, another high-priority Playbook enters the queue, the high-priority Playbook will execute after the current execution completes, and then the queue will go back to executing the medium-priority Playbooks. The default priority level for a Playbook is Medium.
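The queue behaviour described above, modelled as an added Python example (not ThreatConnect's scheduler): a priority queue ordered by priority level and, within a level, by arrival sequence, so execution is FIFO per level and a newly arriving high-priority Playbook jumps ahead of everything of lower priority that is still waiting. `run_scenario` replays the 2/3/4 example in the text, including the high-priority arrival while `medium-1` is executing. The single-worker model, the class and function names, and the Playbook names are assumptions for this example.

```python
import heapq
from itertools import count
from typing import List, Optional, Tuple

# Lower number = higher priority; mirrors the High/Medium/Low levels in the text.
PRIORITY = {"High": 0, "Medium": 1, "Low": 2}


class PlaybookQueue:
    """Execution queue: ordered by priority, then first-in first-out within a
    priority level. Hypothetical model of the behaviour the page describes."""

    def __init__(self) -> None:
        self._heap: List[Tuple[int, int, str]] = []
        self._seq = count()  # monotonically increasing arrival number

    def submit(self, name: str, priority: str = "Medium") -> None:
        # Default priority is Medium, as on the page.
        heapq.heappush(self._heap, (PRIORITY[priority], next(self._seq), name))

    def next_execution(self) -> Optional[str]:
        """Pop the Playbook that should execute next, or None if idle."""
        if not self._heap:
            return None
        return heapq.heappop(self._heap)[2]

    def __len__(self) -> int:
        return len(self._heap)


def run_scenario() -> List[str]:
    """Replay the example: 2 High, 3 Medium, 4 Low queued; a third High
    Playbook arrives while medium-1 is executing. Returns execution order."""
    q = PlaybookQueue()
    for i in range(1, 3):
        q.submit(f"high-{i}", "High")
    for i in range(1, 4):
        q.submit(f"medium-{i}", "Medium")
    for i in range(1, 5):
        q.submit(f"low-{i}", "Low")

    order: List[str] = []
    while (pb := q.next_execution()) is not None:
        order.append(pb)          # single worker: pb is "executing" now
        if pb == "medium-1":
            # Arrives mid-execution; it cannot pre-empt medium-1 but runs
            # before medium-2 because it outranks every waiting Playbook.
            q.submit("high-3", "High")
    return order


if __name__ == "__main__":
    print(" -> ".join(run_scenario()))
```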
Enter the number of minutes of analyst time that will be saved with each execution of the Playbook in the Minutes box. Enter the hourly rate of the analyst in the Rate/Hour box. Every time the Playbook executes, these values will be used to calculate how much time and money were saved by executing the Playbook rather than having the analyst do the work manually. See Playbooks: Return on Investment for more information.
The Failure Notifications feature allows ThreatConnect users to specify email addresses that should receive an email if a Playbook fails to execute.
Select the Enabled checkbox (Figure 1) to enable failure notifications. After this checkbox is selected, an Include Log Files checkbox and an Email text box will be displayed (Figure 4).
- Include Log Files: Select this checkbox to attach the execution's log files to failure notifications. If any App in the Playbook is logging at DEBUG or TRACE, those files can contain captured parameter values, so consider whether the recipients should receive that data over email before enabling this option.
- Email: Enter the email address(es) to which failure notifications should be sent. If entering multiple email addresses, separate each email address with a comma.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.