Add nested playbooks #158
Comments
I don't see how we can put one playbook into another and make the list of tasks expandable in case of need. We've worked out this problem using atomic-threat-coverage/response_playbooks/RP_0001_phishing_email.yml Lines 33 to 37 in ea6cda3
Maybe this is something that could help? If you need fully automated nesting, this is not something TheHive can offer at the moment. What do you guys think? @sn0w0tter @mrblacyk
Here is an example to make sure we're thinking of the same thing. Playbook 1
Playbook 2
Steps Playbook 1
Playbook 2
Playbook 3
Where in playbook 1 and 2 the response actions are automatically imported to look like the original example, and any workflow is concatenated in order of playbook import.
Hey @VVX7, I can see how it can be useful. Right now, we have the Response Actions category in its name, so technically we could just consume the list of RAs from a nested RP and append accordingly. However, a single RP contains RAs from potentially all steps of the 6-step SANS IR process. There is an issue of order and placement of the nested RP. I can see one solution to this problem. Let's put the nested RP as a step for identification. Let's say that the above example is related to one step only - identification. The function will retrieve identification RAs from a nested RP (Playbook 3) and insert to the Playbook 2 at the location of Playbook 2Identification
Playbook 3Identification
We end up with: Playbook 2Identification
The order does matter. If the What do you think? Would it be suitable for this? Of course, I also can think of an additional field for including whole playbooks but the order would be a problematic part and would like to hold with such a feature for the time being.
I can also see now that it may be a bit confusing. This approach mandates that inclusion of nested RP needs to be repeated for every IR step.
That could work. You're correct that the RA order needs to be maintained and that nested RP must be included for each IR phase (and I've added more phases in my AMITT PR too).
Problem
Currently playbooks are flat lists of response actions. This can be difficult to maintain when playbooks grow in number or complexity.
Solution
Playbooks should be allowed to contain references to other playbooks in addition to response actions.
When exported to TheHive, nested playbooks must be flattened (possibly with some tag/prefix to identify specific tasks as members of child playbooks) so that they can be used as Tasks.
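
The phase-by-phase flattening discussed in this thread, as an added example that is not part of the issue or the project's code: an entry naming another playbook is expanded in place within the same IR phase, inherited tasks get an origin prefix, and cyclic or unknown references are rejected. The dict layout, the `RP_` prefix test, the `[RP_x]` tag format and all playbook and action names are assumptions constructed for illustration.

```python
# Added example: phase-scoped flattening of nested response playbooks.
# Playbook/action names and the dict layout are constructed for illustration.
PLAYBOOKS = {
    "RP_1": {"identification": ["RA_a", "RP_2", "RA_d"],
             "containment": ["RP_2", "RA_x"]},
    "RP_2": {"identification": ["RA_b", "RP_3"],
             "containment": ["RA_y"]},
    "RP_3": {"identification": ["RA_c"]},  # defines no containment phase
}


class NestingError(ValueError):
    """Raised for a cyclic or unknown playbook reference."""


def flatten_phase(rp_id, phase, playbooks, _path=()):
    """Return [(action_id, origin_playbook)] for one IR phase, in order.

    An entry that names another playbook is replaced, in place, by that
    playbook's actions for the same phase, so ordering is preserved.
    """
    if rp_id in _path:
        raise NestingError("cycle: " + " -> ".join(_path + (rp_id,)))
    if rp_id not in playbooks:
        raise NestingError(f"unknown playbook: {rp_id}")
    tasks = []
    for entry in playbooks[rp_id].get(phase, []):
        if entry.startswith("RP_"):  # assumed convention for a nested playbook
            tasks.extend(
                flatten_phase(entry, phase, playbooks, _path + (rp_id,)))
        else:
            tasks.append((entry, rp_id))
    return tasks


def task_titles(rp_id, phase, playbooks):
    """Prefix each task inherited from a child playbook with its origin."""
    return [action if origin == rp_id else f"[{origin}] {action}"
            for action, origin in flatten_phase(rp_id, phase, playbooks)]


if __name__ == "__main__":
    for phase in ("identification", "containment"):
        print(phase, task_titles("RP_1", phase, PLAYBOOKS))
```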