Create an Advanced Playbook
Create an advanced playbook to automate complex workflows with advanced conditional logic, multiple decision trees, and configurable actions. To automate simple workflows in which a trigger object and its properties directly correlate to specific actions, create a rule-based playbook.
You can create up to ten playbooks for each playbook trigger.
1. Enter Playbook Information
In the Automation Management Playbooks tab, click New Playbook, then select Advanced.
Enter information about the playbook:
Playbook name – Enter a playbook name between four and 32 characters. You can use numbers, letters, and spaces only. You can't rename a playbook after it's created.
Description – Describe the playbook.
Trigger – Define the playbook trigger. Click Select object, then select a trigger object: Alert or Case. Click Select trigger, then select the situation that occurs to the trigger object: is created or is modified.
You can create up to 20 playbooks for each playbook trigger.
Click Continue. The playbook contains an input and a result.
The input represents playbook inputs you can use for all steps.
The result represents the output of the last step of the playbook.
2. (Optional) Configure Playbook Inputs
In Input, add or edit inputs you can use for steps throughout the entire playbook. By default, you can configure the following case and alert attributes as inputs:
alert_id – The alert ID
case_id – The case ID
priority – The case priority
risk_score – The case or alert risk score
create_case – Whether the playbook creates a Threat Center case after it's run. If the playbook should create a Threat Center case, toggle create_case on.
use_cases – The Exabeam use cases associated with the case or alert
mitres – The MITRE ATT&CK® tactics and techniques associated with the case or alert
tags – The tags associated with the case or alert
rules – Threat Detection Management rule names
src_ips – The source IP addresses associated with the case or alert
src_hosts – The source host names associated with the case or alert
dest_ips – The destination IP addresses associated with the case or alert
dest_hosts – The destination IP addresses associated with the case or alert
users – The users associated with the case or alert
case_curr_stage – The current case stage
case_closed_reason – The reason why the case was closed
case_queue – The queue assigned to the case
case_assignee – The assignee assigned to the case
To add or edit an input, click Input.
Add an Input
You can use existing parameters as inputs or add inputs from scratch.
Use Existing Parameters as Inputs
To use existing parameters as inputs, you can copy parameters from an existing JSON, from past runs, or from the input library. You can also reuse the inputs for the first step as static inputs.
To copy parameters from an existing JSON, after Copy input's schema from, click A JSON, then in the JSON editor, copy and paste the parameters' source JSON. Click Import.
To copy parameters from a past run, after Copy input's schema from, click Past Runs/Input library, then click to close the current panel. Under Previous runs, select a run, then click Use Input.
If you already created a step, you can reuse the inputs for the first step as the playbook inputs. After Copy input's schema from, click First step's inputs.
Add an Input from Scratch
In Field name, enter the name of the input, then click +Add field. The input is added to the list.
Define the input properties.
Edit an Existing Input
To edit an existing input, click the input name, then configure the input properties.
3. Design the Playbook Logic
Design the logic of the playbook:
Add an action. You can add up to 10 actions.
Add a for loop.
Add a while loop.
Add a branch to one.
Add a branch to all.
To undo your last activity, click . To redo the last activity you undid, click .
To remove a step from the playbook, click .
Test the playbook.
To save the playbook as a draft, click Draft or press command + S. The playbook is saved in Draft Only status.
4. Deploy the Playbook
If the playbook is ready to run, deploy the playbook. Click Deploy. The playbook status is changed to Deployed.
Add an Action to an Advanced Playbook
Add an action to call and use results from a service in a playbook.
You can add a maximum of 10 actions to an advanced playbook.
In an advanced playbook, click Add step, then select Action. You can create a new action directly in the playbook using Python or select an existing action.
Create a New Action
Under New script, select Python, then:
(Optional) In Summary, enter a name or description of the action.
In the Python code editor, build the action logic. Keep in mind:
The code must have a main function. The main function is the entry point for executing the action and the variables declared in the main function are used as the action inputs. Type annotations aren't mandatory but are recommended to pre-validate input arguments. The main function variables appear under Step Input.
The import line imports a reserved custom Exabeam library required for the Python engine to work.
To revert all your progress, click Reset Content.
Under Step Input, define the action inputs. The inputs can be:
A template string with placeholders interpolated for context variables. A placeholder is indicated by ${ and }; for example, `The case risk score is ${flow_input.risk_score}`.
A JavaScript expression evaluated when the playbook runs. You can use context variables and input variables in the expression.
A static value, used as is.
To insert a playbook input, a resource, or result of a previous step in your action input definition, you can append it to your definition or replace the existing definition:
To append a playbook input, resource, or previous result at the cursor position, select the input, resource, or result from the list.
To replace your existing definition, click Connect to another node's output, then select a playbook input, resource, or result from a previous step.
To verify that the action returns the results you expect, test the action.
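An added example, not Exabeam's own code: a Python action whose main function takes the src_ips and risk_score playbook inputs, with type annotations, and validates the alert-supplied addresses before later steps use them. The MAX_IPS cap, the returned field names, and the integer type of risk_score are assumptions; the reserved Exabeam import line that the editor supplies is left out because this page does not name it.

```python
import ipaddress

# The reserved Exabeam import line that the editor supplies is not shown here;
# this page does not name it. Everything below is illustrative.
MAX_IPS = 100  # assumed cap so one noisy alert cannot fan out unbounded work


def main(src_ips: list, risk_score: int = 0) -> dict:
    """Validate alert-supplied source IPs before later steps act on them."""
    if not isinstance(src_ips, list):
        raise TypeError("src_ips must be a list")
    if isinstance(risk_score, bool) or not isinstance(risk_score, int):
        raise TypeError("risk_score must be an integer")

    external, internal, rejected = [], [], []
    seen = set()
    for raw in src_ips[:MAX_IPS]:
        text = str(raw).strip()
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            rejected.append(text[:64])  # bound what gets echoed into results
            continue
        if ip in seen:
            continue
        seen.add(ip)
        # is_global is False for private, loopback, link-local and reserved ranges
        (external if ip.is_global else internal).append(str(ip))

    return {
        "external_ips": external,
        "internal_ips": internal,
        "rejected": rejected,
        "truncated": len(src_ips) > MAX_IPS,
        "risk_score": risk_score,
    }


if __name__ == "__main__":
    # Constructed sample input, standing in for the src_ips playbook input
    sample = ["8.8.8.8", "10.0.0.5", " 8.8.8.8 ", "not-an-ip", "1.1.1.1"]
    print(main(sample, 75))
```

Returning rejected and truncated alongside the valid addresses lets a later branch predicate or stop condition react to malformed or oversized input instead of silently dropping it.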
Use an Existing Action
Determine an action to use from the community hub or your own workspace:
To view all available actions, select the All tab.
To view actions created by someone else and shared in the community hub, select the Hub tab.
To view an action you previously created, select the Workspace tab or under Workspace Folders, select exabeam.
From the list, select an action.
Under Step Input, define the action inputs. The inputs can be:
A template string with placeholders interpolated for context variables. A placeholder is indicated by ${ and }; for example, `The case risk score is ${flow_input.risk_score}`.
A JavaScript expression evaluated when the playbook runs. You can use context variables and input variables in the expression.
A static value, used as is.
To insert a playbook input, a resource, or result of a previous step in your action input definition, you can append it to your definition or replace the existing definition:
To append a playbook input, resource, or previous result at the cursor position, select the input, resource, or result from the list.
To replace your existing definition, click Connect to another node's output, then select a playbook input, resource, or result from a previous step.
Add a For Loop to an Advanced Playbook
Add a for loop to iterate over items in a list in an advanced playbook.
In an advanced playbook, click Add step, then select For loop.
Do one iteration represents one iteration of the loop. Collect result of each iteration represents the end of the loop.
Configure the settings:
Summary – Enter a name or description of the loop.
Skip failures – Toggle this on if the for loop continues to the next item in the list even if the current item fails.
Run in parallel – Toggle this on if the for loop iterates over all items in the list in parallel.
Parallelism – Available only if you toggle Run in parallel on. To control large for loops, enter the maximum number of iterations run in parallel.
Iterator expression – Enter a JavaScript expression evaluated to get the list of items the for loop iterates over. You can also use the result of a previous step that contains several items.
To run an action on each iteration, under Do one iteration, add an action or other sequences of steps.
(Optional) To ensure the loop works and returns results as you expect, test a specific iteration of the loop.
Add a While Loop to an Advanced Playbook
Add a while loop to execute steps indefinitely until certain conditions are met or until you manually stop the playbook from running.
In an advanced playbook, click Add step, then select While loop.
Do one iteration represents one iteration of the loop. Collect result of each iteration represents the end of the loop.
If the while loop continues to the next iteration even if the current iteration raises an error, toggle Skip failures on.
To run an action on each iteration, under Do one iteration, add an action or other sequences of steps.
(Optional) Determine conditions under which the while loop or entire playbook stops:
To stop the while loop after an iteration, select While loop, then under Early Stop/Break, toggle Break loop on. Under Stop condition expression, define the conditions the iteration result must meet for the loop to stop.
To stop the while loop after a nested step is executed, select the action, navigate to Advanced > Early Stop, then toggle Break parent loop module on. Under Stop condition expression, define the conditions the action result must meet for the loop to stop.
To stop the entire playbook after all while loop iterations have run, select While loop, then under Early Stop/Break, toggle Stop flow if condition met on. Under Stop condition expression, define the conditions the step result must meet for the playbook to stop.
(Optional) To ensure the loop works and returns results as you expect, test a specific iteration of the loop.
Add a Branch to One to an Advanced Playbook
Add a branch to one to execute a different sequence of steps based on a condition.
To execute multiple sequences of steps in parallel, add a branch to all.
In an advanced playbook, click Add step, then select Branch to one. A default branch and a non-default branch are created. Collect result from all branches represents the end of the branch.
In Run one branch, configure the settings for the non-default branch:
Under Summary, enter a name for the branch. Names are helpful to keep track of multiple branches.
To define the condition that must be true for the branch to execute, click Edit Predicate, then in the text box, enter the predicate expression in JavaScript.
To create another non-default branch, click , then configure the settings for that branch.
The first branch whose predicate expression evaluates to true is executed.
Under each branch, add other steps.
Add a Branch to All to an Advanced Playbook
Add a branch to all to execute multiple sequences of steps.
To execute a single sequence of steps based on a condition, add a branch to one.
In an advanced playbook, click Add step, then select Branch to all. Two branches, Branch 1 and Branch 2, are created. Collect result from all branches represents the end of the branch.
To create another branch, click .
In Run all branches (parallel), for each branch, configure the settings:
Under Summary, enter a name for the branch. Names are helpful to keep track of multiple branches.
If the playbook should stop executing the branch if it raises an error, toggle Skip failure on.
If the branches run in parallel, toggle All branches run in parallel on. If All branches run in parallel is toggled off, the branches run consecutively.
Under each branch, add other steps.