S4E provides a visual playbook builder that lets you design multi-step security workflows without writing code. This guide walks you through creating a playbook from scratch.
Opening the Playbook Builder

  1. Navigate to Playbooks in the left sidebar.
  2. Click New Playbook.
  3. The visual builder opens with an empty canvas.

Playbook Metadata

Before adding steps, configure the playbook's basic information:

  1. Name -- A descriptive name (e.g., "Critical Vulnerability Response").
  2. Description -- Explain the playbook's purpose and when it should be used.
  3. Category -- Classify the playbook (Incident Response, Compliance, Remediation, etc.).
  4. Tags -- Add tags for searchability.

Defining Input Variables

Input variables define what data the playbook needs to start:

  1. Click Variables in the builder toolbar.
  2. Click Add Input Variable.
  3. Configure each variable:
    • Name -- Variable identifier (e.g., finding_id).
    • Type -- String, Number, Boolean, Finding, Asset, or List.
    • Required -- Whether the variable must be provided.
    • Default value -- Optional default if not provided.
    • Description -- Help text for users running the playbook.

Common input variables:

Variable             Type      Description
finding              Finding   The finding that triggered the playbook.
asset                Asset     The affected asset.
severity_threshold   String    Minimum severity to act on.
notify_channel       String    Notification channel name.

Adding Steps

Action Step

Executes a single action from the action library:

  1. Drag an Action block from the step palette onto the canvas.
  2. Select the action to execute from the library.
  3. Map input parameters using variables or static values.
  4. Name the step for clarity.

Condition Step

Branches the workflow based on a condition:

  1. Drag a Condition block onto the canvas.
  2. Define the condition expression:
    • {{finding.severity}} == "Critical" -- Check severity.
    • {{previous_step.status}} == "Success" -- Check previous step outcome.
    • {{asset.tags}} contains "production" -- Check asset tags.
  3. Connect the True path and False path to subsequent steps.
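As an added example (not S4E's own expression engine, which this page does not show), here is a small Python evaluator for condition expressions in the {{variable}} form listed above. It assumes the operator set ==, != and contains, and a constructed finding/asset/previous_step context whose shape is an assumption, not S4E's schema; unresolved variables and malformed expressions raise instead of silently evaluating to False, so a misconfigured condition cannot quietly route a Critical finding down the wrong branch.

```python
import re
from typing import Any

# Constructed sample context in the shape the {{...}} placeholders refer to
# (assumed layout for this example, not S4E's real data model).
SAMPLE_CONTEXT = {
    "finding": {"id": "F-1001", "severity": "Critical", "title": "Outdated TLS"},
    "asset": {"hostname": "web-01", "tags": ["production", "dmz"]},
    "previous_step": {"status": "Success"},
}

# Grammar assumed here:  {{dotted.path}} <op> "literal"   with op in ==, !=, contains
_COND = re.compile(r'^\s*\{\{\s*([\w.]+)\s*\}\}\s*(==|!=|contains)\s*"([^"]*)"\s*$')


def resolve(path: str, context: dict) -> Any:
    """Walk a dotted path such as finding.severity through nested dicts.

    Fails closed: an unknown variable raises rather than returning None."""
    value: Any = context
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            raise KeyError(f"unresolved variable: {path}")
        value = value[part]
    return value


def evaluate(expression: str, context: dict) -> bool:
    """Evaluate one condition expression against the context."""
    match = _COND.match(expression)
    if match is None:
        raise ValueError(f"unsupported condition syntax: {expression!r}")
    path, op, literal = match.groups()
    value = resolve(path, context)
    if op == "==":
        return value == literal
    if op == "!=":
        return value != literal
    # contains: membership for list-valued variables (e.g. asset.tags),
    # substring match for string-valued ones.
    if isinstance(value, (list, tuple, set)):
        return literal in value
    return isinstance(value, str) and literal in value


def choose_branch(expression: str, context: dict) -> str:
    """Return the name of the Condition step output port that fires."""
    return "True" if evaluate(expression, context) else "False"
```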

Approval Step

Pauses execution until a human approves:

  1. Drag an Approval block onto the canvas.
  2. Configure:
    • Approvers -- Who can approve (users, roles, or teams).
    • Approval mode -- Any one, all required, or quorum.
    • Timeout -- How long to wait before escalating or expiring.
    • Context message -- Information to display to the approver.
  3. Connect the Approved and Rejected paths.

Delay Step

Waits for a specified duration:

  1. Drag a Delay block onto the canvas.
  2. Set the delay duration (minutes, hours, or days).
  3. Common use: wait for a fix window before running a verification scan.

Parallel Step

Executes multiple steps simultaneously:

  1. Drag a Parallel block onto the canvas.
  2. Add sub-steps inside the parallel block.
  3. All sub-steps execute concurrently.
  4. The parallel block completes when all sub-steps finish.

Tip

Use parallel steps for independent operations like sending notifications to multiple channels simultaneously.

Connecting Steps

Connect steps by dragging from a step's output port to the next step's input port. The builder enforces valid connections:

  • Action steps have a single output.
  • Condition steps have True and False outputs.
  • Approval steps have Approved and Rejected outputs.
  • Parallel steps have a single output (after all sub-steps complete).

Error Handling Configuration

For each step, configure error behavior:

  1. Click on a step and open the Error Handling tab.
  2. Select the policy:
    • Stop playbook -- Halt execution on failure.
    • Continue -- Skip the failed step.
    • Retry -- Retry with configurable count and delay.
    • Fallback -- Execute an alternative step.

Testing Your Playbook

Before deploying:

  1. Click Test in the builder toolbar.
  2. Select a test mode:
    • Dry run -- Simulates execution without performing real actions.
    • Sandbox -- Executes against a test environment.
  3. Provide test input variables.
  4. Review the execution trace to verify behavior.

Warning

Always test playbooks in dry-run mode before enabling automatic triggers, especially for playbooks that modify production systems.

Saving and Publishing

  1. Click Save to save the playbook as a draft.
  2. Click Publish to make it available for execution.
  3. Published playbooks appear in the playbook library and can be triggered manually or automatically.

Cloning Existing Playbooks

To create a playbook based on an existing one:

  1. Navigate to the playbook library.
  2. Click the three-dot menu on the playbook you want to clone.
  3. Select Clone.
  4. Modify the cloned playbook as needed.
  5. Save with a new name.

What's Next?