Video: Playbooks - Under the Hood

Cydarm Playbooks - Under the Hood

Video Transcript:

0:00 Okay, in this video I want to talk a bit about playbooks and how they operate under the hood. So we've got this phishing email playbook here, which we've looked at in a different video.

0:13 And as you can see, it contains a number of different steps. Now, this is how it appears within Cydarm, but under the hood, these are all YAML files.

0:25 So we'll just open up the code here. I've just opened up these files in Visual Studio Code, and you can see we've got a number of different files here.

0:37 So this one here that I've got open at the moment is the phishing email playbook, the one we've just seen. Now we've got a number of other files here, and these are actually the individual actions within those playbooks.

1:00 So you can see, let's look at one of these actions. This is a YAML file, and you've got the title, the description, a bit of metadata around it.

1:13 And if we look at the playbook YAML file, it's similarly just a YAML file, but it contains references to the actions.

1:22 So you can see here how this phishing playbook contains references to each of the actions. So it's pretty basic how they operate.

1:36 Now what you can do with this is, for playbooks, if you want, you can export them. I'll actually do that now.

1:49 You'll see that it's actually a zip file, but it's a zip file containing the YAML files. Conversely, if you want, you can upload a playbook. Now, to upload a playbook, what you would do is first upload all of the individual YAML files, which are the actions within that playbook.

2:20 Once you've uploaded those, then you can upload the playbook, which will basically put together all of the actions that have already been uploaded into a single playbook.

2:32 One thing that is worth noting is that these playbook actions' names actually have to be unique. So if I was to try and upload another action with the same name as this one, then that's going to throw an error.

2:50 In fact, we can do that now. So, phishing target investigation, upload, and we actually get an error because that one already exists.

3:04 So if you do want to edit playbooks, the actual YAML files themselves, it's just important to remember that: you'll need to make sure that the playbook action names are unique.

3:17 But also that means if you want to reuse playbook actions, what you could do is, let's say this one, R 2 0 0 1, capturing malicious links.

3:32 That's a fairly generic action, so I might use that in a malware playbook that contains malicious links. So what I can actually do is create a malicious email, like a malicious file playbook, that might reference this particular action.

3:52 So essentially I can reuse that action. Anyway, I just wanted to give a bit of insight into how the playbook files operate under the hood.

4:02 Thanks for watching.