Playbooks & SOAR Engine
Visual playbook builder, execution engine with conditional branching, parallel steps, approval gates, 10+ action handlers, and 7 demo playbooks.
Status
Built
Action Handlers
10
Demo Playbooks
7
Templates
10+
Overview
The SOAR (Security Orchestration, Automation, and Response) engine provides a complete playbook lifecycle: visual building, template instantiation, version-controlled editing, advanced execution with conditional branching, parallel step groups, approval gates, error handling, and dry-run mode. The production ActionDispatcher in soar_actions.py provides 10 action handlers with retry logic, audit logging, and graceful degradation when external APIs are unavailable.
What Was Proposed
- Visual playbook builder with drag-and-drop step management
- 10+ pre-built playbook templates (phishing, ransomware, malware, brute force, etc.)
- Advanced execution: conditional branching, parallel steps, approval gates, loops
- 10+ SOAR action types with production-quality handlers
- Version tracking with rollback capability
- Execution metrics and per-playbook analytics
- Import/export playbooks as JSON
- Dry-run mode for testing
What's Built
| Feature | Status | Details |
|---|---|---|
| Playbook CRUD | Complete | Create, read, update (full + partial), delete, list with filters |
| Template Library | Complete | 10+ templates: phishing, ransomware, malware, brute force, cloud compromise, data exfiltration, etc. |
| Template Instantiation | Complete | Create playbook from template with optional customizations |
| Visual Builder | Complete | POST /build for visual builder, import from JSON, validation |
| Execution Engine | Complete | Step-by-step execution with status tracking, parallel groups, approval gates |
| Approval Gates | Complete | Pause execution at approval steps, approve/reject via API |
| Version Tracking | Complete | Version history per playbook, rollback to previous versions |
| Clone & Export | Complete | Clone playbooks with new name, export as JSON |
| Execution Metrics | Complete | Overall and per-playbook metrics, top playbooks by runs/success |
| Cancel Execution | Complete | Cancel running or paused executions |
| Dry-Run Mode | Complete | Execute without side effects for testing |
SOAR Action Handlers (soar_actions.py)
| Action Type | Handler | Description |
|---|---|---|
| enrich_ioc | EnrichIOCHandler | IOC enrichment via VirusTotal, AbuseIPDB, internal TI |
| isolate_endpoint | IsolateEndpointHandler | Network isolation of compromised endpoints |
| block_ip | BlockIPHandler | Block IP on firewall/WAF/blocklist |
| create_incident | CreateIncidentHandler | Create incident record with severity |
| send_notification | SendNotificationHandler | Send alerts to Slack, email, PagerDuty |
| run_query | RunQueryHandler | Execute SIEM queries (lateral movement scan, etc.) |
| update_severity | UpdateSeverityHandler | Update alert/incident severity |
| assign_analyst | AssignAnalystHandler | Assign analyst using skill-based routing |
| add_tag | AddTagHandler | Tag alerts with metadata labels |
| evaluate_condition | EvaluateConditionHandler | Conditional branching based on field values |
All handlers follow a validate -> execute -> (optional rollback) lifecycle. External-facing handlers fall back to dry-run mode when API keys are not configured.
Architecture
Execution Flow
PlaybookExecutor.execute_playbook(playbook, trigger_context)
|
for each step in playbook.steps:
|
+-- type: "action" -> ActionDispatcher.dispatch(action_type, config, event)
| |-> validate() -> execute() -> ActionResult
| |-> retry on failure (3 attempts, exponential backoff)
| |-> audit log every execution
|
+-- type: "condition" -> evaluate field against operator/value
| |-> on_true: jump to step X
| |-> on_false: jump to step Y
|
+-- type: "parallel_group" -> asyncio.gather(parallel_steps)
|
+-- type: "approval_gate" -> pause execution, wait for human approval
| |-> POST /executions/{id}/gates/{step_id}/approve
|
+-- type: "notification" -> SendNotificationHandlerAPI Routing
Router prefix: /api/v1/playbooks — Tag: playbooks
Templates
GET/templatesList playbook templates (optional category filter)
GET/templates/{template_id}Get template detail
POST/templates/{template_id}/instantiateCreate playbook from template
Metrics
GET/metricsOverall execution metrics
GET/metrics/topTop playbooks by metric (runs, success)
Executions (Global)
GET/executionsList all executions (filter by playbook, status)
GET/executions/{execution_id}Execution detail with step log
POST/executions/{execution_id}/cancelCancel running/paused execution
POST/executions/{id}/gates/{step_id}/approveApprove/reject approval gate
Builder
POST/buildCreate playbook via visual builder
POST/importImport playbook from JSON
POST/validateValidate playbook definition
CRUD
GET/List playbooks (filter by enabled)
GET/{playbook_id}Detail with recent executions
POST/Create playbook
PUT/{playbook_id}Full update with version tracking
PATCH/{playbook_id}Partial update
DELETE/{playbook_id}Delete playbook
Versioning & Execution
GET/{playbook_id}/versionsVersion history
POST/{playbook_id}/rollbackRollback to version
POST/{playbook_id}/cloneClone with new name
POST/{playbook_id}/validateValidate by ID
POST/{playbook_id}/exportExport as JSON
POST/{playbook_id}/executeExecute playbook
GET/{playbook_id}/executionsExecution history for playbook
GET/{playbook_id}/metricsPer-playbook metrics
Prerequisites
- PostgreSQL with
playbooksandplaybook_executionstables (TenantScopedBase) - Pydantic schemas in
app/schemas/playbook.py - Tenant middleware for
request.state.tenant_id - External API keys for live SOAR actions (optional -- dry-run fallback available)
Data Model
File: platform/api/app/models/playbook.py
Playbook
Table: playbooks
| Column | Type | Description |
|---|---|---|
| name | String(255) | Playbook name |
| description | Text | Description |
| trigger_type | Enum (manual, alert_severity, incident_type, scheduled, alert_created, webhook) | Trigger type |
| trigger_conditions | JSON | Trigger conditions (severity, alert_type, source) |
| steps | JSON | Ordered step definitions (action, condition, parallel, gate) |
| enabled | Boolean | Active flag |
| tags | JSON | Tags array |
| severity_filter | JSON | Applicable severity levels |
| version | Integer | Current version number |
| version_history | JSON | Array of previous versions |
PlaybookExecution
Table: playbook_executions
| Column | Type | Description |
|---|---|---|
| playbook_id | FK → playbooks | Parent playbook |
| trigger_event | JSON | Alert/event that triggered execution |
| status | Enum (pending, running, completed, failed, paused, cancelled) | Execution lifecycle status |
| started_at | DateTime | Execution start time |
| completed_at | DateTime | Execution end time |
| results | JSON | Step-by-step results with status, duration_ms, output |
| executed_by | String(36) | User or "system" |
| dry_run | Boolean | Dry-run flag |
UI Description
File: platform/frontend/src/app/playbooks/page.tsx
- Playbook List -- Filterable card grid showing name, trigger type, tags, enabled/disabled toggle, step count, last execution
- Execution History -- Timeline view with step-by-step results, duration per step, status badges (completed/failed/paused), approval gate indicators
- Template Gallery -- Browse 10+ pre-built templates by category, one-click instantiation with customization modal
- Builder View -- Step editor with action type selector, configuration forms, condition builder, parallel group nesting
- Metrics Dashboard -- Overall and per-playbook metrics: total runs, success rate, avg duration, top playbooks chart