Creating and managing branching playbooks in Cydarm with CACAO

Create more complex workflows with a branching CACAO playbook. CACAO playbooks can be useful for managing scenarios where there may be different workflows required depending on what is discovered along the course of the investigation.

 

You can use CACAO playbooks in your Cydarm instance by either uploading existing playbooks in a JSON format via our Playbooks screen (using the Upload Playbook or Action button) or by creating new ones using our Roaster integration.

 

To create and edit a CACAO playbook, you must be in the user and playbook editor ACL groups.

 

Cydarm includes a Roaster integration in every stack. Roaster is an open source visual editor for CACAO playbooks, and is the easiest way to get started with this workflow. 

 

To start, go to the Playbooks screen and click the Create new branching (CACAO) playbook. This will open the Roaster editor.

 

By default, new playbooks are created with the name Playbook Name. To change this, click on Metadata in the top toolbar, and edit the Name field. You can also add an optional description. 

 

CACAO playbooks must be valid in order to be published correctly. Errors are displayed in the bottom left corner as you edit. Clicking on this warning will show more details about what is required to validate the playbook. 

 

For a more detailed list of requirements to validate a CACAO playbook for publication, see the CACAO spec.

 

You can store drafts as you edit a playbook. Playbooks that are draft only (i.e. have never been published) are shown by the Draft label in the playbook list. These playbooks won’t be previewed, but instead will display an Edit in Roaster button. Playbooks can be visually displayed within Roaster.

 

Updated drafts of already published CACAO playbooks can also be stored. When clicking on the playbook in the playbook list, the visual preview will always show the active published version. If there is a more recent draft than the active published version, a Draft in progress label will appear in the top right within the playbook view. Opening the Roaster editor will open this latest draft. 

 

Important notes

• Draft saving: Playbooks drafts do not save automatically. Please remember to click the Save draft button to preserve your progress while editing. 
• Single draft storage: Only one draft version of each playbook can be stored at a time. If you need to save multiple drafts of a particular, use the Export to file feature in Roaster to save draft copies offline. 
• Playbook status indicator: Currently, the playbook status indicator may not accurately reflect "completed" steps for CACAO. This feature will be addressed in a future release.