
Automation Management Guide

Create an Automation Management Playbook

Create a playbook to automate complex, manual, or repetitive tasks.

  1. Click + New Playbook.

  2. In New Playbook Name, enter a playbook name.

  3. Under Trigger, define the playbook trigger:

    1. Click Select object, then select a trigger object: Alert or Case.

    2. Click Select trigger, then select the situation that occurs to the trigger object: is created or is modified.

  4. Under Condition, define what conditions the trigger object must satisfy for the playbook to execute.

    1. Click Select object, then select a trigger object attribute.

    2. Click Select condition, then select an operator from the list. Depending on the operator you select, you may need to enter or select a value.

    3. (Optional) To add additional condition properties, click the add icon. The trigger object must meet all properties for the condition to be satisfied.

    4. (Optional) To add additional conditions, click + Condition, then define another set of conditions.

      If you add multiple conditions, you must define which of these conditions the trigger object must satisfy for the playbook to execute: if the trigger object must match all conditions for the playbook to execute, click Match All; if the trigger object can match any condition for the playbook to execute, click Match Any.

  5. Under Action, define actions the playbook executes after it's triggered and meets the conditions you defined. You can use each action only once. Click Select action, then select an action:

    • Change Priority to – Change the trigger object priority. Click Select field, then select the new priority.

    • Add to Use Cases – Add an associated Exabeam use case to the trigger object. Click Select field, then select an Exabeam use case.

    • Add to Tags – Add a tag to the trigger object. Click Select field, then select a tag.

    • Add to MITRE – Add an associated MITRE ATT&CK® tactic and technique to the trigger object. Click Select field, then select an ATT&CK tactic and technique.[1]

    • Escalate to a case – If the trigger object is an alert, create a case from the alert. Select at least one attribute the resulting case contains:

      • and stage to – Assign the case to a case stage. Click Select field, then select a case stage. If you select Closed, enter the reason you're closing the case in the text box. By default, the reason entered is Closed via Automation.

        If you don't assign the case to a stage, it's assigned the first stage in your response workflow by default.

      • and assign to – Assign the case to a user. Click Add up to 1 values... then select a user. You should select a user who is a member of the queue you select in the Escalate to a case > and queue to action. If you assign the case to a user who is not a queue member, the assignee is automatically changed to Unassigned in the resulting case.

        If you don't assign the case to a user, it's Unassigned by default.

      • and queue to – Assign the case to a queue. Click Add up to 1 values... then select a queue.

        If you assign a case to a queue and the assignee you select in the Escalate to a case > and assign to action is not a queue member, the assignee is automatically changed to Unassigned in the resulting case.

        If you don't assign the case to a queue, it's assigned to the Tier 1 pre-built queue by default.

    • Send all threat details via email – Send case or alert information to email. Click Select field, then select up to five email addresses.

    • Send all threat details via webhook – Send case or alert information to webhooks. Click Select field, then select webhooks of interest.

    To add additional actions, click the add icon. The playbook executes all defined actions.

  6. Click Save.
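The following Python model is an added illustration, not Exabeam's own code: it evaluates a playbook the way the steps above describe (trigger object and event, conditions whose properties are ANDed and then combined with Match All or Match Any, and the Escalate to a case defaults of first stage, Tier 1 queue and an assignee reset to Unassigned when the user is not a member of the chosen queue). The operator names, stage names, queue membership, the sample playbook and the sample alert are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
import operator

# Constructed operator table; the product offers its own operator list in the UI.
OPERATORS = {
    "equals": operator.eq,
    "not equals": operator.ne,
    "contains": lambda actual, expected: expected in (actual or ()),
    "greater than": operator.gt,
}

# Hypothetical response workflow (first stage is the default) and queue membership.
STAGES = ["New", "In Progress", "Closed"]
QUEUE_MEMBERS = {"Tier 1": {"analyst.a"}, "Tier 2": {"analyst.b"}}


@dataclass
class Property:
    """One property inside a condition: attribute <operator> value."""
    attribute: str
    op: str
    value: object = None

    def holds(self, obj):
        return OPERATORS[self.op](obj.get(self.attribute), self.value)


@dataclass
class Playbook:
    name: str
    trigger_object: str                               # "Alert" or "Case"
    trigger_event: str                                # "is created" or "is modified"
    conditions: list = field(default_factory=list)    # each condition is a list of Properties (all must hold)
    match: str = "Match All"                          # or "Match Any"
    actions: dict = field(default_factory=dict)       # each action may be used only once


def conditions_satisfied(pb, obj):
    # Within one condition every property must hold; across conditions Match All / Match Any applies.
    per_condition = [all(p.holds(obj) for p in cond) for cond in pb.conditions]
    if not per_condition:
        return True
    return all(per_condition) if pb.match == "Match All" else any(per_condition)


def should_execute(pb, obj, event):
    return obj["type"] == pb.trigger_object and event == pb.trigger_event and conditions_satisfied(pb, obj)


def escalate_to_case(alert, opts):
    stage = opts.get("stage", STAGES[0])          # default: first stage of the workflow
    queue = opts.get("queue", "Tier 1")           # default: pre-built Tier 1 queue
    assignee = opts.get("assignee", "Unassigned")
    # An assignee who is not a member of the selected queue becomes Unassigned.
    if assignee not in QUEUE_MEMBERS.get(queue, set()):
        assignee = "Unassigned"
    case = {"type": "Case", "source_alert": alert["id"], "stage": stage, "queue": queue, "assignee": assignee}
    if stage == "Closed":
        case["close_reason"] = opts.get("close_reason", "Closed via Automation")
    return case


def run_playbook(pb, obj, event):
    """Return None when the playbook does not fire, else the updated object and side effects."""
    if not should_execute(pb, obj, event):
        return None
    obj = dict(obj)
    acts = pb.actions
    if "priority" in acts:
        obj["priority"] = acts["priority"]
    for key in ("use_cases", "tags", "mitre"):          # Add to Use Cases / Tags / MITRE
        if key in acts:
            obj[key] = list(obj.get(key, [])) + [acts[key]]
    result = {"object": obj}
    if "escalate" in acts and obj["type"] == "Alert":   # Escalate to a case applies to alerts only
        result["case"] = escalate_to_case(obj, acts["escalate"])
    if "email" in acts:
        result["email_to"] = list(acts["email"])[:5]    # the UI allows up to five addresses
    if "webhooks" in acts:
        result["webhooks"] = list(acts["webhooks"])
    return result


# Constructed sample: fire on new high-risk service-account alerts OR on after-hours alerts.
SAMPLE_PLAYBOOK = Playbook(
    name="Escalate risky alerts",
    trigger_object="Alert",
    trigger_event="is created",
    conditions=[
        [Property("risk_score", "greater than", 80), Property("user_type", "equals", "service")],
        [Property("tags", "contains", "after-hours")],
    ],
    match="Match Any",
    actions={
        "priority": "High",
        "tags": "auto-escalated",
        "escalate": {"queue": "Tier 2", "assignee": "analyst.a"},   # analyst.a is not in Tier 2
        "email": ["soc@example.com"],
    },
)

SAMPLE_ALERT = {"id": "alert-1", "type": "Alert", "risk_score": 90,
                "user_type": "service", "priority": "Medium", "tags": []}


def demo():
    return run_playbook(SAMPLE_PLAYBOOK, SAMPLE_ALERT, "is created")
```

Running demo() shows the first condition holding and the second failing, which is enough under Match Any; the resulting case lands in Tier 2 with the assignee reset to Unassigned because the selected user is not a member of that queue, and the same alert on an "is modified" event does not fire the playbook at all.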




[1] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.