Create a Playbook

Create a playbook to automate your workflow and respond more quickly and efficiently to attacks.

You can create your own playbook only if you're assigned an Incident Responder seat. If you aren't assigned an Incident Responder seat, you can only use turnkey playbooks.

Before you begin, ensure you're familiar with the logic of compound, relational, and conditional operators.
1. In the sidebar, click PLAYBOOKS.
2. Click Add a new playbook.
3. Enter information about the playbook:
   - Playbook template – Choose a template from the list. To create an empty playbook, select New Playbook.
   - Name – Give your playbook a unique name.
   - (Optional) Description – Describe your playbook, what it does, and when it should be used.
4. Click Create. The playbook contains a start node and an end node. If you selected a template, the playbook also contains other nodes based on the template.
5. Define the logic of your playbook: add a node, and configure action, decision, or filter nodes. As you design your playbook, keep in mind:
   - All nodes must be linked in some way to the start and end node; otherwise, you can't run the playbook.
   - You can only use the output from the previous node as an input for the next node.
   - You can use the output of one node in another only if the latter node takes in data of the same type. For example, if one node outputs a list of URLs, you can't link it to a node that takes in a list of IP addresses.
   - You must configure all necessary input fields for a given node. If you haven't configured one or more necessary fields, the node is outlined in red.
   - You can run up to 80 action nodes simultaneously.
6. Click Save. You may save your playbook at any time, but if it contains an error, it won't run and is disabled by default. Your playbook appears in the list on the PLAYBOOKS page.
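The design rules in step 5 are exactly the kind of checks a playbook editor applies before it lets a playbook run. The following is an added example, written for this page and not Exabeam's own code or API: it models a playbook as a directed graph of typed nodes and validates the four rules (every node linked to start and end, matching output/input data types on each link, required fields configured, and at most 80 action nodes fanning out from one node). The node kinds, type names such as `list[url]`, and the way "simultaneously" is modelled as fan-out from a single predecessor are all assumptions for illustration.

```python
"""Validator for the playbook design rules above (added example, not Exabeam code)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_PARALLEL_ACTIONS = 80  # limit stated on the page


@dataclass
class Node:
    kind: str                                  # "start", "end", "action", "decision", "filter"
    input_type: Optional[str] = None           # data type consumed, e.g. "list[url]" (assumed names)
    output_type: Optional[str] = None          # data type produced
    required_fields: Tuple[str, ...] = ()      # fields that must be configured before the node runs
    config: Dict[str, str] = field(default_factory=dict)


@dataclass
class Playbook:
    nodes: Dict[str, Node]                     # name -> Node; must contain "start" and "end"
    edges: List[Tuple[str, str]]               # (from_name, to_name) links


def _reachable(edges, origin, forward=True):
    """Breadth-first set of nodes reachable from origin (forward) or that reach it (backward)."""
    adj = {}
    for a, b in edges:
        src, dst = (a, b) if forward else (b, a)
        adj.setdefault(src, []).append(dst)
    seen, queue = {origin}, deque([origin])
    while queue:
        n = queue.popleft()
        for m in adj.get(n, []):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def validate(pb: Playbook) -> List[str]:
    """Return a list of rule violations; an empty list means the playbook may run."""
    errors = []
    for a, b in pb.edges:
        for n in (a, b):
            if n not in pb.nodes:
                errors.append(f"edge {a}->{b}: unknown node {n}")
    if errors:
        return errors
    # Rule 1: every node must be on some path from start and on some path to end.
    from_start = _reachable(pb.edges, "start")
    to_end = _reachable(pb.edges, "end", forward=False)
    for name, node in pb.nodes.items():
        if name not in from_start or name not in to_end:
            errors.append(f"{name}: not linked to both start and end")
        # Rule 3: all required input fields must be configured (the UI outlines such nodes in red).
        missing = [f for f in node.required_fields if f not in node.config]
        if missing:
            errors.append(f"{name}: required fields not configured: {', '.join(missing)}")
    # Rule 2: a link is valid only when the producer's output type equals the consumer's input type.
    for a, b in pb.edges:
        out_t, in_t = pb.nodes[a].output_type, pb.nodes[b].input_type
        if out_t and in_t and out_t != in_t:
            errors.append(f"{a}->{b}: output {out_t} cannot feed input {in_t}")
    # Rule 4 (assumption): action nodes sharing one predecessor run simultaneously.
    fan_out: Dict[str, int] = {}
    for a, b in pb.edges:
        if pb.nodes[b].kind == "action":
            fan_out[a] = fan_out.get(a, 0) + 1
    for a, count in fan_out.items():
        if count > MAX_PARALLEL_ACTIONS:
            errors.append(f"{a}: fans out to {count} action nodes (limit {MAX_PARALLEL_ACTIONS})")
    return errors


def example_playbook(valid: bool = True) -> Playbook:
    """Constructed sample: start -> extract URLs -> URL reputation lookup -> end."""
    nodes = {
        "start": Node("start"),
        "extract_urls": Node("action", input_type="incident", output_type="list[url]",
                             required_fields=("source",), config={"source": "alert"}),
        "url_lookup": Node("action", input_type="list[url]", output_type="list[verdict]",
                           required_fields=("service",), config={"service": "reputation"}),
        "end": Node("end"),
    }
    edges = [("start", "extract_urls"), ("extract_urls", "url_lookup"), ("url_lookup", "end")]
    if not valid:
        # Three deliberate mistakes: a list-of-IP node fed with URLs (and never reaching end),
        # an unlinked node, and a node with its required field left blank.
        nodes["ip_lookup"] = Node("action", input_type="list[ip]", output_type="list[verdict]")
        edges.append(("extract_urls", "ip_lookup"))
        nodes["orphan"] = Node("filter")
        nodes["url_lookup"].config = {}
    return Playbook(nodes, edges)


def wide_playbook(n: int) -> Playbook:
    """Constructed sample: start fans out to n action nodes that all feed end."""
    pb = Playbook({"start": Node("start"), "end": Node("end")}, [])
    for i in range(n):
        pb.nodes[f"a{i}"] = Node("action")
        pb.edges += [("start", f"a{i}"), (f"a{i}", "end")]
    return pb


if __name__ == "__main__":
    print("valid:", validate(example_playbook()))
    print("invalid:", *validate(example_playbook(valid=False)), sep="\n  ")
    print("too wide:", validate(wide_playbook(81)))
```

Running the block prints no errors for the valid sample, four distinct violations for the broken one (one per rule the page lists, with the type mismatch reported as `list[url] cannot feed input list[ip]`), and a fan-out violation for 81 parallel action nodes. The same structure, applied in a CI step to exported playbook definitions, catches the "outlined in red" problems before a playbook is saved in a disabled state.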