Cloud-delivered Incident Responder

Respond to Security Incidents

Use Incident Responder to respond to security incidents. Run pre-configured turnkey playbooks that are ready out of the box. Create your own custom playbook that fits your specific needs, and consider using templates to get started quickly. Run playbooks automatically using triggers or manually from an incident's workbench.

  • Turnkey Playbooks

    Fully pre-configured turnkey playbooks are ready to run out of the box.

  • Create a Playbook

    Create a playbook to automate your workflow, and respond more quickly and efficiently to attacks.

  • Playbook Templates

    If you don't want to create a playbook from scratch, use a template. These templates come out-of-the-box or you can import your own from an existing playbook.

  • Create a Playbook Trigger

    For a playbook to run automatically, define which circumstances and conditions trigger the playbook. You define a playbook trigger from the PLAYBOOKS page, or when you create or edit a playbook.

  • Manually Run an Action

    Instead of automating an action using a playbook, run an action manually on an incident from its workbench.

  • Manually Run a Playbook

    Instead of triggering a playbook with a certain scenario, run a playbook manually on a specific incident from its workbench.

  • Clear an Incident's Playbook and Action Outputs

    In the workbench, the outputs of all the playbooks and actions you've ever run accumulate, so it's hard to tell what's most recent. Clean up your workbench and only display the latest results.

Turnkey Playbooks

Fully pre-configured turnkey playbooks are ready to run out of the box.

Turnkey playbooks are pre-configured playbooks that are ready for you to run, without having to purchase additional services to get the actions you need. If you have a Fusion license, you can run all turnkey playbooks, even without an Incident Responder add-on.

Turnkey playbooks are listed alongside the playbooks you created on the PLAYBOOKS page. Like a playbook you created yourself, you can run them manually or automatically with a playbook trigger. If you have a Fusion license, you must have an Incident Responder add-on to add triggers to turnkey playbooks.

Turnkey playbooks use out-of-the-box services that are free to use, including Exabeam Case Manager, Exabeam AA Default, Exabeam Actions, and Yara.

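There are five turnkey playbooks:

  • Threat Intelligence Reputation Lookup

  • Phishing

  • Malware

  • Automated Incident Classification

  • Automated Incident Enrichment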

You can modify turnkey playbooks to customize them to your needs. If you have a Fusion license, you must have an Incident Responder add-on to modify turnkey playbooks.

Threat Intelligence Reputation Lookup Turnkey Playbook

Analyze and triage suspicious emails and change an incident's priority with the Threat Intelligence Reputation Lookup turnkey playbook.

The Threat Intelligence Reputation Lookup turnkey playbook helps you analyze and triage suspicious emails, like potential spam and phishing emails. It changes a Case Manager incident's priority based on the reputation of an email entity and its artifacts.

First, the playbook assesses the reputation of the incident's entities, including:

  • Files attached to the email

  • IP addresses

  • Domains of any URLs in the email body

  • Domain of the sender's email address

If the playbook finds any IP addresses with a malicious reputation, it searches for other incidents that have the same IP address entity or artifact. View the output in the incident's workbench, under IR INCIDENTS WITH IOC.

If any entity or artifact has a malicious reputation, the playbook escalates the incident's priority to Critical. If none of the artifacts have a malicious reputation, the playbook de-escalates the incident's priority to Low.

The Threat Intelligence Reputation Lookup turnkey playbook is similar to the Phishing turnkey playbook, but only analyzes entity and artifact reputations and changes an incident's priority and status. To get even more information for your investigation and automate your response to a phishing incident, use the Phishing turnkey playbook instead.

Phishing Turnkey Playbook

Analyze suspicious emails, detonate malicious email attachments, and change an incident's priority and status with the Phishing turnkey playbook.

The Phishing turnkey playbook helps you analyze, triage, and respond to suspicious emails, like potential spam and phishing emails. It changes a Case Manager incident's priority based on the reputation of the evidence. It also gathers information about the email recipient from Advanced Analytics and detonates any malicious files in a sandbox.

First, the playbook assesses the reputation of the incident's entities and other evidence, including:

  • Files attached to the email

  • IP addresses

  • Domains of any URLs in the email body

  • Domain of the sender's email address

If the playbook finds any entity with a malicious reputation, it searches for other incidents with the same entity. View the output in the incident's workbench, under IR INCIDENTS WITH IOC. Then, it escalates the incident's priority to Critical. If the playbook doesn't find any entity with a malicious reputation, it changes the incident's priority to Low.

From Advanced Analytics, the playbook retrieves the email recipient's risk score, top device, and other additional contextual information about the recipient. View the output in the incident's workbench, under GET USER RISK SCORES – EXABEAM AA DEFAULT, GET TOP DEVICE FOR USER - EXABEAM AA DEFAULT, and GET USER INFORMATION – EXABEAM AA DEFAULT.

If the playbook finds any files with a malicious reputation, it detonates the file in a sandbox.

Keep in mind that you may input only a limited number of files, URLs, or other entities and artifacts to Exabeam Actions' Sandbox by Detonate action per day, at Exabeam's sole discretion. Exabeam throttles your inputs to prevent internal services from overloading and to ensure all Exabeam users can access the action. The exact number of entities and artifacts you can input varies per day.

The Phishing turnkey playbook is similar to the Threat Intelligence Reputation Lookup turnkey playbook, but also includes additional actions for gathering Advanced Analytics data and detonating malicious files. To quickly assess and view the reputation of an incident's entities and artifacts, run the Threat Intelligence Reputation Lookup turnkey playbook instead.

Malware Turnkey Playbook

Analyze suspicious files and detonate potential malware with the Malware turnkey playbook.

The Malware turnkey playbook helps you analyze, triage, and detonate suspicious files that may be potential malware. Depending on the reputation of the file entities and their related hashes, it changes the incident's priority and comments on the incident.

First, the playbook gathers the file entities and artifacts from an incident. Then, it scans and assesses the reputation of the files, and detonates them in a sandbox. It also assesses the reputation of any associated MD5, SHA1, and SHA256 hashes. View the output in the workbench under SCAN FILE – YARA.

If any file entities, artifacts, or hashes have a malicious reputation, it changes the incident's priority to Critical and comments on the incident: "Exabeam Actions detected at least one malicious file on this incident. As a result, the priority has been raised to critical." If none of the files, entities, and hashes have a malicious reputation, it changes the incident's priority to Low and comments on the incident: "Exabeam Actions didn't detect malicious files on this incident. As a result, the priority has been changed to low."

If the associated hashes have a malicious reputation, the playbook searches for other incidents with the same hashes. View the output in the workbench, under IR INCIDENTS WITH IOC.

If you configured any third-party services, you can customize the Malware turnkey playbook and make it more robust. For example, if your incident doesn't have a file entity or artifact, you can use a Get File action to retrieve a file from another data source. You can also take further action on the malware; for example, using Okta's Suspend User action, CarbonBlack Response's or FireEye's Isolate (Contain) Host action, CiscoAMP's Isolate Host action, or Quarantine Host action from various services.

Keep in mind that you may input only a limited number of files, URLs, or other entities and artifacts to Exabeam Actions' Sandbox by Detonate action per day, at Exabeam's sole discretion. Exabeam throttles your inputs to prevent internal services from overloading and to ensure all Exabeam users can access the action. The exact number of entities and artifacts you can input varies per day.

Automated Incident Classification Turnkey Playbook

Classify Behavior Analytics incidents into the correct incident type with the Automated Incident Classification turnkey playbook.

When an Advanced Analytics user or asset session becomes notable, Case Manager automatically creates an incident with the Behavior Analytics incident type. The Automated Incident Classification turnkey playbook analyzes the session to accurately change the incident's type, helping you make sense of all the evidence in Advanced Analytics and quickly diagnose what threat you're investigating. It's important that incidents have the correct incident type so you standardize the evidence you collect and define tasks for investigating, containing, and remediating the incident.

First, the playbook retrieves the Exabeam Threat Detection, Investigation, and Response (TDIR) Use Case Packages rule tags associated with the session's triggered rules. View the output in the workbench, under GET RULE LABELS – EXABEAM AA DEFAULT.

Depending on the rule tag, the playbook adds an incident type.

If the session is associated with any of these rule tags, the playbook adds the corresponding incident type to the incident:

  • Rule tags: 3rd Party Security Alerts, Abnormal Application Access, Abnormal Authentication & Access, Abnormal Database Access, Abnormal File Access, Abnormal VPN Access, Abnormal Web Access, Compromised Asset, Compromised Service Account, Credential Theft
    Incident type: Compromised Credentials

  • Rule tags: Abnormal Network Connections, Abnormal Remote Access, Pass the Hash, Pass the Ticket
    Incident type: Lateral Movement

  • Rule tags: Account Switch, Bypass Access Controls, Discovery, DLL Hijacking and Side Loading, Permission Changes
    Incident type: Privilege Escalation

  • Rule tags: Activity on Domain Controllers, Disabled Account Activity, Executive Account Activity, Privileged Account Activity, Privileged Asset Activity, Privileged Process Execution
    Incident type: Privileged Activity

  • Rule tags: Abnormal Account Management Activity, Abnormal Directory Services Activity, Account Creation Activity, Account Deletion Activity, Membership and Permission Modifications, System Account Activity
    Incident type: Account Manipulation

  • Rule tags: Data Exfiltration, Data Exfiltration via DNS, Data Exfiltration via Web
    Incident type: Data Exfiltration

  • Rule tags: Audit Tampering, Destruction of File Data, Evasion
    Incident type: Evasion

  • Rule tags: Data Leak, Data Leak via Email, Data Leak via Printer, Data Leak via Removable Device, Data Leak via Web
    Incident type: Data Leak

  • Rule tags: Access to Application Data, Access to File Data, Database Activity Monitoring
    Incident type: Data Access Abuse

  • Rule tags: Account Manipulation, Disabled Account Abuse, Executive Account Abuse, Privilege Abuse, Privileged Account Abuse, Privileged Asset Abuse, Service Account Abuse
    Incident type: Privilege Abuse

  • Rule tags: Audit Log Manipulation
    Incident type: Audit Tampering

  • Rule tags: Data Deletion
    Incident type: Destruction of Data

  • Rule tags: Access to Physical Space
    Incident type: Physical Security

  • Rule tags: Remote Workforce, Risk of Attrition, Spam
    Incident type: Workforce Protection

  • Rule tags: Abnormal User Activity
    Incident type: Abnormal Authentication and Access

  • Rule tags: Brute Force Attack
    Incident type: Brute Force Attack

  • Rule tags: Cryptomining
    Incident type: Cryptomining

  • Rule tags: Malware
    Incident type: Malware

  • Rule tags: Phishing
    Incident type: Phishing

  • Rule tags: Ransomware
    Incident type: Ransomware

View which incident type was added in the workbench, under MODIFY INCIDENT TYPE – INTERNAL or under the Incident Type incident field.

Automated Incident Enrichment Turnkey Playbook

Gather evidence from an Advanced Analytics session and add it to the corresponding Case Manager incident with the Automated Incident Enrichment turnkey playbook.

When an Advanced Analytics Smart Timeline™ user or asset session becomes notable, Case Manager automatically creates an incident with the Behavior Analytics incident type. The Automated Incident Enrichment turnkey playbook gathers additional contextual or supporting information from the Advanced Analytics session and populates the Case Manager incident so you have everything you need to investigate the incident.

First, the playbook returns the session's anomalous activity, and gathers evidence to add to the Case Manager incident:

  • The playbook returns the MITRE ATT&CK® tactics and techniques rule tags associated with the session. View the output in the workbench under GET RULE LABELS – EXABEAM AA DEFAULT.

  • The playbook gathers all the rules triggered during the notable session and other related details, like the rule description, rule category, and associated model name. View the output in the workbench under GET TRIGGERED RULES – EXABEAM AA DEFAULT.

  • The playbook gathers other relevant evidence about the event, including event type, event ID, raw log time, and details about any processes, files, domains, hosts, URLs, or email addresses involved. View the output in the workbench under GET EVENT INFO – EXABEAM AA DEFAULT.

    Then, it adds this evidence to the incident in incident fields, or as entities or artifacts. For example, it adds the destination IP to the incident as an IP artifact. In the workbench, view the information and whether an entity or artifact was created under ADD TO INCIDENT – INTERNAL.

If the incident involves a notable user, the playbook returns the user's past anomalous behavior, including their risk score for every session in the past 14 days and all the rules triggered in the user's sessions in the past 14 days. Then, it collects any additional contextual information about the user and searches for other Case Manager incidents involving the user. View the output in the workbench, including:

  • Risk score for each session in the past 14 days, under GET USER RISK SCORE – EXABEAM AA DEFAULT.

  • All rules triggered in the user's sessions in the past 14 days, under GET TRIGGERED RULES – EXABEAM AA DEFAULT.

  • Additional contextual information about the user, under GET USER INFORMATION – EXABEAM AA DEFAULT.

  • Other Case Manager incidents involving the notable user in the past 14 days, under SEARCH IR INCIDENTS WITH IOC.

If the incident involves a notable asset, the playbook returns the asset's past anomalous behavior, including its risk score for every session in the past 14 days and all the rules triggered in the asset's sessions in the past 14 days. Then, it collects any additional contextual information about the asset and searches for other Case Manager incidents involving the asset. View the output in the workbench, including:

  • Risk score for each session in the past 14 days, under GET ASSET RISK SCORE – EXABEAM AA DEFAULT.

  • All rules triggered in the asset's sessions in the past 14 days, under GET ASSET TRIGGERED RULES – EXABEAM AA DEFAULT.

  • Additional contextual information about the asset, under GET ASSET INFORMATION – EXABEAM AA DEFAULT.

  • Other Case Manager incidents involving the same notable asset in the past 14 days, under SEARCH IR INCIDENTS WITH IOC.

Create a Playbook

Create a playbook to automate your workflow, and respond more quickly and efficiently to attacks.

You can create your own playbook only if you're assigned an Incident Responder seat. If you aren't assigned an Incident Responder seat, you can only use turnkey playbooks.

  1. Ensure you're familiar with the logic of compound, relational, and conditional operators.

  2. In the sidebar, click PLAYBOOKS.

  3. Click Add a new playbook.

  4. Enter information about the playbook:

    • Playbook template – Choose a template from the list. To create an empty playbook, select New Playbook.

    • Name – Give your playbook a unique name.

    • (Optional) Description – Describe your playbook, what it does, and when it should be used.

  5. Click Create. The playbook contains a start node and end node. If you selected a template, the playbook contains other nodes based on the template.

  6. Define the logic of your playbook: add a node, and configure action, decision, or filter nodes. As you design your playbook, keep in mind:

    • All nodes must be linked in some way to the start and end node; otherwise, you can't run the playbook.

    • You can only use the output from the previous node as an input for the next node.

    • You can use the output of one node in another only if the latter node takes in data of the same type. For example, if one node outputs a list of URLs, you can't link it to a node that takes in a list of IP addresses.

    • You must configure all necessary input fields for a given node. If you haven't configured one or more necessary fields, the node is outlined in red.

  7. Click Save. You may save your playbook at any time, but if it contains an error, it won't run and is disabled by default. Your playbook appears in the list on the PLAYBOOKS page.
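A pre-save check for the design rules in step 6, written as an added example (not Exabeam code). The node fields (`in`, `out`, `input_from`, `required`, `config`), the service and action names, and the sample graph are assumptions, and "linked to the start and end node" is read strictly as reachable from start and able to reach end.

```python
from collections import deque

# Hypothetical in-memory model of a playbook. The exported JSON schema is not
# shown on this page, so every field name below is an assumption.
SAMPLE_NODES = {  # constructed sample
    "start": {},
    "get_urls": {"out": "url_list", "input_from": "incident",
                 "required": ["service", "action"],
                 "config": {"service": "example-service",
                            "action": "extract-urls"}},
    "ip_reputation": {"in": "ip_list", "out": "reputation_list",
                      "input_from": "get_urls",
                      "required": ["service", "action"],
                      "config": {"service": "example-service"}},  # no action
    "orphan": {"input_from": "incident", "required": [], "config": {}},
    "end": {},
}
SAMPLE_EDGES = [("start", "get_urls"), ("get_urls", "ip_reputation"),
                ("ip_reputation", "end")]


def _reach(origin, adjacency):
    """Breadth-first set of nodes reachable from `origin` over `adjacency`."""
    seen, queue = {origin}, deque([origin])
    while queue:
        for nxt in adjacency.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def lint_playbook(nodes, edges):
    """Return a list of rule violations; an empty list means the graph passes."""
    forward, backward = {}, {}
    for src, dst in edges:
        forward.setdefault(src, set()).add(dst)
        backward.setdefault(dst, set()).add(src)

    from_start = _reach("start", forward)   # everything start can reach
    to_end = _reach("end", backward)        # everything that can reach end
    problems = []
    for name in sorted(nodes):
        node = nodes[name]
        # Rule: every node is linked to the start and end node.
        if name not in from_start or name not in to_end:
            problems.append(f"{name}: not linked to both start and end")
        # Rule: all necessary input fields are configured (else "red outline").
        for field in node.get("required", ()):
            if not node.get("config", {}).get(field):
                problems.append(
                    f"{name}: required field '{field}' not configured")
        source = node.get("input_from")
        if source in (None, "incident"):
            continue  # input comes from the incident itself, nothing to match
        # Rule: only the previous node's output can feed this node.
        if source not in backward.get(name, ()):
            problems.append(f"{name}: input '{source}' is not the previous node")
        # Rule: the output type must match the input type this node takes.
        elif nodes.get(source, {}).get("out") != node.get("in"):
            problems.append(
                f"{name}: takes {node.get('in')} but {source} outputs "
                f"{nodes.get(source, {}).get('out')}")
    return problems


if __name__ == "__main__":
    for problem in lint_playbook(SAMPLE_NODES, SAMPLE_EDGES):
        print(problem)
```

The sample reproduces the URL-list-into-IP-list mismatch described in step 6, plus an unlinked node and an unconfigured field.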

Add a Node

When you create or edit a playbook, add nodes to define or change its logic.

  1. Click on the outbound port of the existing node you are connecting to the new node.

  2. Click anywhere in the interface.

  3. To add an action node, select ACTION. To add a decision node, select DECISION. To add a filter node, select FILTER.

Add an Action Node

When you create a playbook, you add action, decision, and filter nodes. Add an action node to call and use the results from a service.

  1. From a node, add another node, then select ACTION.

  2. Select a Service. These services are available for you to use; they either come out-of-the-box or have been configured by your organization. You might find the descriptions helpful in choosing the appropriate service to use.

  3. Select the action type the node performs.

  4. Select an input source. You can select between the fields, entities, or artifacts in the incident or the output from a previous node.

  5. To close the panel, click anywhere in the interface. If there is a red border around the node, you have not configured one or more necessary fields.

Add a Decision Node

When you create a playbook, you create action, decision, and filter nodes. Create a decision node to make a boolean (if/else) decision.

A decision node evaluates whether the input is true or false. Based on this evaluation, the next node in the playbook executes an action.

  1. From the node you wish to make a decision on, add a node and select DECISION. If you add the node straight from the start node, it operates on all the fields and raw data in the incident.

  2. Select an input source. You can select between the fields, entities, or artifacts in the incident or the output from a previous node.

  3. Select an operator:

    • Equals – Checks if values are equal.

    • Not Equal To – Checks if values are not equal.

    • Contains – Checks if values partially match.

    • Not Contains – Checks if values do not match.

    • Is Empty – Checks if incident field doesn't have an assigned value.

    • Exists – Checks if incident field has an assigned value.

    • Starts With – Checks if string data type starts with a specified value.

    • Not Starts With – Checks if string data type doesn't start with a specified value.

    • Ends With – Checks if string data type ends with a specified value.

    • Not Ends With – Checks if string value doesn't end with a specified value.

    • In – Checks if value is in a specified list.

    • Not In – Checks if value is not in a specified list.

    • Matches – Checks if values match exactly.

    • Not Matches – Checks if values don't match exactly.

    • Greater Than – Checks if value is greater than a specified value.

  4. (Optional) If relevant, enter or select a value.

  5. Click SAVE.

  6. (Optional) Add additional conditions to the decision node.

    • To add an or condition, select +OR.

    • To add an and condition, select +AND.

  7. From the decision node's outbound ports, add a node that executes depending on how the input was evaluated:

    • To execute a node if the input is evaluated as true, add a node from the outbound port on the side.

    • To execute a node if the input is evaluated as false, add a node from the top or bottom outbound ports.

  8. To close the panel, click anywhere in the interface. If there is a red border around the node, you have not configured one or more necessary fields.

Add a Filter Node

When you create a playbook, you add action, decision, and filter nodes. Add a filter node to narrow down multiple input values to a specific subset.

You use a filter node to filter out a subset of the input source, based on conditions you specify when you configure the node. The filter node outputs the remaining subset and passes it on to the next node. The next node only evaluates this remaining subset. For example, you can use a filter node to remove:

  • Normal domains, so the next node evaluates malicious domains only.

  • Allow listed URLs, so the next node evaluates block listed URLs only.

  • Email attachments with a risk score below 90, so the next node evaluates attachments with a risk score above 90 only.

  • IP addresses from other countries, so the next node evaluates IP addresses from a specific country only.

To evaluate a single value, add a decision node.

  1. From one node, add another node, then select FILTER.

  2. Select an input source. You can select between the fields, entities, or artifacts in the incident or the output from a previous node.

  3. Select an operator:

    • Equals – Checks if values are equal.

    • Not Equal To – Checks if values are not equal.

    • Contains – Checks if values partially match.

    • Not Contains – Checks if values do not match.

    • Is Empty – Checks if incident field doesn't have an assigned value.

    • Exists – Checks if incident field has an assigned value.

    • Starts With – Checks if string data type starts with a specified value.

    • Not Starts With – Checks if string data type doesn't start with a specified value.

    • Ends With – Checks if string data type ends with a specified value.

    • Not Ends With – Checks if string value doesn't end with a specified value.

    • In – Checks if value is in a specified list.

    • Not In – Checks if value is not in a specified list.

    • Matches – Checks if values match exactly.

    • Not Matches – Checks if values don't match exactly.

    • Greater Than – Checks if value is greater than a specified value.

  4. (Optional) If relevant, enter or select a value.

  5. Click SAVE.

  6. (Optional) Add an additional condition to the filter node. You can't use both in one filter node; you must choose one or the other.

    • To add an or condition, select +OR.

    • To add an and condition, select +AND.

    • To change a condition from one to the other, select the down arrow next to it, then select the appropriate condition.

  7. To close the panel, click anywhere in the interface. If there is a red border around the node, you have not configured one or more necessary fields.
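How a filter node differs from a decision node, modelled as an added example (not Exabeam code) using a subset of the operators listed above. It assumes that the conditions select the items passed on to the next node, that a comparison never matches a missing value, and that each node joins its conditions with a single AND or OR; field names and sample data are constructed.

```python
# Added illustration of filter-node and decision-node evaluation.
# Missing-value handling below is an assumption, not documented behaviour.

def _text(test):
    """Wrap a string test so it is False for non-string values."""
    return lambda value, arg: isinstance(value, str) and test(value, arg)


OPERATORS = {
    "Equals": lambda v, a: v == a,
    "Not Equal To": lambda v, a: v != a,
    "Contains": _text(lambda v, a: a in v),
    "Not Contains": _text(lambda v, a: a not in v),
    "Starts With": _text(lambda v, a: v.startswith(a)),
    "Not Starts With": _text(lambda v, a: not v.startswith(a)),
    "Ends With": _text(lambda v, a: v.endswith(a)),
    "Not Ends With": _text(lambda v, a: not v.endswith(a)),
    "In": lambda v, a: v in a,
    "Not In": lambda v, a: v not in a,
    "Greater Than": lambda v, a: isinstance(v, (int, float)) and v > a,
}
EMPTY = (None, "", [])


def check(record, condition):
    """Evaluate one (field, operator, value) condition against a record."""
    field, operator, arg = condition
    value = record.get(field)
    if operator == "Is Empty":
        return value in EMPTY
    if operator == "Exists":
        return value not in EMPTY
    if value in EMPTY:
        return False  # assumption: comparisons never match a missing value
    return OPERATORS[operator](value, arg)


def evaluate(record, conditions, joiner="AND"):
    """Combine conditions with one joiner; a filter node cannot mix the two."""
    if joiner not in ("AND", "OR"):
        raise ValueError("conditions are joined with AND or OR")
    results = [check(record, c) for c in conditions]
    return all(results) if joiner == "AND" else any(results)


def filter_node(items, conditions, joiner="AND"):
    """Narrow a list: only matching items are passed to the next node."""
    return [item for item in items if evaluate(item, conditions, joiner)]


def decision_node(record, conditions, joiner="AND"):
    """Evaluate a single record and name the outbound branch that runs."""
    return "true" if evaluate(record, conditions, joiner) else "false"


ATTACHMENTS = [  # constructed sample data
    {"name": "invoice.pdf", "risk_score": 35},
    {"name": "update.exe", "risk_score": 97},
    {"name": "scan.docm", "risk_score": 92},
    {"name": "notes.txt"},  # no risk score assigned
]


def demo():
    """Filter attachments scoring above 90, then branch on incident priority."""
    risky = filter_node(ATTACHMENTS, [("risk_score", "Greater Than", 90)])
    branch = decision_node({"priority": "Low"},
                           [("priority", "Equals", "Critical")])
    return [a["name"] for a in risky], branch


if __name__ == "__main__":
    print(demo())
```

The attachment with no risk score is dropped by the Greater Than filter; a separate Is Empty condition is needed to route such items explicitly.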

Playbook Templates

If you don't want to create a playbook from scratch, use a template. These templates come out-of-the-box or you can import your own from an existing playbook.

Playbook templates are frameworks that are already designed and ready for you to use; you just indicate the service you want to use. You can use playbook templates only if you're assigned an Incident Responder seat.

There are 16 templates available out of the box, including ones for malware and phishing. You can also use turnkey playbooks as templates.

You can't delete these out-of-the-box templates.

To modify a template, export an existing playbook, then import it back into the system as a template. You can also create a new playbook from scratch.

Import a Playbook Template

After you export a playbook, you can import it back into the same system or into another system as a template. It can only be imported as a template, not as a playbook.

You can import playbook templates only if you're assigned an Incident Responder seat.

  1. Ensure your template file is in a valid JSON format. If you created and exported the playbook from Incident Responder, it is already in a valid format.

  2. In the sidebar, click PLAYBOOKS.

  3. Click Import template.

  4. Click CHOOSE TEMPLATE FILE, then select a valid JSON file to upload.

    The playbook is imported as a template. To use the playbook, create a new playbook using the template.

Phishing Playbook Template

Break down the logic flow of the out-of-the-box phishing playbook template.

Figure: The phishing playbook template in the playbook interface.

Phishing emails imitate reputable senders to fool recipients into installing malicious software or revealing personal information.

The phishing playbook sources emails ingested into Case Manager. It checks the reputation of the domain that sent the email; extracts any files, URLs, or links; and checks the reputation of these entities. Then, the playbook checks if the email recipient has any web activity related to the URL.

Based on the sender's email address, the playbook searches for other recipients. If it finds other recipients, the playbook alerts you.

Create a Playbook Trigger

For a playbook to run automatically, define which circumstances and conditions trigger the playbook. You define a playbook trigger from the PLAYBOOKS page, or when you create or edit a playbook.

You can create a playbook trigger only if you're assigned an Incident Responder seat.

If you manually create an incident, playbooks aren't triggered.

  1. In the sidebar, click PLAYBOOKS, or create or edit a playbook.

  2. Click Add trigger to playbook:

    • On the PLAYBOOKS page, select the clock icon for an existing playbook in the list.

    • If you're creating or editing a playbook, select the clock icon.

  3. Click + Trigger.

  4. Select the situation that triggers the playbook:

    • Incident Created – When a playbook triggers and creates an incident.

    • Status Changed – When someone changes an incident's status.

    • Priority Changed – When someone changes an incident's priority.

    • Queue Changed – When someone is assigned to another queue.

    • Assignee Changed – When someone changes who's assigned to an incident.

    • Incident Type Changed – When an incident's type changes, manually or automatically.

  5. To add a condition to the situation, select + Condition. If the situation occurs and the condition is met, the playbook runs. These conditions are based on incident fields, default or custom.

  6. (Optional) To add another condition, click + ADD.

  7. Click SAVE.

Manually Run an Action

Instead of automating an action using a playbook, run an action manually on an incident from its workbench.

If you aren't assigned an Incident Responder seat, you can only run out-of-the-box actions; you can't run custom actions.

  1. In an incident's workbench, click RUN ACTION.

  2. Select an action from the list and enter the relevant information.

  3. Click LAUNCH.

    If the action runs successfully, it appears in the workbench ACTIONS tab with a check mark, and you see its output in the workbench.

Manually Run a Playbook

Instead of triggering a playbook with a certain scenario, run a playbook manually on a specific incident from its workbench.

If you aren't assigned an Incident Responder seat, you can only run turnkey playbooks; you can't run custom playbooks.

  1. In an incident's workbench, click RUN PLAYBOOK.

  2. Select a playbook from the list.

  3. Click LAUNCH.

    If the actions in your playbook run successfully, they appear in the workbench ACTIONS tab with a check mark, and you see their outputs in the workbench.

    If your playbook runs successfully, it appears in the workbench PLAYBOOKS tab with a check mark.

Clear an Incident's Playbook and Action Outputs

In the workbench, the outputs of all the playbooks and actions you've ever run accumulate, so it's hard to tell what's most recent. Clean up your workbench and only display the latest results.

  1. Ensure that you have Reset Incident Workbench permissions. To request Reset Incident Workbench permissions, contact your Exabeam administrator.

  2. In an incident's workbench, click RESET CARDS. In the workbench and the incident, the playbook and action results clear.