Incident Responder: Respond to Security Incidents

Turnkey Playbooks

Fully pre-configured turnkey playbooks are ready to run out of the box.

Turnkey playbooks are pre-configured playbooks that are ready for you to run, without having to purchase additional services to get the actions you need.

They are listed alongside the playbooks you created yourself on the PLAYBOOKS page. Like a playbook you created yourself, you can run them manually or automatically with a playbook trigger.

These playbooks use services that are available out-of-the-box and free to use, including Exabeam Case Manager, Exabeam AA Default, Exabeam Actions, and Yara.

There are five turnkey playbooks. You can modify a turnkey playbook to customize it to your needs.

Threat Intelligence Reputation Lookup Turnkey Playbook

Analyze and triage suspicious emails and change an incident's priority with the Threat Intelligence Reputation Lookup turnkey playbook.

The Threat Intelligence Reputation Lookup turnkey playbook helps you analyze and triage suspicious emails, like potential spam and phishing emails. It changes a Case Manager incident's priority based on the reputation of an email entity and its artifacts.

First, the playbook assesses the reputation of the incident's entities, including:

  • Files attached to the email

  • IP addresses

  • Domains of any URLs in the email body

  • Domain of the sender's email address

If the playbook finds any IP address with a malicious reputation, it searches for other incidents that have the same IP address as an entity or artifact. View the output in the incident's workbench, under IR INCIDENTS WITH IOC.

If any entity or artifact has a malicious reputation, the playbook escalates the incident's priority to Critical. If no entity or artifact has a malicious reputation, the playbook de-escalates the incident's priority to Low.

The Threat Intelligence Reputation Lookup turnkey playbook is similar to the Phishing turnkey playbook, but only analyzes entity and artifact reputations and changes an incident's priority and status. To get even more information for your investigation and automate your response to a phishing incident, use the Phishing turnkey playbook instead.

Phishing Turnkey Playbook

Analyze suspicious emails, detonate malicious email attachments, and change an incident's priority and status with the Phishing turnkey playbook.

The Phishing turnkey playbook helps you analyze, triage, and respond to suspicious emails, like potential spam and phishing emails. It changes a Case Manager incident's priority based on the reputation of the evidence. It also gathers information about the email recipient from Advanced Analytics and detonates any malicious files in a sandbox.

First, the playbook assesses the reputation of the incident's entities and other evidence, including:

  • Files attached to the email

  • IP addresses

  • Domains of any URLs in the email body

  • Domain of the sender's email address

If the playbook finds any entity with a malicious reputation, it searches for other incidents with the same entity. View the output in the incident's workbench, under IR INCIDENTS WITH IOC. Then, it escalates the incident's priority to Critical. If the playbook doesn't find any entity with a malicious reputation, it changes the incident's priority to Low.

From Advanced Analytics, the playbook retrieves the email recipient's risk score, top device, and other contextual information about the recipient. View the output in the incident's workbench, under GET USER RISK SCORES – EXABEAM AA DEFAULT, GET TOP DEVICE FOR USER – EXABEAM AA DEFAULT, and GET USER INFORMATION – EXABEAM AA DEFAULT.

If the playbook finds any file with a malicious reputation, it detonates the file in a sandbox.

Keep in mind that you may input only a limited number of files, URLs, or other entities and artifacts to the Exabeam Actions Sandbox by Detonate action per day, at Exabeam's sole discretion. Exabeam throttles your inputs to prevent internal services from overloading and to ensure all Exabeam users can access the action. The exact number of entities and artifacts you can input varies per day.

The Phishing turnkey playbook is similar to the Threat Intelligence Reputation Lookup turnkey playbook, but also includes additional actions for gathering Advanced Analytics data and detonating malicious files. To quickly assess and view the reputation of an incident's entities and artifacts, run the Threat Intelligence Reputation Lookup turnkey playbook instead.

Malware Turnkey Playbook

Analyze suspicious files and detonate potential malware with the Malware turnkey playbook.

The Malware turnkey playbook helps you analyze, triage, and detonate suspicious files that may be malware. Depending on the reputation of the file entities and their related hashes, it changes the incident's priority and adds a comment to the incident.

First, the playbook gathers the file entities and artifacts from an incident. Then, it scans and assesses the reputation of the files, and detonates them in a sandbox. It also assesses the reputation of any associated MD5, SHA1, and SHA256 hashes. View the output in the workbench under SCAN FILE – YARA.

If any file entity, artifact, or hash has a malicious reputation, it changes the incident's priority to Critical and comments on the incident: "Exabeam Actions detected at least one malicious file on this incident. As a result, the priority has been raised to critical." If none of the files, entities, and hashes have a malicious reputation, it changes the incident's priority to Low and comments on the incident: "Exabeam Actions didn't detect malicious files on this incident. As a result, the priority has been changed to low."

If the associated hashes have a malicious reputation, the playbook searches for other incidents with the same hashes. View the output in the workbench, under IR INCIDENTS WITH IOC.

If you configured any third-party services, you can customize the Malware turnkey playbook and make it more robust. For example, if your incident doesn't have a file entity or artifact, you can use a Get File action to retrieve the file from another data source. You can also take further action on the malware; for example, using Okta's Suspend User action, CarbonBlack Response's or FireEye's Isolate (Contain) Host action, CiscoAMP's Isolate Host action, or a Quarantine Host action from various services.

Keep in mind that you may input only a limited number of files, URLs, or other entities and artifacts to the Exabeam Actions Sandbox by Detonate action per day, at Exabeam's sole discretion. Exabeam throttles your inputs to prevent internal services from overloading and to ensure all Exabeam users can access the action. The exact number of entities and artifacts you can input varies per day.
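The three reputation-driven playbooks above (Threat Intelligence Reputation Lookup, Phishing, and Malware) share one triage pattern: derive indicators from the incident, assess their reputation, escalate to Critical on any malicious hit or de-escalate to Low otherwise, search other incidents for the same IOCs, and detonate only what was flagged. The following Python is an example added to this page to show that pattern end to end; it is not Exabeam's playbook definition or API. The reputation feed, the incident store, the comment text, and the sandbox quota are constructed sample data, and the quota stands in for the daily throttling described above.

```python
"""Reputation-based triage as the Threat Intelligence Reputation Lookup,
Phishing and Malware turnkey playbooks describe it.  Example code added to
this page; the reputation feed, incidents and sandbox quota are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed reputation feed standing in for the threat-intel service the
# playbooks query.  Keys are lowercase indicator values (IP, domain, hash).
REPUTATION = {
    "203.0.113.7": "malicious",        # documentation address, sample only
    "bad-login.example": "malicious",
    "newsletter.example": "benign",
    # SHA-256 of the empty file, used as a benign attachment below
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "benign",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Incident:
    id: str
    priority: str = "Medium"
    comments: list = field(default_factory=list)
    # entity type -> set of values, e.g. {"ip": {"203.0.113.7"}}
    entities: dict = field(
        default_factory=lambda: {"ip": set(), "domain": set(), "file_hash": set()})


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_indicators(sender, body, attachment_hashes):
    """Build the entity set the playbooks assess: the sender's domain, the
    domains of URLs in the body (IP literals become IP entities) and the
    hashes of attached files."""
    ind = {"ip": set(), "domain": set(), "file_hash": set()}
    ind["domain"].add(sender.rsplit("@", 1)[-1].lower())
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            ind["ip" if is_ip(host) else "domain"].add(host.lower())
    ind["file_hash"].update(h.lower() for h in attachment_hashes)
    return ind


def reputation(value):
    return REPUTATION.get(value.lower(), "unknown")


def triage(incident, other_incidents, detonate_quota=5):
    """Escalate to Critical on any malicious indicator, else de-escalate to
    Low; list other incidents sharing a malicious IOC; detonate only files
    flagged malicious, stopping at a hypothetical daily sandbox quota."""
    malicious = {t: {v for v in vals if reputation(v) == "malicious"}
                 for t, vals in incident.entities.items()}

    related = []                      # what IR INCIDENTS WITH IOC would show
    for other in other_incidents:
        if other.id == incident.id:
            continue
        shared = {v for t in malicious
                  for v in malicious[t] & other.entities.get(t, set())}
        if shared:
            related.append((other.id, sorted(shared)))

    if any(malicious.values()):
        incident.priority = "Critical"
        incident.comments.append("Malicious indicator found; priority raised to critical.")
    else:
        incident.priority = "Low"
        incident.comments.append("No malicious indicator found; priority changed to low.")

    detonated, skipped = [], []
    for h in sorted(malicious["file_hash"]):
        # Quota exhausted: record the hash for manual follow-up instead of
        # silently dropping it.
        (detonated if len(detonated) < detonate_quota else skipped).append(h)

    return {"priority": incident.priority, "malicious": malicious,
            "related": related, "detonated": detonated, "skipped": skipped}


def sample_run():
    """Constructed phishing email and incident store for demonstration."""
    store = [
        Incident("INC-1", entities={"ip": {"203.0.113.7"}, "domain": set(), "file_hash": set()}),
        Incident("INC-2", entities={"ip": set(), "domain": {"newsletter.example"}, "file_hash": set()}),
    ]
    email = Incident("INC-3")
    email.entities = extract_indicators(
        sender="it-helpdesk@bad-login.example",
        body="Reset now: http://203.0.113.7/reset or see https://newsletter.example/unsubscribe",
        attachment_hashes=["E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"],
    )
    return triage(email, store)


if __name__ == "__main__":
    print(sample_run())
```

The sample email escalates to Critical on the sender domain and the IP literal in the body, and INC-1 is reported as a related incident because it shares the IP; the attachment is benign, so nothing is sent to the sandbox. Unknown indicators are treated as not malicious, which is the de-escalate-to-Low behaviour the playbooks describe; if you want unknown hashes to keep Medium rather than drop to Low, that is the branch to change.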

Automated Incident Classification Turnkey Playbook

Classify Behavior Analytics incidents into the correct incident type with the Automated Incident Classification turnkey playbook.

When an Advanced Analytics user or asset session becomes notable, Case Manager automatically creates an incident with the Behavior Analytics incident type. The Automated Incident Classification turnkey playbook analyzes the session and changes the incident's type accordingly, helping you make sense of all the evidence in Advanced Analytics and quickly diagnose what threat you're investigating. It's important that incidents have the correct incident type so that you can standardize the evidence you collect and define tasks for investigating, containing, and remediating the incident.

First, the playbook retrieves the Exabeam Threat Detection, Investigation, and Response (TDIR) Use Case Packages rule tags associated with the session's triggered rules. View the output in the workbench, under GET RULE LABELS – EXABEAM AA DEFAULT.

Depending on the rule tags, the playbook adds an incident type. If the session is associated with any of the rule tags listed under an incident type below, the playbook adds that incident type to the incident.

Compromised Credentials incident type:

  • 3rd Party Security Alerts

  • Abnormal Application Access

  • Abnormal Authentication & Access

  • Abnormal Database Access

  • Abnormal File Access

  • Abnormal VPN Access

  • Abnormal Web Access

  • Compromised Asset

  • Compromised Service Account

  • Credential Theft

Lateral Movement incident type:

  • Abnormal Network Connections

  • Abnormal Remote Access

  • Pass the Hash

  • Pass the Ticket

Privilege Escalation incident type:

  • Account Switch

  • Bypass Access Controls

  • Discovery

  • DLL Hijacking and Side Loading

  • Permission Changes

Privileged Activity incident type:

  • Activity on Domain Controllers

  • Disabled Account Activity

  • Executive Account Activity

  • Privileged Account Activity

  • Privileged Asset Activity

  • Privileged Process Execution

Account Manipulation incident type:

  • Abnormal Account Management Activity

  • Abnormal Directory Services Activity

  • Account Creation Activity

  • Account Deletion Activity

  • Membership and Permission Modifications

  • System Account Activity

Data Exfiltration incident type:

  • Data Exfiltration

  • Data Exfiltration via DNS

  • Data Exfiltration via Web

Evasion incident type:

  • Audit Tampering

  • Destruction of File Data

  • Evasion

Data Leak incident type:

  • Data Leak

  • Data Leak via Email

  • Data Leak via Printer

  • Data Leak via Removable Device

  • Data Leak via Web

Data Access Abuse incident type:

  • Access to Application Data

  • Access to File Data

  • Database Activity Monitoring

Privilege Abuse incident type:

  • Account Manipulation

  • Disabled Account Abuse

  • Executive Account Abuse

  • Privilege Abuse

  • Privileged Account Abuse

  • Privileged Asset Abuse

  • Service Account Abuse

Audit Tampering incident type:

  • Audit Log Manipulation

Destruction of Data incident type:

  • Data Deletion

Physical Security incident type:

  • Access to Physical Space

Workforce Protection incident type:

  • Remote Workforce

  • Risk of Attrition

  • Spam

Abnormal Authentication and Access incident type:

  • Abnormal User Activity

Brute Force Attack incident type:

  • Brute Force Attack

Cryptomining incident type:

  • Cryptomining

Malware incident type:

  • Malware

Phishing incident type:

  • Phishing

Ransomware incident type:

  • Ransomware

View which incident type was added in the workbench, under MODIFY INCIDENT TYPE – INTERNAL or under the Incident Type incident field.