Incident ResponderGet Started With Incident Responder

Playbooks

Automate your tasks, immediately neutralize attacks, and mitigate damages with Exabeam playbooks.

A playbook is a standard, repeatable sequence of actions that responds to specific incident types, like phishing or malware, based on your best practices. It automates your workflow and completes complex, manual, and repetitive tasks so you quickly identify and address incidents.

You design a logic flow that triggers the playbook under certain conditions. Then, the playbook automatically runs the relevant responses. You make workflows semi-automated so it runs at the push of a button, or fully automated so it runs without any human intervention.Manually Run a Playbook

You manage a playbook and track its history in an incident's workbench.The Workbench

Playbook Terminology

Define all the terms you encounter when dealing with playbooks.

Action

A scripted task to call a third-party API service and gather data, executed manually or automatically using playbooks. For example: retrieve the reputation information for a given URL or search emails by sender.Manually Run an Action

You use action nodes in playbooks. It has an inbound port on the left and an outbound on the right.

An Example playbook with a start node linked to a New Action Node linked to a decision node; the New Action node is highlighted with a red rectangle.
Decision

A node that indicates a boolean (if/else) decision. It has one inbound node on the left, an if/true node on the right, and else/false nodes on the top and bottom.

An Example playbook with a start node linked to a New Action Node, linked to a decision node; the decision node is highlighted with a red rectangle.
Input

Data passed from one node to another; data from a Case Manager incident, entity, or artifact.

Node

The fundamental building blocks of playbooks. Each one represents an action, decision, start, or end.

An Example playbook with a start node that connects to a New Action Node, that connects to a decision node; these and the end node are highlighted with red rectangles.
Operator

Compares operands and returns a logical value if the comparison is true. Operands may be numerical, string, logical, or object values. Strings are compared based on standard lexicographical ordering, using Unicode values.

Port

Each node has at least one inbound port and one outbound port that connects it to another node (except the start node and end node). An inbound port receives data from another note, and an outbound node sends data.

An Example playbook with a start node linked to a New Action Node, linked to a decision node; the New Action Node inbound and outbound ports are highlighted with red circles.
Service

A third-party product or vendor you integrate with Incident Responder to run actions and playbooks. For example: Cisco Threatgrid, Palo Alto Networks Wildfire. You interact with multiple instances of a service from within Incident Responder. Information about a service, like how to connect to it and which actions are defined, is stored in the Incident Responder server.

Playbook Triggers

Automatically run playbooks using triggers.

Playbooks run automatically if you prescribe it to run under a certain circumstance and that circumstance happens. This circumstance is called a trigger. There are three circumstances that trigger a playbook:Create a Playbook Trigger

  • Incident Created – When you create a new incident.

  • Status Changed – When you change the the state of an incident.

  • Priority Changed – When you change the priority of an incident.

If you've already created an incident manually and the details match the conditions of a playbook trigger, the playbook will not trigger automatically.