Incident Responder: Respond to Security Incidents

Create a Playbook

Create a playbook to automate your workflow, and respond more quickly and efficiently to attacks.

  1. Ensure you're familiar with the logic of compound, relational, and conditional operators.

  2. Navigate to the PLAYBOOKS page.

  3. Click Add a new playbook (the blue circle with a white plus sign).

  4. Enter information about the playbook:

    • Playbook template – Choose a template from the list. To create an empty playbook, select New Playbook.

    • Name – Give your playbook a unique name.

    • (Optional) Description – Describe your playbook, what it does, and when it should be used.

  5. Click Create. The playbook contains a start node and end node. If you selected a template, the playbook contains other nodes based on the template.

  6. Define the logic of your playbook: add nodes, then configure each action, decision, or filter node. As you design your playbook, keep in mind:

    • All nodes must be linked in some way to the start and end node. If not, you can't run the playbook.

    • You can only use the output from the previous node as an input for the next node.

    • You can use the output of one node in another only if the latter node takes in data of the same type. For example, if one node outputs a list of URLs, you can't link it to a node that takes in a list of IP addresses.

    • You must configure all necessary input fields for a given node. If you haven't configured one or more necessary fields, the node is outlined in red.

  7. Select Save (the grey circle with a floppy disk). You may save your playbook at any time, but if it contains an error it won't run and is disabled by default. Your playbook appears in the list on the PLAYBOOKS page.

Add a Node

When you create or edit a playbook, add nodes to define or change its logic.

  1. Click on the outbound port of the existing node you are connecting to the new node.

  2. Click anywhere in the interface.

  3. To add an action node, select ACTION. To add a decision node, select DECISION. To add a filter node, select FILTER.

Add an Action Node

When you create a playbook, you add action, decision, and filter nodes. Add an action node to call and use the results from a service.

  1. From a node, add another node, then select ACTION.

  2. Select a Service. The list contains the services available to you, either provided out of the box or configured by your organization; the service descriptions can help you choose the appropriate one.

  3. Select the action type the node performs.

  4. Select an input source. You can select between the fields, entities, or artifacts in the incident or the output from a previous node.

  5. To close the panel, click anywhere in the interface. If there is a red border around the node, you have not configured one or more necessary fields.

Add a Decision Node

When you create a playbook, you add action, decision, and filter nodes. Add a decision node to make a boolean (if/else) decision.

A decision node evaluates whether its input satisfies the conditions you configure, yielding true or false. Based on this evaluation, the playbook continues along the true branch or the false branch to the next node.

  1. From the node you wish to make a decision on, add a node and select DECISION. If you add the node straight from the start node, it operates on all the fields and raw data in the incident.

  2. Select an input source. You can select between the fields, entities, or artifacts in the incident or the output from a previous node.

  3. Select an operator:

  4. (Optional) If relevant, enter or select a value.

  5. Click SAVE.

  6. (Optional) Add additional conditions to the decision node.

    • To add an or condition, select +OR.

    • To add an and condition, select +AND.

  7. From the decision node's outbound ports, add a node that executes depending on how the input was evaluated:

    • To execute a node if the input is evaluated as true, add a node from the outbound port on the side.

    • To execute a node if the input is evaluated as false, add a node from the top or bottom outbound ports.

  8. To close the panel, click anywhere in the interface. If there is a red border around the node, you have not configured one or more necessary fields.

Add a Filter Node

When you create a playbook, you add action, decision, and filter nodes. Add a filter node to narrow down multiple input values to a specific subset.

You use a filter node to filter out a subset of the input source, based on conditions you specify when you configure the node. The filter node outputs the remaining subset and passes it on to the next node. The next node only evaluates this remaining subset. For example, you can use a filter node to remove:

  • Normal domains, so the next node evaluates malicious domains only.

  • Allow listed URLs, so the next node evaluates block listed URLs only.

  • Email attachments with a risk score below 90, so the next node evaluates attachments with a risk score of 90 or above only.

  • IP addresses from other countries, so the next node evaluates IP addresses from a specific country only.

To evaluate a single value, add a decision node.

  1. From one node, add another node, then select FILTER.

  2. Select an input source. You can select between the fields, entities, or artifacts in the incident or the output from a previous node.

  3. Select an operator:

  4. (Optional) If relevant, enter or select a value.

  5. Click SAVE.

  6. (Optional) Add additional conditions to the filter node. A single filter node joins its conditions with either or or and, not both; you must choose one or the other.

    • To add an or condition, select +OR.

    • To add an and condition, select +AND.

    • To change a condition from one to the other, select the down arrow next to it, then select the appropriate condition.

  7. To close the panel, click anywhere in the interface. If there is a red border around the node, you have not configured one or more necessary fields.
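The condition logic behind the decision and filter nodes described above, as an added example that is not part of this page or the product: a small Python model of a filter node (narrow a list of values to the subset matching a condition set joined by AND or OR), a decision node (a true/false verdict on a single input that selects the side-port or top/bottom-port branch), and the type check applied when one node's output is linked to the next node's input. The operator names, the `join` keyword, the attachment and URL records, and the allow list are all constructed for illustration; the product's own operator list is not reproduced here.

```python
"""Added example (not product code): a minimal model of the decision and
filter node semantics described on this page, so the AND/OR condition logic
can be tried on sample data before a playbook is built in the UI.
Assumptions (hypothetical, not taken from the product): the operator names
and the 'join' keyword are ours; all sample incident data is constructed."""
from dataclasses import dataclass
import operator


# Relational and membership operators a condition row can use (names assumed).
OPERATORS = {
    "equals": operator.eq,
    "not equals": operator.ne,
    "greater than": operator.gt,
    "less than": operator.lt,
    "at least": operator.ge,
    "in": lambda value, collection: value in collection,
    "not in": lambda value, collection: value not in collection,
}


@dataclass(frozen=True)
class Condition:
    """One row of a node's condition panel: <field> <operator> [value]."""
    field: str
    op: str
    value: object = None

    def holds(self, item: dict) -> bool:
        return OPERATORS[self.op](item[self.field], self.value)


@dataclass(frozen=True)
class ConditionSet:
    """Conditions joined by one connective, as +AND / +OR build them.
    A filter node uses either AND or OR for all its conditions, not both."""
    join: str                       # "AND" or "OR"
    conditions: tuple

    def __post_init__(self):
        if self.join not in ("AND", "OR"):
            raise ValueError("a node joins its conditions with AND or OR only")

    def evaluate(self, item: dict) -> bool:
        results = (c.holds(item) for c in self.conditions)
        return all(results) if self.join == "AND" else any(results)


def filter_node(items: list, conds: ConditionSet) -> list:
    """Filter node: returns the subset satisfying the conditions; only that
    subset is passed on to the next node."""
    return [item for item in items if conds.evaluate(item)]


def decision_node(item: dict, conds: ConditionSet) -> str:
    """Decision node: a boolean verdict on a single input, selecting the
    'true' (side port) or 'false' (top/bottom ports) branch."""
    return "true" if conds.evaluate(item) else "false"


def link_nodes(output_type: str, input_type: str) -> None:
    """The type check applied when linking nodes: a node that outputs URLs
    cannot feed a node that takes in IP addresses."""
    if output_type != input_type:
        raise TypeError(f"cannot link {output_type} output to {input_type} input")


# Constructed sample incident data (not real artifacts).
ATTACHMENTS = [
    {"name": "invoice.pdf", "risk_score": 95},
    {"name": "notes.txt", "risk_score": 12},
    {"name": "macro.docm", "risk_score": 90},
]
URLS = [
    {"url": "https://intranet.example/portal", "category": "allow"},
    {"url": "http://198.51.100.7/update.exe", "category": "block"},
]
ALLOW_LIST = {"https://intranet.example/portal"}


def high_risk_attachments() -> list:
    """Drop attachments scoring below 90; keep those at 90 or above."""
    keep = ConditionSet("AND", (Condition("risk_score", "at least", 90),))
    return [a["name"] for a in filter_node(ATTACHMENTS, keep)]


def blocked_urls() -> list:
    """Drop allow-listed URLs; either condition alone keeps a URL."""
    keep = ConditionSet("OR", (
        Condition("url", "not in", ALLOW_LIST),
        Condition("category", "equals", "block"),
    ))
    return [u["url"] for u in filter_node(URLS, keep)]


def escalate(incident: dict) -> str:
    """Decision on the incident as a whole: true if any high-risk attachment."""
    conds = ConditionSet("AND", (Condition("high_risk_count", "greater than", 0),))
    return decision_node(incident, conds)


if __name__ == "__main__":
    print(high_risk_attachments())  # ['invoice.pdf', 'macro.docm']
    print(blocked_urls())           # ['http://198.51.100.7/update.exe']
    print(escalate({"high_risk_count": len(high_risk_attachments())}))  # true
```

Note the boundary in the attachment example: the page's wording removes scores "below 90", so the kept set is 90 and above, which is why the condition uses at-least rather than greater-than; it is worth checking which operator the UI offers for the boundary you intend before saving the node.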