Incident Responder

Respond to Security Incidents

Use Incident Responder to respond to security incidents. Run pre-configured turnkey playbooks that are ready out of the box. Create your own custom playbook that fits your specific needs, and consider using templates to get started quickly. Run playbooks automatically using triggers or manually from an incident's workbench.

  • Turnkey Playbooks

    Fully pre-configured turnkey playbooks are ready to run out of the box.

  • Create a Playbook

    Create a playbook to automate your workflow, and respond more quickly and efficiently to attacks.

  • Playbook Templates

    If you don't want to create a playbook from scratch, use a template. These templates come out-of-the-box or you can import your own from an existing playbook.

  • Create a Playbook Trigger

    For a playbook to run automatically, define which circumstances and conditions trigger the playbook. You define a playbook trigger from the PLAYBOOKS page, or when you create or edit a playbook.

  • Manually Run an Action

    Instead of automating an action using a playbook, run an action manually on an incident from its workbench.

  • Manually Run a Playbook

    Instead of triggering a playbook with a certain scenario, run a playbook manually on a specific incident from its workbench.

  • Clear an Incident's Playbook and Action Outputs

    In the workbench, the outputs of every playbook and action you've ever run accumulate, so it's hard to tell which results are the most recent. Clean up your workbench so that it displays only the latest results.

Turnkey Playbooks

Fully pre-configured turnkey playbooks are ready to run out of the box.

Turnkey playbooks are pre-configured playbooks that are ready for you to run, without having to purchase additional services to get the actions you need.

They are listed alongside the playbooks you created on the PLAYBOOKS page. Like a playbook you created yourself, you can run them manually or automatically with a playbook trigger.

These playbooks use an in-house service, Exabeam Actions, that is available out of the box and free to use. The service supports basic actions, such as getting the reputations of entities and artifacts and detonating malicious files and URLs.

There are three turnkey playbooks: Threat Intelligence Reputation Lookup, Phishing, and Malware.

You can modify turnkey playbooks to customize them to your needs.

Threat Intelligence Reputation Lookup Turnkey Playbook

Analyze and triage suspicious emails and change an incident's priority with the Threat Intelligence Reputation Lookup turnkey playbook.

The Threat Intelligence Reputation Lookup turnkey playbook helps you analyze and triage suspicious emails, like potential spam and phishing emails. It changes a Case Manager incident's priority based on the reputation of an email entity and its artifacts.

First, the playbook assesses the reputation of the incident's entities, including:

  • Files attached to the email

  • IP addresses

  • Domains of any URLs in the email body

  • Domain of the sender's email address

If the playbook finds any IP addresses with a malicious reputation, it searches for other incidents that have the same IP address as an entity or artifact. View the output in the incident's workbench, under IR INCIDENTS WITH IOC.

If any entity or artifact has a malicious reputation, the playbook escalates the incident's priority to Critical. If none of the artifacts have a malicious reputation, the playbook de-escalates the incident's priority to Low.

The Threat Intelligence Reputation Lookup turnkey playbook is similar to the Phishing turnkey playbook, but only analyzes entity and artifact reputations and changes an incident's priority and status. To get even more information for your investigation and automate your response to a phishing incident, use the Phishing turnkey playbook instead.

Phishing Turnkey Playbook

Analyze suspicious emails, detonate malicious email attachments, and change an incident's priority and status with the Phishing turnkey playbook.

The Phishing turnkey playbook helps you analyze, triage, and respond to suspicious emails, like potential spam and phishing emails. It changes a Case Manager incident's priority based on the reputation of the evidence. It also gathers information about the email recipient from Advanced Analytics and detonates any malicious files in a sandbox.

First, the playbook assesses the reputation of the incident's entities and other evidence, including:

  • Files attached to the email

  • IP addresses

  • Domains of any URLs in the email body

  • Domain of the sender's email address

If the playbook finds any entity with a malicious reputation, it searches for other incidents with the same entity. View the output in the incident's workbench, under IR INCIDENTS WITH IOC. Then, it escalates the incident's priority to Critical. If the playbook doesn't find any entity with a malicious reputation, it changes the incident's priority to Low.

From Advanced Analytics, the playbook retrieves the email recipient's risk score, top device, and other additional contextual information about the recipient. View the output in the incident's workbench, under GET USER RISK SCORES – EXABEAM AA DEFAULT, GET TOP DEVICE FOR USER - EXABEAM AA DEFAULT, and GET USER INFORMATION – EXABEAM AA DEFAULT.

If the playbook finds any files with a malicious reputation, it detonates them in a sandbox.

Keep in mind that you may input only a limited number of files, URLs, or other entities and artifacts to the Exabeam Actions sandbox (the Detonate action) per day, at Exabeam's sole discretion. Exabeam throttles your inputs to prevent internal services from overloading and to ensure all Exabeam users can access the action. The exact number of entities and artifacts you can input varies per day.

The Phishing turnkey playbook is similar to the Threat Intelligence Reputation Lookup turnkey playbook, but also includes additional actions for gathering Advanced Analytics data and detonating malicious files. To quickly assess and view the reputation of an incident's entities and artifacts, run the Threat Intelligence Reputation Lookup turnkey playbook instead.

Malware Turnkey Playbook

Analyze suspicious files and detonate potential malware with the Malware turnkey playbook.

The Malware turnkey playbook helps you analyze, triage, and detonate suspicious files that may be potential malware. Depending on the reputation of the file entities and their related hashes, it changes the incident's priority and comments on the incident.

First, the playbook gathers the file entities and artifacts from an incident. Then, it scans and assesses the reputation of the files, and detonates them in a sandbox. It also assesses the reputation of any associated MD5, SHA1, and SHA256 hashes. View the output in the workbench under SCAN FILE – YARA.

If any file entities, artifacts, or hashes have a malicious reputation, it changes the incident's priority to Critical and comments on the incident: "Exabeam Actions detected at least one malicious file on this incident. As a result, the priority has been raised to critical." If none of the files, entities, and hashes have a malicious reputation, it changes the incident's priority to Low and comments on the incident: "Exabeam Actions didn't detect malicious files on this incident. As a result, the priority has been changed to low."

If the associated hashes have a malicious reputation, the playbook searches for other incidents with the same hashes. View the output in the workbench, under IR INCIDENTS WITH IOC.

If you configured any third-party services, you can customize the Malware turnkey playbook and make it more robust. For example, if your incident doesn't have a file entity or artifact, you can use a Get File action to retrieve a file from another data source. You can also take further action on the malware; for example, using Okta's Suspend User action, CarbonBlack Response's or FireEye's Isolate (Contain) Host action, CiscoAMP's Isolate Host action, or Quarantine Host action from various services.

Keep in mind that you may input only a limited number of files, URLs, or other entities and artifacts to the Exabeam Actions sandbox (the Detonate action) per day, at Exabeam's sole discretion. Exabeam throttles your inputs to prevent internal services from overloading and to ensure all Exabeam users can access the action. The exact number of entities and artifacts you can input varies per day.
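The escalation logic that the three turnkey playbooks share, written out as an added Python example (this is not Exabeam code and not part of the original page). It extracts the artifacts the playbooks assess (attachment hashes, IP addresses, domains of URLs in the body, and the sender's domain), looks them up in a constructed reputation table that stands in for the Exabeam Actions lookups, sets the priority to Critical or Low, and lists other incidents that share a malicious IOC, which is what the IR INCIDENTS WITH IOC output shows. The incident layout, the function names, the sample incidents and the verdict table are all assumptions made here.

```python
"""Triage logic of the turnkey playbooks, modelled in Python.

Added example; this is not Exabeam code. The incident layout, the reputation
table, the function names and the sample incidents are constructed here.
"""
import hashlib
import re
from urllib.parse import urlparse

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed stand-in for the Exabeam Actions reputation lookups:
# artifact value -> verdict. File verdicts are keyed by the SHA256 hash.
MALWARE_SAMPLE = b"MZ\x90\x00 constructed sample, not a real binary"
REPUTATION = {
    "203.0.113.10": "malicious",
    "198.51.100.7": "clean",
    "bad-login.example.net": "malicious",
    "example.com": "clean",
    hashlib.sha256(MALWARE_SAMPLE).hexdigest(): "malicious",
}

# Constructed email incidents, as Case Manager might hold them.
INCIDENTS = [
    {"id": "INC-1", "sender": "billing@bad-login.example.net",
     "body": "Your invoice is overdue. Pay at https://bad-login.example.net/pay "
             "or call 203.0.113.10 now.",
     "attachments": [{"name": "invoice.exe", "bytes": MALWARE_SAMPLE}]},
    {"id": "INC-2", "sender": "hr@example.com",
     "body": "Forwarding a suspicious link: http://bad-login.example.net/reset",
     "attachments": []},
    {"id": "INC-3", "sender": "alice@example.com",
     "body": "Lunch menu: https://example.com/menu (proxy 198.51.100.7)",
     "attachments": []},
]


def extract_artifacts(incident):
    """Collect what the playbooks assess: attachment hashes (MD5, SHA1,
    SHA256), IP addresses, domains of URLs in the body, and the sender's
    domain. Returned as (type, value) pairs."""
    artifacts = set()
    for att in incident["attachments"]:
        for algo in ("md5", "sha1", "sha256"):
            artifacts.add(("hash", hashlib.new(algo, att["bytes"]).hexdigest()))
    body = incident["body"]
    artifacts.update(("ip", ip) for ip in IP_RE.findall(body))
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            artifacts.add(("domain", host.lower()))
    if "@" in incident["sender"]:
        artifacts.add(("domain", incident["sender"].rsplit("@", 1)[1].lower()))
    return artifacts


def triage(incident, reputation, all_incidents):
    """Escalate to Critical if any artifact is malicious, otherwise
    de-escalate to Low. When something is malicious, also list the other
    incidents that share that IOC (the IR INCIDENTS WITH IOC output)."""
    artifacts = extract_artifacts(incident)
    malicious = {a for a in artifacts if reputation.get(a[1]) == "malicious"}
    related = [other["id"] for other in all_incidents
               if other["id"] != incident["id"]
               and malicious & extract_artifacts(other)]
    return {
        "priority": "Critical" if malicious else "Low",
        "malicious": sorted(malicious),
        "related_incidents": related,
    }


if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc["id"], triage(inc, REPUTATION, INCIDENTS))
```

The correlation step is deliberately keyed on the malicious artifacts only, which mirrors the playbooks: a clean domain such as example.com appearing in two incidents does not link them, but a malicious sender domain or file hash does.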

Create a Playbook

Create a playbook to automate your workflow, and respond more quickly and efficiently to attacks.

  1. Ensure you're familiar with the logic of compound, relational, and conditional operators.

  2. Navigate to the PLAYBOOKS page.

  3. Click Add a new playbook (the blue plus icon).

  4. Enter information about the playbook:

    • Playbook template – Choose a template from the list. To create an empty playbook, select New Playbook.

    • Name – Give your playbook a unique name.

    • (Optional) Description – Describe your playbook, what it does, and when it should be used.

  5. Click Create. The playbook contains a start node and end node. If you selected a template, the playbook contains other nodes based on the template.

  6. Define the logic of your playbook: add a node, and configure action, decision, or filter nodes. As you design your playbook, keep in mind:

    • All nodes must be linked in some way to the start and end nodes; otherwise, you can't run the playbook.

    • A node can take as input only the output of the node directly before it.

    • You can use the output of one node in another only if the latter node takes in data of the same type. For example, if one node outputs a list of URLs, you can't link it to a node that takes in a list of IP addresses.

    • You must configure all necessary input fields for a given node. If you haven't configured one or more necessary fields, the node is outlined in red.

  7. Click Save (the floppy disk icon). You may save your playbook at any time, but if it contains an error, it won't run and is disabled by default. Your playbook appears in the list on the PLAYBOOKS page.
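The three design rules in step 6 (every node linked to start and end, a node consuming only its predecessor's output type, and required fields configured) are exactly the checks that decide whether a saved playbook is runnable or stays disabled. The following added Python example, which is not Exabeam code and not part of the original page, applies those rules to a playbook graph. The node and edge representation, the type names such as `list[url]`, and the two sample playbooks are assumptions made here; the service names (Exabeam Actions, CarbonBlack Response) are ones the page itself mentions.

```python
"""Validator for the playbook design rules in step 6 of Create a Playbook.

Added example, not Exabeam code. The node/edge layout, the type names and
the sample playbooks are assumptions made here.
"""
from collections import deque


def validate_playbook(nodes, edges):
    """Return a list of problems; an empty list means the playbook can run.

    nodes: id -> {"kind", "in_type", "out_type", "required", "config"}
    edges: (source_id, target_id) pairs drawn from outbound to inbound ports
    """
    succ = {n: [] for n in nodes}
    pred = {n: [] for n in nodes}
    for src, dst in edges:
        succ[src].append(dst)
        pred[dst].append(src)

    def reachable(origin, adjacency):
        seen, queue = {origin}, deque([origin])
        while queue:
            for nxt in adjacency[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    problems = []
    # Rule 1: every node must be linked to both the start and the end node.
    from_start = reachable("start", succ)
    to_end = reachable("end", pred)
    for nid in nodes:
        if nid not in from_start or nid not in to_end:
            problems.append(f"{nid}: not linked to both the start and end node")
    # Rule 2: a node only consumes the previous node's output, and the
    # types must agree (a list of URLs cannot feed a node that takes IPs).
    for src, dst in edges:
        out_t, in_t = nodes[src].get("out_type"), nodes[dst].get("in_type")
        if in_t is not None and out_t != in_t:
            problems.append(f"{src} -> {dst}: outputs {out_t} but {dst} takes {in_t}")
    # Rule 3: unconfigured required fields (the red outline in the editor).
    for nid, node in nodes.items():
        missing = [f for f in node.get("required", [])
                   if not node.get("config", {}).get(f)]
        if missing:
            problems.append(f"{nid}: required field(s) not configured: {', '.join(missing)}")
    return problems


# A well-formed playbook: get URLs -> look up reputation -> decide -> set priority.
GOOD_NODES = {
    "start": {"kind": "start", "out_type": "incident"},
    "get_urls": {"kind": "action", "in_type": "incident", "out_type": "list[url]",
                 "required": ["service"], "config": {"service": "Exabeam Actions"}},
    "url_reputation": {"kind": "action", "in_type": "list[url]",
                       "out_type": "list[verdict]",
                       "required": ["service"], "config": {"service": "Exabeam Actions"}},
    "any_malicious": {"kind": "decision", "in_type": "list[verdict]",
                      "out_type": "list[verdict]",
                      "required": ["operator"], "config": {"operator": "Contains"}},
    "set_priority": {"kind": "action", "in_type": "list[verdict]", "out_type": None,
                     "required": ["priority"], "config": {"priority": "Critical"}},
    "end": {"kind": "end"},
}
GOOD_EDGES = [("start", "get_urls"), ("get_urls", "url_reputation"),
              ("url_reputation", "any_malicious"),
              ("any_malicious", "set_priority"),   # true branch
              ("any_malicious", "end"),            # false branch
              ("set_priority", "end")]

# A broken playbook: a type mismatch, an unlinked node, and an unconfigured field.
BAD_NODES = {
    "start": {"kind": "start", "out_type": "incident"},
    "get_urls": GOOD_NODES["get_urls"],
    "isolate_host": {"kind": "action", "in_type": "list[ip]", "out_type": "list[ip]",
                     "required": ["service"], "config": {"service": "CarbonBlack Response"}},
    "set_priority": {"kind": "action", "in_type": None, "out_type": None,
                     "required": ["priority"], "config": {}},
    "orphan": {"kind": "action", "in_type": None, "out_type": None},
    "end": {"kind": "end"},
}
BAD_EDGES = [("start", "get_urls"), ("get_urls", "isolate_host"),
             ("isolate_host", "set_priority"), ("set_priority", "end")]


if __name__ == "__main__":
    print("good:", validate_playbook(GOOD_NODES, GOOD_EDGES))
    print("bad:", *validate_playbook(BAD_NODES, BAD_EDGES), sep="\n  ")
```

The decision node in the good playbook has two outbound edges, one per branch, and both branches must eventually reach the end node; a branch left dangling is reported by rule 1 just like an orphaned node.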

Add a Node

When you create or edit a playbook, add nodes to define or change its logic.

  1. Click on the outbound port of the existing node you are connecting to the new node.

  2. Click anywhere in the interface.

  3. To add an action node, select ACTION. To add a decision node, select DECISION. To add a filter node, select FILTER.

Add an Action Node

When you create a playbook, you add action, decision, and filter nodes. Add an action node to call and use the results from a service.

  1. From a node, add another node, then select ACTION.

  2. Select a Service. These services are available for you to use; they either come out-of-the-box or have been configured by your organization. You might find the descriptions helpful in choosing the appropriate service to use.

  3. Select the action type the node performs.

  4. Select an input source. You can select between the fields, entities, or artifacts in the incident or the output from a previous node.

  5. To close the panel, click anywhere in the interface. If there is a red border around the node, you have not configured one or more necessary fields.

Add a Decision Node

When you create a playbook, you add action, decision, and filter nodes. Add a decision node to make a boolean (if/else) decision.

A decision node evaluates whether the input is true or false. Based on this evaluation, the playbook follows the true or false branch to the next node.

  1. From the node you wish to make a decision on, add a node and select DECISION. If you add the node straight from the start node, it operates on all the fields and raw data in the incident.

  2. Select an input source. You can select between the fields, entities, or artifacts in the incident or the output from a previous node.

  3. Select an operator:

    • Equals – Checks if values are equal.

    • Not Equal To – Checks if values are not equal.

    • Contains – Checks if a value contains the specified value (partial match).

    • Not Contains – Checks if a value doesn't contain the specified value.

    • Is Empty – Checks if incident field doesn't have an assigned value.

    • Exists – Checks if incident field has an assigned value.

    • Starts With – Checks if string data type starts with a specified value.

    • Not Starts With – Checks if string data type doesn't start with a specified value.

    • Ends With – Checks if string data type ends with a specified value.

    • Not Ends With – Checks if string value doesn't end with a specified value.

    • In – Checks if value is in a specified list.

    • Not In – Checks if value is not in a specified list.

    • Matches – Checks if values match exactly.

    • Not Matches – Checks if values don't match exactly.

    • Greater Than – Checks if value is greater than a specified value.

  4. (Optional) If relevant, enter or select a value.

  5. Click SAVE.

  6. (Optional) Add additional conditions to the decision node.

    • To add an or condition, select +OR.

    • To add an and condition, select +AND.

  7. From the decision node's outbound ports, add a node that executes depending on how the input was evaluated:

    • To execute a node if the input is evaluated as true, add a node from the outbound port on the side.

    • To execute a node if the input is evaluated as false, add a node from the top or bottom outbound ports.

  8. To close the panel, click anywhere in the interface. If there is a red border around the node, you have not configured one or more necessary fields.

Add a Filter Node

When you create a playbook, you add action, decision, and filter nodes. Add a filter node to narrow down multiple input values to a specific subset.

You use a filter node to filter out a subset of the input source, based on conditions you specify when you configure the node. The filter node outputs the remaining subset and passes it on to the next node. The next node only evaluates this remaining subset. For example, you can use a filter node to remove:

  • Normal domains, so the next node evaluates malicious domains only.

  • Allow listed URLs, so the next node evaluates only URLs that aren't on the allow list.

  • Email attachments with a risk score below 90, so the next node evaluates attachments with a risk score of 90 or higher only.

  • IP addresses from other countries, so the next node evaluates IP addresses from a specific country only.

To evaluate a single value, add a decision node.

  1. From one node, add another node, then select FILTER.

  2. Select an input source. You can select between the fields, entities, or artifacts in the incident or the output from a previous node.

  3. Select an operator:

    • Equals – Checks if values are equal.

    • Not Equal To – Checks if values are not equal.

    • Contains – Checks if a value contains the specified value (partial match).

    • Not Contains – Checks if a value doesn't contain the specified value.

    • Is Empty – Checks if incident field doesn't have an assigned value.

    • Exists – Checks if incident field has an assigned value.

    • Starts With – Checks if string data type starts with a specified value.

    • Not Starts With – Checks if string data type doesn't start with a specified value.

    • Ends With – Checks if string data type ends with a specified value.

    • Not Ends With – Checks if string value doesn't end with a specified value.

    • In – Checks if value is in a specified list.

    • Not In – Checks if value is not in a specified list.

    • Matches – Checks if values match exactly.

    • Not Matches – Checks if values don't match exactly.

    • Greater Than – Checks if value is greater than a specified value.

  4. (Optional) If relevant, enter or select a value.

  5. Click SAVE.

  6. (Optional) Add additional conditions to the filter node. A filter node joins its conditions with either OR or AND, not both; you must choose one or the other.

    • To add an or condition, select +OR.

    • To add an and condition, select +AND.

    • To change a condition from one to the other, select the down arrow next to it, then select the appropriate condition.

  7. To close the panel, click anywhere in the interface. If there is a red border around the node, you have not configured one or more necessary fields.
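Decision and filter nodes share the same operator list and differ only in what they do with the result: a decision node turns the evaluation into a single true/false branch, while a filter node applies it to each input value and passes the surviving subset along. The following added Python example, which is not Exabeam code and not part of the original page, implements those operators with AND/OR compounding and runs them over the kinds of inputs the filter examples above describe (attachments by risk score, domains by reputation, incident fields). The `(field, operator, expected)` tuple layout, the sample records, and the reading of Matches as a full regular-expression match are assumptions made here.

```python
"""The decision/filter node operators with AND/OR compounding.

Added example, not Exabeam code. The condition tuple layout, the sample
records and the regex reading of "Matches" are assumptions made here.
"""
import re


def evaluate(op, value, expected=None):
    """Apply one operator from the decision/filter node list to one value."""
    text = "" if value is None else str(value)
    if op == "Equals":
        return value == expected
    if op == "Not Equal To":
        return value != expected
    if op == "Contains":  # partial match: element of a list, or substring
        if isinstance(value, (list, tuple, set)):
            return expected in value
        return expected in text
    if op == "Not Contains":
        return not evaluate("Contains", value, expected)
    if op == "Is Empty":  # field has no assigned value
        return value in (None, "", [], {})
    if op == "Exists":  # field has an assigned value
        return value is not None
    if op == "Starts With":
        return text.startswith(expected)
    if op == "Not Starts With":
        return not text.startswith(expected)
    if op == "Ends With":
        return text.endswith(expected)
    if op == "Not Ends With":
        return not text.endswith(expected)
    if op == "In":
        return value in expected
    if op == "Not In":
        return value not in expected
    if op == "Matches":  # assumption: whole-value regular-expression match
        return re.fullmatch(expected, text) is not None
    if op == "Not Matches":
        return re.fullmatch(expected, text) is None
    if op == "Greater Than":  # an unset field is never greater than anything
        return value is not None and value > expected
    raise ValueError(f"unknown operator: {op}")


def decide(conditions, combinator, record):
    """Decision node: one boolean over a record. `conditions` are
    (field, operator, expected) tuples joined by "AND" or "OR"."""
    results = [evaluate(op, record.get(field), exp) for field, op, exp in conditions]
    return all(results) if combinator == "AND" else any(results)


def filter_node(conditions, combinator, records):
    """Filter node: keep only the records the conditions accept, so the
    next node evaluates just this subset."""
    return [r for r in records if decide(conditions, combinator, r)]


# Constructed sample data standing in for an incident's artifacts and fields.
ATTACHMENTS = [
    {"name": "invoice.pdf", "risk_score": 35},
    {"name": "payload.exe", "risk_score": 97},
    {"name": "macro.docm", "risk_score": 91},
]
DOMAINS = [
    {"domain": "example.com", "reputation": "clean"},
    {"domain": "bad-login.example.net", "reputation": "malicious"},
    {"domain": "cdn.example.org", "reputation": None},  # lookup returned nothing
]
INCIDENT = {"priority": "Critical", "status": "New", "assignee": None,
            "tags": ["phishing", "email"]}


if __name__ == "__main__":
    print(filter_node([("risk_score", "Greater Than", 90)], "AND", ATTACHMENTS))
    print(filter_node([("reputation", "Not Equal To", "clean")], "AND", DOMAINS))
    print(decide([("priority", "Equals", "Critical"),
                  ("assignee", "Exists", None)], "AND", INCIDENT))
```

Note the difference between Not Equal To "clean" and Equals "malicious" on the DOMAINS list: the first keeps the domain whose reputation lookup returned nothing, the second drops it. When a filter feeds a containment action, that is the difference between acting on an unknown and ignoring it, so pick the operator deliberately.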

Playbook Templates

If you don't want to create a playbook from scratch, use a template. These templates come out-of-the-box or you can import your own from an existing playbook.

Playbook templates are frameworks that are already designed and ready for you to use; you just indicate the service you want to use.

There are 16 templates available out of the box, including ones for malware and phishing. You can also use turnkey playbooks as templates.

You can't delete these out-of-the-box templates.

To modify a template, export an existing playbook, then import it back into the system as a template. You can also create a new playbook from scratch.

Phishing Playbook Template

Break down the logic flow of the out-of-the-box phishing playbook template.

The phishing playbook template in the playbook interface.

Phishing emails imitate reputable senders to fool recipients into installing malicious software or revealing personal information.

The phishing playbook sources emails ingested into Case Manager. It checks the reputation of the domain that sent the email; extracts any files, URLs, or links; and checks the reputation of these entities. Then, the playbook checks if the email recipient has any web activity related to the URL.

Based on the sender's email address, the playbook searches for other recipients. If it finds other recipients, the playbook alerts you.

Create a Playbook Trigger

For a playbook to run automatically, define which circumstances and conditions trigger the playbook. You define a playbook trigger from the PLAYBOOKS page, or when you create or edit a playbook.

If you manually create an incident, playbooks aren't triggered.

  1. In the navigation bar, click PLAYBOOKS, or create or edit a playbook.

  2. Add a trigger to the playbook:

    • On the PLAYBOOKS page, select the clock icon for an existing playbook in the list.

    • If you're creating or editing a playbook, select the clock icon in the playbook editor.

  3. Click + Trigger.

  4. Select the situation that triggers the playbook:

    • Incident Created – When an incident is created.

    • Status Changed – When someone changes an incident's status.

    • Priority Changed – When someone changes an incident's priority.

    • Queue Changed – When an incident is moved to another queue.

    • Assignee Changed – When someone changes who's assigned to an incident.

    • Incident Type Changed – When an incident's type changes, manually or automatically.

  5. To add a condition to the situation, select + Condition. If the situation occurs and the condition is met, the playbook runs. These conditions are based on incident fields, default or custom.

  6. (Optional) To add another condition, click + ADD.

  7. Click SAVE.

Manually Run an Action

Instead of automating an action using a playbook, run an action manually on an incident from its workbench.

  1. In an incident's workbench, click RUN ACTION.

  2. Select an action from the list and enter the relevant information.

  3. Click LAUNCH.

    If the action runs successfully, it appears in the workbench ACTIONS tab with a green check mark, and you see its output in the workbench.

Manually Run a Playbook

Instead of triggering a playbook with a certain scenario, run a playbook manually on a specific incident from its workbench.

  1. In an incident's workbench, click RUN PLAYBOOK.

  2. Select a playbook from the list.

  3. Click LAUNCH.

    If the actions in your playbook run successfully, they appear in the workbench ACTIONS tab with a green check mark, and you see their outputs in the workbench.

    If your playbook runs successfully, it appears in the workbench PLAYBOOKS tab with a green check mark.

Clear an Incident's Playbook and Action Outputs

In the workbench, the outputs of every playbook and action you've ever run accumulate, so it's hard to tell which results are the most recent. Clean up your workbench so that it displays only the latest results.

  1. Ensure that you have Reset Incident Workbench permissions. To request Reset Incident Workbench permissions, contact your Exabeam administrator.

  2. In an incident's workbench, click RESET CARDS. In the workbench and the incident, the playbook and action results clear.