
Turnkey Playbooks

Fully pre-configured turnkey playbooks are ready to run out of the box.

Turnkey playbooks are pre-configured playbooks that are ready for you to run, without having to purchase additional services to get the actions you need.

They are listed alongside the playbooks you created on the PLAYBOOKS page. Like a playbook you created yourself, you can run them manually or automatically with a playbook trigger.

These playbooks use an in-house service, Exabeam Actions, that is available out of the box and free to use. The service supports basic actions, like getting the reputations of entities and artifacts and detonating malicious files and URLs.

There are three turnkey playbooks:

  • Threat Intelligence Reputation Lookup

  • Phishing

  • Malware

You can modify turnkey playbooks to customize them to your needs.

Threat Intelligence Reputation Lookup Turnkey Playbook

Analyze and triage suspicious emails and change an incident's priority with the Threat Intelligence Reputation Lookup turnkey playbook.

The Threat Intelligence Reputation Lookup turnkey playbook helps you analyze and triage suspicious emails, like potential spam and phishing emails. It changes a Case Manager incident's priority based on the reputation of an email entity and its artifacts.

First, the playbook assesses the reputation of the incident's entities, including:

  • Files attached to the email

  • IP addresses

  • Domains of any URLs in the email body

  • Domain of the sender's email address

If the playbook finds any IP addresses with a malicious reputation, it searches for other incidents that have the same IP address entity or artifact. View the output in the incident's workbench.

If any entity or artifact has a malicious reputation, the playbook escalates the incident's priority to Critical. If none of the artifacts have a malicious reputation, the playbook de-escalates the incident's priority to Low.

The Threat Intelligence Reputation Lookup turnkey playbook is similar to the Phishing turnkey playbook, but only analyzes entity and artifact reputations and changes an incident's priority and status. To get even more information for your investigation and automate your response to a phishing incident, use the Phishing turnkey playbook instead.

Phishing Turnkey Playbook

Analyze suspicious emails, detonate malicious email attachments, and change an incident's priority and status with the Phishing turnkey playbook.

The Phishing turnkey playbook helps you analyze, triage, and respond to suspicious emails, like potential spam and phishing emails. It changes a Case Manager incident's priority based on the reputation of the evidence. It also gathers information about the email recipient from Advanced Analytics and detonates any malicious files in a sandbox.

First, the playbook assesses the reputation of the incident's entities and other evidence, including:

  • Files attached to the email

  • IP addresses

  • Domains of any URLs in the email body

  • Domain of the sender's email address

If the playbook finds any entity with a malicious reputation, it searches for other incidents with the same entity. View the output in the incident's workbench. Then, it escalates the incident's priority to Critical. If the playbook doesn't find any entity with a malicious reputation, it changes the incident's priority to Low.

From Advanced Analytics, the playbook retrieves the email recipient's risk score and top device. View the output in the incident's workbench.

If the playbook finds any files with malicious reputation, it detonates the file in a sandbox.

Keep in mind that you may input only a limited number of files, URLs, or other entities and artifacts to Exabeam Actions' Sandbox by Detonate action per day, at Exabeam's sole discretion. Exabeam throttles your inputs to prevent internal services from overloading and to ensure all Exabeam users can access the action. The exact number of entities and artifacts you can input varies per day.

The Phishing turnkey playbook is similar to the Threat Intelligence Reputation Lookup turnkey playbook, but also includes additional actions for gathering Advanced Analytics data and detonating malicious files. To quickly assess and view the reputation of an incident's entities and artifacts, run the Threat Intelligence Reputation Lookup turnkey playbook instead.

Malware Turnkey Playbook

Analyze suspicious files and detonate potential malware with the Malware turnkey playbook.

The Malware turnkey playbook helps you analyze, triage, and detonate suspicious files that may be potential malware. Depending on the reputation of the file entities and their related hashes, it changes the incident's priority and comments on the incident.

First, the playbook gathers the file entities and artifacts from an incident. Then, it scans and assesses the reputation of the files, and detonates them in a sandbox. It also assesses the reputation of any associated MD5, SHA1, and SHA256 hashes.

If any file entities, artifacts, or hashes have a malicious reputation, it changes the incident's priority to Critical and comments on the incident, "Exabeam Actions detected at least one malicious file on this incident. As a result, the priority has been raised to critical." If none of the files, entities, or hashes have a malicious reputation, it changes the incident's priority to Low and comments on the incident, "Exabeam Actions didn't detect malicious files on this incident. As a result, the priority has been changed to low."

If the associated hashes have a malicious reputation, the playbook also searches for other Incident Responder incidents with the same hashes. View the output in the workbench.
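The triage logic that the Threat Intelligence Reputation Lookup and Malware playbooks apply (assess entity and hash reputations, escalate to Critical or de-escalate to Low, search other incidents that share a malicious IP or hash, and post the Malware comment), modelled as an added Python example. This is not Exabeam's code: the REPUTATION table, SAMPLE_INCIDENTS and all function names are constructed assumptions standing in for the Exabeam Actions lookups and Case Manager data.

```python
from urllib.parse import urlparse

# Constructed stand-in for the Exabeam Actions reputation lookups (assumption).
REPUTATION = {
    "198.51.100.23": "malicious",                     # constructed sample IP
    "login-example.invalid": "malicious",             # constructed sample domain
    "9e107d9d372bb6826bd81d3542a419d6": "malicious",  # constructed sample MD5
}
CRITICAL_COMMENT = ("Exabeam Actions detected at least one malicious file on this "
                    "incident. As a result, the priority has been raised to critical.")
LOW_COMMENT = ("Exabeam Actions didn't detect malicious files on this incident. "
               "As a result, the priority has been changed to low.")
# Constructed sample incidents (assumption); "iocs" lists another incident's entities/artifacts.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "sender": "billing@login-example.invalid", "ips": ["198.51.100.23"],
     "urls": ["https://login-example.invalid/reset"], "attachments": ["invoice.pdf"]},
    {"id": "INC-2", "iocs": ["198.51.100.23", "9e107d9d372bb6826bd81d3542a419d6"]},
    {"id": "INC-3", "files": [{"name": "setup.exe", "md5": "9e107d9d372bb6826bd81d3542a419d6",
                               "sha1": "a" * 40, "sha256": "b" * 64}]},
    {"id": "INC-4", "sender": "hr@corp.example", "ips": ["203.0.113.5"], "urls": []},
]

def is_malicious(value):
    return REPUTATION.get(value) == "malicious"

def email_entities(incident):
    """Attachments, IP addresses, domains of URLs in the body, and the sender's domain."""
    ents = list(incident.get("attachments", [])) + list(incident.get("ips", []))
    ents += [urlparse(u).hostname for u in incident.get("urls", [])]
    ents.append(incident["sender"].rsplit("@", 1)[-1])
    return list(dict.fromkeys(ents))  # de-duplicate, keep order

def related_incidents(ioc, incidents, current_id):
    """Other incidents that carry the same entity or artifact."""
    return sorted(i["id"] for i in incidents
                  if i["id"] != current_id and ioc in i.get("iocs", []))

def run_reputation_lookup(incident, incidents):
    bad = [e for e in email_entities(incident) if is_malicious(e)]
    # Only malicious IP addresses trigger the search for other incidents.
    related = {ip: related_incidents(ip, incidents, incident["id"])
               for ip in bad if ip in incident.get("ips", [])}
    return {"priority": "Critical" if bad else "Low", "malicious": bad, "related": related}

def run_malware(incident, incidents):
    files = incident.get("files", [])
    hashes = [h for f in files for h in (f.get("md5"), f.get("sha1"), f.get("sha256")) if h]
    bad = [e for e in [f["name"] for f in files] + hashes if is_malicious(e)]
    related = {h: related_incidents(h, incidents, incident["id"]) for h in bad if h in hashes}
    return {"priority": "Critical" if bad else "Low",
            "comment": CRITICAL_COMMENT if bad else LOW_COMMENT, "related": related}
```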

If you configured any third-party services, you can customize the Malware turnkey playbook and make it more robust. For example, if your incident doesn't have a file entity or artifact, you can use a Get File action to retrieve a file from another data source. You can also take further action on the malware; for example, using Okta's Suspend User action, CarbonBlack Response's or FireEye's Isolate (Contain) Host action, CiscoAMP's Isolate Host action, or Quarantine Host action from various services.

Keep in mind that you may input only a limited number of files, URLs, or other entities and artifacts to Exabeam Actions' Sandbox by Detonate action per day, at Exabeam's sole discretion. Exabeam throttles your inputs to prevent internal services from overloading and to ensure all Exabeam users can access the action. The exact number of entities and artifacts you can input varies per day.