Run Playbooks
Playbooks are a set of organized actions designed to perform security tasks during the incident response process. For example, run a playbook to block an IP address. You can run playbooks associated with the incident on schedules, through event triggers, or manually initiate them.
Data collected from various application databases can be used to automate processes like creating an incident, updating incident details, and assigning users to an incident.
Before you Start
Ensure Orchestrate is integrated and enabled in Respond.
Ensure an instance is configured for the Respond app in Orchestrate. For more information, see Create a CFTR Instance in Orchestrate.
Ensure the incident is assigned to a user. However, you can run a playbook without assigning a user to untriaged incidents.
Steps
To access the playbooks in a module, open the module and go to Playbooks. You can view the following details:
Run Logs: You can view the run logs of the playbooks that are already executed. The run logs show the details of the playbook execution, such as the playbook title and ID, run status, run on time, playbook execution duration, and the associated bot user of the playbook. Additionally, you can terminate playbooks that are In Progress, In Queue, Waiting, or On Hold statuses to manage the playbook runs efficiently.
Playbooks: View the list of playbooks that are available to run.
Mapped Playbooks (available only for incidents): View the playbooks that are mapped to the incident by your administrator in Admin Panel > Configurations > Playbook > Incident Mapping. The top filter bar of Mapped Playbooks shows the configured parent parameters of the incident mapping. To filter the playbooks using the parent parameters, select a parent parameter.
Note
If Role based access control of Playbooks is enabled in Admin Panel > Configurations > Integration > Orchestrate, then you can access the playbooks that are allowed based on your user group permissions. Administrators can use playbook tags in user groups to control user access to Orchestrate playbooks in Orchestrate > Admin Panel > User Group Management.
To run a playbook in an incident or action, follow these steps:
Go to Menu, and select the incident or action module, and open an incident or action.
Go to Playbooks, and select Playbooks dropdown. You can view the following playbook types:
Suggested Playbooks: View the suggested playbooks generated using the Machine Learning algorithm.
All Playbooks: View all the playbooks that are available to run.
Select a playbook and click More > Run. You can also search or filter playbooks, view the list of associated apps, and run playbooks with custom input values.
Click Run on the confirmation message.
The playbook runs in the background. Go to the playbook Run Logs and click a run log to view the execution status of a playbook.
How do I know if a playbook requires input data to run?
All users of the assigned user group of an incident are notified via email and application notification about the Orchestrate playbooks that require data for the input nodes for execution. You can access the playbooks from the email and application notification to pass input data directly in Orchestrate.
Note
Orchestrate v3.5.0.0 or a later version must be integrated with Respond to receive email and application notifications about the playbooks that require input data for execution.
Notifications will not be sent for the input nodes of the sub-playbook of an Orchestrate playbook.
After passing input data to resume a playbook, you can refresh the playbook to verify if more input nodes require input data to run.
Run Knowledge Base Mapped Playbooks
You can run the playbooks mapped to knowledge-base articles from an incident or action.
Before you Start
A knowledge base article must be added to an incident or action to run the mapped playbooks.
Steps
To run a playbook that is mapped to a knowledge base article from an incident or action, follow these steps:
Go to Menu, and select Incidents or Actions.
Open an incident or action and go to Knowledge Base.
Select a knowledge base article and click Mapped Playbook on the right.
Select the playbook that you want to run and click More > Run.
Click Run on the confirmation message.
You can view the playbook execution details in the playbook Run Logs of the incident or action.
Manage Playbook Run Logs
You can perform the following activities to manage playbook run logs:
Search run logs.
Filter run logs based on the status.
Run a playbook again.
View the run details of a Playbook, such as input values and output results of each node.
Note
You can view the input and output data of up to 4 MB in the Respond user interface. Download the data in JSON format to view the complete input and output data of more than 4 MB.
View the sub-playbooks of a playbook.
View the list of associated apps of a playbook.
Enter your custom input values and then run a playbook.