Cyware Fusion and Threat Response

Actions and Playbooks

Actions and playbooks are key features of the incident response process that enable your organization to manage and respond to incidents effectively.

Add Actions to an Incident

Actions represent a set of tasks configured to perform incident response activities. These actions can be linked to different phases of an incident. For instance, in the Containment phase, you might create an action to block an IP address and assign it to a security analyst for execution.

You can view the associated actions in the following sections:

  • All: View all actions associated with the incident.

  • Incident Phases: View actions that are mapped to an incident phase.

    Note

    The workflow phases that appear in actions may differ based on the workflow mapping configured by your administrator in Form Management.

Steps

To create and associate an action with an incident, follow these steps:

  1. Go to Menu > Incidents.

  2. Open an incident, and select Actions & Playbooks.

  3. To create an action within a phase, select a phase first, and click Add Action. If you create an action within the All category, the action remains unassociated with any specific phase. To associate it with a phase, click More and select the phase to which you want to move the action.

  4. Enter the following action details:

    • Title: Enter a title for the action. For example, block IP address.

    • Assigned User Group: Assign a user group to the action. Only users from the selected user group can be assigned to the action. For example, Analyst group.

    • [Optional] Description: Enter the details of the action to be performed. For example, block the IP address if it is malicious.

    • [Optional] Priority: Select a priority level for the action. The available priorities are Very Low, Low, Medium, High, and Very High. The priority options are configured by your administrator in the admin panel.

    • [Optional] Action Type: Select the type of action to be performed, such as Containment, Corrective, Eradication, Mitigation, Recovery, and Remediation. The available action types are configured by your administrator in the admin panel.

  5. Click Submit. In the confirmation message, click Yes, Proceed.

After creating an action, you can view the details such as the unique ID, opened by, when it was last updated, action type, priority, and other details. You can assign a user to the action to act on it. For more information, see Assign a User to an Action.

Change Associated Phase of an Action

After you create an action, you can move the action from the current incident phase to another phase.

Note

The actions that are mapped to an incident phase by your administrator using Action Library cannot be moved from one phase to another. For more information, see Manage Action Templates for Incidents.

Steps

To change the phase of an action, follow these steps:

  1. Go to Menu > Incidents.

  2. Open an incident, and select Actions & Playbooks.

  3. Select a phase, and click More for the action whose phase you want to change.

  4. Select the phase to which you want to move the action.

Assign a User to an Action

After creating an action, you can assign a user from the selected user group to act on it.

Steps

To assign a user to an action, follow these steps:

  1. Select an action, and to change the assigned user, click Edit.

  2. Select a user, and add a handoff note.

  3. Click Save.

Manage Actions

You can perform the following operations to manage actions:

  • Search actions or filter actions based on the Action Type, Assigned Group, Created by, and more.

  • Reorder the actions based on the ascending or descending order of the action titles.

  • Sort the actions based on criteria such as Relevance, Last Updated, and Date Created.

  • Follow an action to receive updates. You can filter the actions that you follow using the filter Following on the listing page.

  • Starting from Respond v3.4.3, you can close multiple actions by selecting actions and clicking Close. In the confirmation pop-up, click Close.