Playbooks
Playbooks play an important role in helping you orchestrate and automate responses. Orchestrate provides the capability to leverage manual as well as fully automated Playbooks to meet the process and procedure-specific demands of your organization. Playbooks are a well-defined set of actions that are organized as a workflow to respond to an incident or a threat. They are designed to perform a multitude of security automation and orchestration tasks that are part of the incident response process.
Security teams and analysts can use Playbooks to automate various manual and repetitive tasks, as well as to orchestrate common scenarios including, but not restricted to, analyzing vulnerabilities and IOCs (Indicators of Compromise), searching for suspicious logs, and more. Using Playbooks, you can accelerate the entire incident response process by enabling security teams to quickly detect and remove false positives, respond intelligently, and mitigate increasingly complex malicious attacks.
Note
A Playbook does not always need to be technical. For example, you can trigger emails automatically to customers based on certain events from potential sources using a simple Playbook workflow.
To access Playbooks, click Main Menu on the left sidebar, and go to Playbooks > Manage Playbooks.
Features
Playbooks offer an extensive set of features such as:
Powerful visual editor: You can try out our easy-to-use Playbook canvas or editor to help you develop logical workflows for your orchestration needs.
Leverage pre-built Cyware Playbooks: You can start your automation and orchestration efforts by utilizing our vast library of pre-built playbooks and customizing them to suit your specific business needs.
Build custom workflows: You can harness the power of a secure Python-based development environment to create custom functions for your Playbook directly in the Playbook canvas.
Schedule Playbooks: You can schedule playbooks to run on-demand or automatically when triggered by one or more events.
Clone Playbooks: You can clone any existing or pre-built Cyware Playbook, to create a copy of the original playbook. You can then modify the cloned copy without affecting the original playbook to build new workflows.
Import and Export Playbooks: You can move playbooks between instances by importing and exporting playbooks directly in the interface.
Run Logs for Playbooks: You can review the detailed execution records not only of a Playbook as a whole but also of the individual nodes/components within it, which helps with debugging.
Filters: You can apply various filters on the Playbooks listing to find the ones of your interest with ease.
Nested Playbooks: You can use nested Playbooks to achieve reusability across multiple Playbooks. While creating a Playbook, you have the option to add another Playbook as one of the nodes in the Playbook workflow. These are referred to as Nested Playbooks or Sub-Playbooks. You can execute a nested Playbook either asynchronously (independent of the master Playbook's execution) or synchronously, as part of the master Playbook's execution.
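To make the nested-Playbook and node-level run-log concepts above concrete, here is a small Python model of a Playbook executor. It is an added illustration written for this page, not Cyware's own code or API: the Node and Playbook classes, the sample IOC value and the incident id are constructed assumptions.

```python
import threading
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

@dataclass
class Node:  # one workflow step: a Python action or a nested (sub-)Playbook
    name: str
    action: Optional[Callable[[Dict[str, Any]], Any]] = None
    sub_playbook: Optional["Playbook"] = None
    synchronous: bool = True  # only used when sub_playbook is set

@dataclass
class Playbook:
    name: str
    nodes: List[Node] = field(default_factory=list)

def run_playbook(pb, ctx, run_log, depth=0):
    """Run nodes in order, one run-log entry per node. A synchronous nested Playbook runs
    inline; an asynchronous one runs in a thread independent of the master Playbook.
    A failed node stops its own Playbook. Returns the background threads started."""
    threads = []
    for node in pb.nodes:
        entry = {"playbook": pb.name, "node": node.name, "depth": depth}
        try:
            if node.sub_playbook is None:
                entry["result"], entry["status"] = node.action(ctx), "success"
            elif node.synchronous:
                threads += run_playbook(node.sub_playbook, ctx, run_log, depth + 1)
                entry["status"] = "success"
            else:
                t = threading.Thread(target=run_playbook, args=(node.sub_playbook, ctx, run_log, depth + 1))
                t.start(); threads.append(t)
                entry["status"] = "started"
        except Exception as exc:  # record the failure in the run log and stop this Playbook
            entry.update(status="failed", error=repr(exc))
            run_log.append(entry)
            break
        run_log.append(entry)
    return threads

def demo():  # constructed sample: IOC triage (sync), team notification (async), incident creation
    ctx, log = {"ioc": "198.51.100.7"}, []  # constructed sample indicator (TEST-NET-2 address)
    triage = Playbook("triage-ioc", [Node("lookup-reputation", lambda c: c.setdefault("score", 80)),
                                    Node("decide", lambda c: c.setdefault("malicious", c["score"] >= 70))])
    notify = Playbook("notify-team", [Node("send-email", lambda c: f"emailed about {c['ioc']}")])
    master = Playbook("ioc-response", [Node("triage", sub_playbook=triage),
                                       Node("notify", sub_playbook=notify, synchronous=False),
                                       Node("create-incident", lambda c: {"id": "INC-0001", "ioc": c["ioc"]})])  # placeholder id
    for t in run_playbook(master, ctx, log):
        t.join()  # wait for asynchronous nested Playbooks before reading the run log
    return log
```

Because the notify-team nodes run in their own thread, their run-log entries can land anywhere relative to the master Playbook's entries, which is exactly why per-node records (with the owning Playbook and depth) matter when debugging.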
Benefits
Playbooks help security analysts and teams meet the security orchestration and automation demands of your organization. A few of the primary benefits of using Playbooks are:
Offers an integrated security environment: Playbooks can help in connecting different security tools together to create an effective and integrated security environment.
Perform automation: The data gathered from different application databases can be processed to perform automated actions such as creating an incident, updating details of an incident, and assigning users to respond to an incident.
Standardize processes: Playbooks relieve security analysts of monotonous tasks by encoding the step-by-step incident response procedure in a repeatable workflow, so that every incident is handled the same way.
Integrate with other applications: Playbooks can be integrated with products across various security technologies such as cloud security, forensics, malware analysis, vulnerability and risk management, data enrichment, threat intelligence, incident response, endpoint security, and more. Events from a threat response platform such as CFTR can also trigger Orchestrate Playbooks automatically, by mapping those events to Playbooks using labels.