Getting Started with Playbooks
Before using Playbooks, you must have the necessary permissions to view, create, or manage Playbooks.
Administrators can assign the following permissions depending on your role and the associated user group:
View Playbooks
Create/Update Playbooks
Run Playbooks
Approve Playbook Execution via Email
Approve Playbook Execution via Mobile
Import Playbook
Note
The access permissions can be assigned only to a user group. Contact your administrator to avail the permission. The permissions can be assigned by the admin under User Group Management.
Before you Start
Verify your Playbook permissions.
Identify the type of Playbook to proceed with, depending on the use case.
Identify all the sources from which your organization can receive notifications about events. After consolidating a list of sources, you must organize them into source types. These events invariably trigger corresponding Playbooks to execute if they are associated with specific labels. For more information, see Configure Triggers.
Process Overview
The following is an overview of the end-to-end process using Playbooks:
 |
Identify an event for invoking a Playbook.
Example: An event for phishing email being reported.
Prepare a list of actions that an analyst may undertake to respond to the event.
Example:
Extract email headers
Extract attachments
Check recipient details
Compute hash
Check hash reputation score
Block IP and sender if malicious
Notify all users about email
Categorize all the listed actions as Required and Optional for containing or mitigating threats based on the best practices or company policies and procedures.
Example:
Extract email headers (Required)
Notify all users about email (Optional)
Start building the Playbook workflow using the Orchestrate Playbook canvas. For more information, see Playbook Canvas.
Modify the process based on the required category at first and then branch them accordingly based on the workflow. For more information, see the sample Playbook workflow illustrated below.
Sample Playbook Workflow
Let us understand the Playbook creation process using an indicator enrichment as an example.
Enrichment of indicators is one of the primary tasks that security teams perform during the incident response to produce actionable indicators. This process aids in the elimination of false positives and helps to extract useful intelligence for threat responses.
The below illustration shows the workflow for the enrichment of a CTIX indicator. The idea is to create a Playbook that automatically enriches indicators in CTIX based on events, eliminating the effort for analysts to enrich indicators each time when indicators are received from multiple sources to CTIX.
The high-level process involved in the Playbook workflow is:
Check for New Indicators
When the Playbook is triggered to run based on an event, initially the event is checked for the presence of indicators.
Extract Indicators from Event Data
If any indicators are found in the event data, they are extracted. The extracted indicators will be searched in the CTIX application to further format and create a new dictionary for the indicators.
Store Indicators for further analysis
The indicator dictionary is stored in a memory node for the analysts to reuse for further analysis.
 |
Playbook Types
On navigating to the Playbooks listing, the two tabs that are available are:
My Playbooks
Playbook Store
Depending on the general security strategies and frameworks adopted by your organization, you can choose to import existing Playbooks offered by Cyware under Playbook Store or build an entirely new Playbook under My Playbooks.
Playbook Store
If your organization has an existing threat response process, then you can utilize the out-of-the-box Playbooks under Playbook Store. These are also referred to as system Playbooks. They are available as pre-configured templates for creating Playbooks.
These Playbooks are designed considering the most common automation and orchestration scenarios that may occur while responding to threats. You can clone and customize these Playbooks to match your requirements.
The following scenarios are some of the use cases where you can deploy Playbooks to achieve security orchestration and automation:
Incident Onboarding Playbooks from SIEM: The Playbook leverages the Orchestrate appstore that has integration with all the leading SIEM to get the incident onboarded for orchestration.
Incident Enrichment Playbook: The Playbook leverages the Orchestrate appstore that has integration to enrich the incident with all the details required by analysts to investigate the incident.
Phishing Mails Investigation Playbook: The Playbook automates the entire Phishing Mails Investigation workflow, thereby saving a lot of manual effort.
Notification to Stakeholders: The Playbook provides various apps to allow communications over various media such as emails.
Malicious URL investigation: The Playbook designed for this scenario provides a high-level workflow to deal with an event of a machine communicating with some malicious URLs.
Ransomware Investigation Playbook: This Playbook automates the entire ransomware investigation workflow, thereby saving a lot of manual effort.
My Playbooks
If your organization is yet to build a threat response process, then you can start by deciding what kind of Playbook you are planning to build. To determine this, it is recommended to identify and understand your organization-specific use cases and then define an entirely new workflow.
Once identified, you can build new Playbooks from scratch. These are also referred to as custom Playbooks. You can create a new customized workflow in the Playbook canvas with all the necessary actions and configurations to suit the threat response needs of your organization.