Cyware Orchestrate

Playbook Overview

Enter the following details in Playbook Overview to configure the playbook.

  • Name: Enter a unique name for the playbook. For example, Block Indicators using Intel Exchange.

  • Description: Add a description for the playbook using a maximum of 200 characters. It is recommended to add a relevant description for the playbook as analysts can use this for their reference.

  • Select Labels: Select one or more labels to automatically trigger the execution of a playbook on the occurrence of an event. For more information, see Labels, Triggers, and Events.

  • Select Tags: Select one or more tags to define role-based access control (RBAC) for playbooks. For more information, see Create Playbook Tags.

  • Playbook Execution Priority: To ensure efficient and timely execution of playbooks, you can assign a priority such as 1-High, 2-Medium, or 3-Routine to a playbook. High-priority playbooks take priority over Medium-priority playbooks, and Routine-priority playbooks have the least precedence. By default, the 3-Routine priority is selected. For example, a playbook that automatically responds to reported phishing emails might have a higher priority than one that generates hourly reports of the number of incidents onboarded for investigation.

    The maximum number of playbooks that can run concurrently depends on the system configuration of an Orchestrate instance. For example, if an Orchestrate instance can run 30 playbooks at a time, then 18 playbooks of high priority, 9 playbooks of medium priority, and 3 playbooks of routine priority can be triggered for execution.

    Notice

    This feature is no longer supported from Orchestrate v3.5.5 onward.

  • Select Categories: Select one or more categories to associate with the playbook. You can select from categories such as Communication, Security Hygiene, Intel Enrichment, Incident Response, Incident Reporting, Incident Onboarding, Incident Notification, Incident Enrichment, and Asset Management.

  • Status: Set the status of the playbook as either active or inactive. To execute a playbook automatically based on a cron schedule or the occurrence of an event, the playbook must be in an active state. By default, playbooks are in an active state.

  • Execution Timeout Configuration: Configure the total time to wait for the playbook to complete its execution before it terminates. This includes the time for which the playbook is paused for user inputs. By default, this option is disabled. You can specify the execution timeout in the range of 5 to 90 minutes in HH:MM:SS format. For example, 00:05:00 indicates 5 minutes.

  • Schedule Playbooks: You can schedule a playbook to run once, daily, weekly, or monthly using the date and time picker. You can also use cron expressions to schedule a playbook. For more information, see Schedule Playbooks.

  • Output Parameters: Playbook output parameters help analysts send the execution result of a sub-playbook to the master playbook. The master playbook can utilize the received output parameter to build complex orchestration workflows.

  • Associated Playbooks: View the master playbook and the associated sub-playbooks.

  • App/Actions: View the associated app actions used in the playbook.

After configuring and saving the playbook overview, you must define the sequence of your playbook workflow by adding an action, condition, input, or memory node as per your use case.