Playbook Overview
Enter the following details in Playbook Overview to configure the playbook.
Name: Enter a unique name for the playbook. For example, Block Indicators using Intel Exchange.
Description: Add a description for the playbook using a maximum of 200 characters. It is recommended to add a relevant description for the playbook as analysts can use this for their reference.
Select Labels: Select one or more labels to automatically trigger the execution of a playbook on the occurrence of an event. For more information, see Labels, Triggers, and Events.
Select Tags: Select one or more tags to define role-based access control (RBAC) for playbooks. For more information, see Create Playbook Tags.
Playbook Execution Priority: To ensure efficient and timely execution of playbooks, you can assign a priority such as 1-High, 2-Medium, or 3-Low to a playbook. High-priority playbooks take precedence over Medium-priority and Low-priority playbooks. By default, playbooks are set to Medium priority. For example, you may assign a higher priority to a playbook that automatically responds to reported phishing emails than to one that generates hourly reports of the number of incidents onboarded for investigation.
The maximum number of playbooks that can run concurrently depends on the system configuration of an Orchestrate instance. For example, if an Orchestrate instance can run 30 playbooks at a time, then 18 playbooks of high priority, 9 playbooks of medium priority, and 3 playbooks of low priority can be triggered for execution.
Notice
This feature is available in Orchestrate version 3.5.8 onwards.
Select Categories: Select one or more categories to associate with the playbook. You can select from categories such as Communication, Security Hygiene, Intel Enrichment, Incident Response, Incident Reporting, Incident Onboarding, Incident Notification, Incident Enrichment, and Asset Management.
Status: Set the status of the playbook as either active or inactive. To execute a playbook automatically based on a cron schedule or the occurrence of an event, the playbook must be in an active state. By default, playbooks are in an active state.
Execution Timeout Configuration: Configure the total time to wait for the playbook to complete its execution before it terminates. This includes the time for which the playbook is paused for user inputs. By default, this option is disabled. You can specify the execution timeout in the range of 5 to 90 minutes in HH:MM:SS format. For example, 00:05:00 indicates 5 minutes.
Schedule Playbooks: You can schedule a playbook to run once, daily, weekly, or monthly using the date and time picker. You can also use cron expressions to schedule a playbook. For more information, see Schedule Playbooks.
Output Parameters: Playbook output parameters help analysts send the execution result of a sub-playbook to the master playbook. The master playbook can utilize the received output parameter to build complex orchestration workflows.
Associated Playbooks: View the master playbook and the associated sub-playbooks.
App/Actions: View the associated app actions used in the playbook.
After configuring and saving the playbook overview, you must define the sequence of your playbook workflow by adding an action, condition, input, or memory node as per your use case.