
Orchestrate Next Gen

Getting Started with Playbooks

Before using playbooks, you must have permission to view, create, or manage playbooks.

Administrators can assign the following permissions depending on the role and the associated user group:

  • View Playbooks

  • Create/Update Playbooks

  • Run Playbooks

  • Approve Playbook Execution via Email

Note

Access permissions can be assigned only at the user-group level, under User Group Management. Contact your administrator to request the permissions you need.

Before you Start

  • Verify your playbook permissions.

  • Identify the type of playbook to build, based on your use case.

  • Identify all the sources from which your organization can receive notifications about events. After consolidating the list of sources, organize them into source types. Events from these sources trigger the corresponding playbooks when they match the configured labels. For more information, see Configure Triggers.

Process Overview

The following is an overview of the end-to-end process using playbooks:

  1. Identify an event for invoking a playbook.

    Example: An event for phishing email being reported.

  2. Prepare a list of actions that an analyst may undertake to respond to the event.

    Example:

    • Extract email headers

    • Extract attachments

    • Check recipient details

    • Compute hash

    • Check hash reputation score

    • Block IP and sender if malicious

    • Notify all users about email

  3. Categorize each listed action as Required or Optional for containing or mitigating the threat, based on best practices or your company's policies and procedures.

    Example:

    • Extract email headers (Required)

    • Notify all users about email (Optional)

  4. Start building the playbook workflow using the Orchestrate playbook canvas. For more information, see Playbook Canvas.

  5. Build the Required actions into the main path first, then add branches for the Optional actions as the workflow dictates. For more information, see Sample Playbook Workflow.

Sample Playbook Workflow

Let us understand the playbook creation process using indicator enrichment as an example.

Enrichment of indicators is one of the primary tasks that security teams perform during incident response to produce actionable indicators. It helps eliminate false positives and extracts useful intelligence for threat response.

The illustration shows the workflow for enriching a CTIX indicator. The idea is to create a playbook that automatically enriches indicators in CTIX based on events, so analysts no longer have to enrich indicators manually each time they arrive in CTIX from multiple sources.

The high-level process involved in the Playbook workflow is:

  1. Check for New Indicators

    When an event triggers the playbook, the event data is first checked for the presence of indicators. If none are present, the remaining steps are skipped.

  2. Extract Indicators from Event Data

    If any indicators are found in the event data, they are extracted. The extracted indicators are then looked up in CTIX, and the results are formatted into a new indicator dictionary.

  3. Store Indicators for further analysis

    The indicator dictionary is stored in a memory node so that analysts can reuse it for further analysis.
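To make the three steps concrete, here is an added Python example written for this page; it is not code from Orchestrate or CTIX and does not use their node or API interfaces. It runs the same flow over a constructed phishing-report event: it checks whether the event carries any indicators, extracts them (undoing common defanging such as hxxp and [.]) into a per-type dictionary, hashes any attachment (the "Compute hash" action from the phishing example above), and stores the result in a plain dict that stands in for the memory node. The sample event, the regexes, and the store layout are all assumptions; in a real playbook the CTIX lookup would run on each extracted value and the store would be the memory node.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample event (not from any real feed). Indicators are defanged
# the way analysts usually paste them, which the extractor must undo.
SAMPLE_EVENT = {
    "id": "evt-1",
    "source": "email_gateway",
    "subject": "Invoice overdue - action required",
    "body": (
        "Please review your invoice at hxxp://billing-update[.]example[.]net/pay "
        "or contact 203.0.113.45. Attachment sha256 is "
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855."
    ),
    "attachments": [{"name": "invoice.pdf", "content": b"%PDF-1.4 constructed sample"}],
}

# Assumed indicator types; each pattern is applied independently to the text.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.IGNORECASE),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.IGNORECASE),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def refang(text):
    """Undo common defanging (hxxp, [.], (.), [:]) so the patterns match real indicators."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def _valid_ipv4(value):
    # The regex accepts 999.999.999.999; reject octets outside 0-255 here.
    return all(0 <= int(octet) <= 255 for octet in value.split("."))


def extract_indicators(event):
    """Step 2: return {indicator_type: sorted unique values} found in the event.

    Text fields are scanned with the regexes; attachments contribute their
    SHA-256 so the hash can later be checked for reputation.
    """
    text = refang(" ".join([event.get("subject", ""), event.get("body", "")]))
    found = defaultdict(set)
    for itype, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            if itype == "ipv4" and not _valid_ipv4(match):
                continue
            # Hashes and domains are case-insensitive; keep URL paths as seen.
            found[itype].add(match if itype == "url" else match.lower())
    for attachment in event.get("attachments", []):
        found["sha256"].add(hashlib.sha256(attachment["content"]).hexdigest())
    return {itype: sorted(values) for itype, values in found.items()}


def has_indicators(event):
    """Step 1: gate the rest of the playbook on the event carrying any indicator."""
    return bool(extract_indicators(event))


def store_for_analysis(memory, event_id, indicators):
    """Step 3: merge indicators into a shared store (a stand-in for the memory node).

    The store is keyed by type, then value, and records which events
    contributed each indicator so analysts can pivot back to the source.
    """
    for itype, values in indicators.items():
        bucket = memory.setdefault(itype, {})
        for value in values:
            bucket.setdefault(value, [])
            if event_id not in bucket[value]:
                bucket[value].append(event_id)
    return memory


def run_playbook(event, memory):
    """Run the three steps over one event; returns the indicators stored (or {})."""
    if not has_indicators(event):
        return {}
    indicators = extract_indicators(event)
    store_for_analysis(memory, event.get("id", "unknown"), indicators)
    return indicators


if __name__ == "__main__":
    memory_node = {}
    print(run_playbook(SAMPLE_EVENT, memory_node))
    print(memory_node)
```

The refang step is the part most often forgotten: reports that arrive from analysts or mailing lists are usually defanged, and a playbook that only matches live-form indicators silently drops them, which then looks like "no indicators found" at step 1. Validating IPv4 octets after the regex match is a similar guard against version strings and timestamps being enriched as addresses.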

[Figure: Playbook illustration example]

Playbooks

On navigating to the Playbooks listing page, you can view the Playbooks tab and start building a new playbook.

If your organization has yet to build a threat response process, start by deciding what kind of playbook you plan to build. To do so, identify and understand your organization-specific use cases, then define a new workflow around them.

After the use cases are identified, you can build new playbooks from scratch. These are also referred to as custom playbooks. You create the workflow in the playbook canvas with all the actions and configurations needed to suit the threat response needs of your organization.