Create a runbook

Runbooks are based on existing knowledge base articles.

Before you begin

Role required: sn.si.knowledge_admin

There must be existing knowledge base articles in the Security Incident Response Runbook knowledge base. When you create them, be sure to select Security Incident Response Runbook in the Knowledge base field. After you create and published an article, a Create Runbook button brings you to this task.

Procedure

  1. Navigate to Security Incident > Manual Runbook > Create New Runbook.
  2. Fill in the fields, as appropriate.
    Table 1. Creating a runbook
    Field Description
    Knowledge article Select a knowledge article to include in the runbook.
    Active Check the box to make the runbook available from the Filter Navigator.
    Use filter group Select this check box to use a predefined filter group or create a new filter group to define the runbook criteria.
    Filter group Select the filter group to use for defining a runbook.

    This field appears only if the Use filter groups check box is selected.

    Table Select either Security Incident [sn_si_incident] or Security Incident Response Task [sn_si_task].

    If you selected the Use filter group check box and selected a filter group, this field defaults to the table associated with the selected filter group.

    Condition Set the conditions that connect this runbook to the incident or task.

    If you selected the Use filter group check box and selected a filter group, the Condition fields are not displayed.

  3. Right-click the form header and select Save.
    The Knowledge Article Details tab and a series of buttons appear.
  4. To view the details of the runbook, click the Knowledge Base Details tab.
    Knowledge article details
  5. To see the knowledge base article as it would appear to the user, click View Article.
  6. To edit the details of the knowldge base article, click Edit Article.