Security Incident Playbook

Release version:
Vancouver
Yokohama
Xanadu
Washington DC
UpdatedFeb 1, 2024
4 minutes to read

Vancouver
Security Incident Response

The Vancouver release is no longer supported. As such, the product documentation and release notes are provided for informational purposes only, and will not be updated.

Invoke the security incident playbook flow automatically or manually.

A Playbook is visible only if at least one playbook is associated with a security incident. The playbook component works only for the Process Automation Designer (PAD) built processes and not for the flow designer-built flows. For the existing flow designer enabled flows, it will continue to work, and the activities will be continuing to be rendered as response tasks.

There are two ways of associating playbook with the security incident:

Automatically invoke playbook
Manually add playbook

Invoke playbook automatically

For a Playbook to be invoked automatically, a process needs to be defined using Process Automation Designer (PAD), and when the trigger condition is met then automatically the playbook tab is rendered with the playbook activities being displayed.

Add playbook manually

For a Playbook to be invoked manually, navigate to the Form UI action drop down and select Add Playbook. For more information see, Add Playbook

Note: If there is already a playbook available then the new playbooks added will run in parallel to the existing playbooks.

Within the playbook, the analyst can filter the playbook cards by status.
The analyst can cancel a playbook by selecting it from the ellipse icon.
Within each activity, the analyst will be able to perform the actions defined within the activity cards such as Skip, Mark as complete, Cancel, or Orchestration actions such as Submit to sandbox, Search Emails and so on.
Each of these actions are defined within the activity definition, and the complete card visible is customizable at the time of building the activity definition itself.

Note: All the future activity definitions and the next steps to be performed are displayed with a lock icon and are in read-only mode to the user. The playbook display mode is controlled by a configuration as explained below.

Navigate to All > Playbook Experiences.
In the Playbook Experiences page, select an SIR Playbook Experience.
Figure 1. Playbook Experience

The Playbook Experience SIR Playbook Experience page is displayed.
Figure 2. Playbook Experience Record
Click on the Configuration record.
In the Configuration tab, click the SIR Playbook Experience Configuration.
Figure 3. Playbook Configuration
Navigate to the Pending Item Visibility field's drop down list, select the desired option and save the record. Choose from the following options:
- Hide pending activities: Select this option to hide the pending activities that you would like to see on the playbook section of the workspace.
  Figure 4. User Reported Phishing Example
- Show pending stages and activities: Select this option to show pending stages and activities that you would to like to see on the playbook section of the workspace.
  Figure 5. Show pending stages and activities
- Hide pending activities and stages: Select this option to hide pending activities and stages,that you would like to see on the playbook section of the workspace.
  Figure 6. Hide pending activities and stages
On the Playbook section, use the filter option to filter the activities by Playbook card status (activity definition).
Figure 7. Playbook card status

Add Playbook

Use this section to add playbook manually.

Before you begin

Role required: sn_si.analyst

Procedure

Navigate to All > Security Incident > Security Analyst Workspace.
Open an incident record.
Click Add Playbook.

The Add Playbook dialogue box is displayed.
Select the playbook template.
Click Add Playbook.
A confirmation message dialogue box is displayed for you to confirm.
Click Add Anyway.
The Playbook gets added next to the Details tab.
Click the Playbook tab.
Perform the series of activities as listed to move to the next level.

Note: If a Security incident is associated with a playbook, until the associated playbook gets closed or cancelled the user cannot again associate the same playbook to the same security incident.