Use the Repeat Detection playbook

Watch

Save as PDF

Share this page

Feedback

Security Operations

HomeVancouver Security ManagementSecurity OperationsEnterprise security case management applicationsSecurity Incident ResponsePlaybook ResourcesSecurity Incident Response playbooksFlow-based PlaybooksPlaybook for Repeat DetectionUse the Repeat Detection playbook

Table of Contents

Use the Repeat Detection playbook

Release version:
Vancouver
Yokohama
Xanadu
Washington DC
UpdatedFeb 1, 2024
2 minutes to read

Vancouver
Security Incident Response Analysis

The Vancouver release is no longer supported. As such, the product documentation and release notes are provided for informational purposes only, and will not be updated.

Use this playbook to investigate if the incident response has been provided on an exact or similar phishing report in the past and automatically works on the new report similarly. The following steps give you a walkthrough of the actions, tasks, and subflows that are available in the Repeat Detection playbook.

Before you begin

Role required:

sn_si.admin
flow_designer

Procedure

When the playbook is triggered and starts executing, in Action 1, the playbook retrieves the relative date of the security incident using the day configuration.
In Action 2, the playbook looks up the Task Observable records on the table sn_ti_m2m_task_observable that match the incident based on the Message ID.

Figure 1. Repeat Detection playbook
In Action 3, the playbook compares the Task Observables and Email body using the Levenshtein algorithm for incidents that matched the Message ID.
In Action 4, based on the investigation done so far, the playbook checks whether the matching incident is found based on the Message ID or not.
In Action 5, if the matching incident is found, the playbook automatically updates the worknote that a match has been found based on the automation for Repeat Detection. In Action 6, the flow ends.
If the matching incident is not found, then in Action 7, the playbook looks up the Task Observable records on the table sn_ti_m2m_task_observable that match the incident based on the Subject.
In Action 8, the playbook compares the Task Observables and Email body using the Levenshtein algorithm for incidents that matched the Subject.
In Action 9, the playbook checks whether the matching incident is found or not.
In Action 10, if the matching incident is found, the playbook automatically updates the worknote that a match has been found based on the automation for Repeat Detection. In Action 11, the flow ends.
Figure 2. Matching incident
In Action 12, the playbook looks up the Task Observable records on the table sn_ti_m2m_task_observable that match the incident based on the Address.
In Action 13, the playbook compares the Task Observables and Email body using the Levenshtein algorithm for incidents that matched the Address.
In Action 14, the playbook checks whether the matching incident is found based on the Address or not.
In Action 15, if the matching incident is found, the playbook automatically updates the worknote that a match has been found based on the automation for Repeat Detection. In Action 16, the flow ends.

Was this topic helpful?

Yes No

Set up the Repeat Detection playbook

Playbook for Spoofed Emails (using the same Display name)

Set up the Repeat Detection playbook

Playbook for Spoofed Emails (using the same Display name)

Vancouver Security Management

Filters

Versions

Products