What are Playbooks and Playbook Actions?
Playbooks serve as checklists so that any workflow relating to your security operations function can be performed consistently.
Playbooks also allow new starters to contribute more effectively through documented, actionable processes being accessible during incident response analysis and triage.
The paid versions of the Cydarm platform come configured with a set of existing open source playbooks, which can be duplicated and modified, and any trial user of Cydarm can create their own playbooks.
Playbook Actions are what we call the steps in a given playbook. For example, a phishing playbook will be made up of several actions, such as obtaining and analysing the email metadata, or deleting repeat instances of the identified phishing email from the email server.
Add a Playbook to a case, and add/delete Playbooks
- On the case view page, click on the Playbooks tab located in the main panel. This tab will open up details of any playbooks that are attached to a given case. If there are multiple playbooks attached they are listed one after the other.
- To add an existing playbook to the case, click on +Add a Playbook
- If you need to create a new playbook, head to the Playbook Editor, by clicking on Playbooks in the nav bar at the top of the screen. Click on +Create a new playbook, give your playbook a name, description, and set your access defaults from the dropdown menu. See below for adding actions to your new playbook.
- To delete a playbook, you click on the Delete Playbook (located at the bottom of the right hand column panel inset).
**Note that you can add multiple playbooks to a case, and duplicates of the same playbook.
Adding individual Playbook Actions
- From the case view page of the case in question, click on "View" to the right of the Playbooks heading in the right hand column panel inset.
- Click on the + Add button and select "Action" from the drop-down menu.
- From the pop-up, select either "Add Existing Action" and search for your desired action and click to add it to the case, or "Create New Action".
- When creating new actions, you must give your action a name, and provide information as to what activities should be carried out at this workflow step. Click the "Create and add to case" button.
- The ability to add, delete, or edit actions can vary based upon ACL permissions. Should you find you do not have correct permissions to action any of the above steps, please reach out to your organization's administrator for your platform.
**To add new actions to existing Playbooks, simply navigate to Playbooks menu item, search for the desired playbook, and after clicking onto the playbook, choose + Add action.
Updating the status of a Playbook Action
- From within the case view page, click the "Playbooks" heading next to "Activity", or "View" next to the Playbooks heading in the right hand column panel inset.
- Click on the Playbook title. Actions will be listed in either a state of "Ready" or "Success", where "Ready" indicates they are yet to be completed, and "Success" indicates they have been completed.
- Click on the action in question. The right hand column inset panel will update with the details for that particular workflow step.
- You can update the Step Status once it has been completed, or you can assign the task to another user. This will show up in their "Playbook Items Assigned to Me" panel inset on the Analyst Dashboard.
- Additionally, you can choose to add tags manually to the playbook action if required by clicking into "Select tags" and adding desired tags.
Updating Case attributes
Case attributes are located in the right hand column inset panel of any Case View page, on the "Activity" section.
Contributors: This attribute is automatically updated after any new user contributes activities to the case.
Watchers: This attribute is automatically updated after any new user adds or removes the case from their watchlist.
Case access control list: This attribute changes the access control for the case. This can be changed by those with the correct set of permissions by selecting the new access control from the drop-down menu.
Playbooks: As covered previously, this segment will be updated as playbooks or playbook actions are added, deleted, or completed.
Metadata: This attribute outlines any additional metadata about the case, which will vary depending on the integrations and settings your organization has configured. An example is outlined in the image below.
Case Groups: This attribute indicates whether the case is a "child" case from another larger case/s. Given that incidents can be connected long after the initial case creation, this attribute helps security operations team members to update as needed as an investigation proceeds.
Member Cases: This attribute indicates whether the case is a "parent" case. Given that incidents can be connected long after the initial case creation, this attribute helps security operations team members to update as needed as an investigation proceeds.