Playbooks is purpose-built for security professionals and technical operators to move fast and make fewer mistakes with template-based digital checklists for repeatable workflows.
We’re actively working on new Playbooks concepts to minimize MTTM (mean time to mitigate) by equipping incident responders with more flexible templates and powerful automations that eliminate slow and error-prone manual actions.
If you’re interested in these new capabilities, we’d love to hear your feedback.
Flexible Playbook properties
Properties are new key-value pairs that can be added to playbook templates or ongoing incidents, allowing responders and configured automations to surface critical incident information at a glance.
Imagine a scenario where a webhook returns critical metadata about a compromised machine in a malware attack. Properties can be used to store the affected Computer DNS and IP Address so responders aren’t blocked searching for this information during an incident.
Incident metadata can be populated into properties manually or by plugins, webhooks or configured integrations and automations.
Properties can be configured at the Playbook level, so responders can preconfigure the property names and types in the template before an incident occurs. Supported property types would include strings, emails, phone numbers, URLs, dates, people and preconfigured dropdown lists.
Responders have the flexibility to reorder and pin critical properties within the run details section, or add new properties as needed while an incident is ongoing.
Automate actions on properties and tasks
Automated actions reduce manual workflows, enabling responders to mitigate threats faster with fewer errors.
Actions can be configured on specific properties in the Playbook template. During an incident, an action executes when its conditional logic matches the property value against the configured criteria. For example:
- When the Computer DNS and System User properties are populated by the Microsoft Defender alert, trigger a webhook to send the hash of the malware to VirusTotal and return the results to the incident channel.
- When a responder changes the Incident Severity property to “Sev-1”, add the on-call engineer and SecOps director to the incident channel.
Additionally, actions can be configured on specific tasks in a Playbook template. This allows responders to execute workflows in a single click, such as inviting on-call staff to the incident channel, triggering a slash command or webhook, or posting a message.
Timeline for audit tracing
In the event an audit trail is required, every modification of an incident property, and every associated action executed automatically or manually by incident responders, is viewable in the run timeline view.
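To make the concept concrete, here is a constructed model of typed properties, conditional actions on property changes, and the audit timeline described above. It is an added illustration, not Playbooks code: the property names, rule names and action strings are assumptions taken from the scenarios on this page, and the webhook and channel actions are recorded on the timeline rather than executed.

```python
from dataclasses import dataclass, field
from typing import Callable, Any

# Constructed model of this page's concepts: typed properties on an incident run,
# rules that fire actions when property values match criteria, and an audit timeline.
@dataclass
class Property:
    name: str
    ptype: str                  # string, email, phone, url, date, people, dropdown
    value: Any = None
    options: tuple = ()         # allowed values when ptype == "dropdown"

@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]   # evaluated over {property name: Property}
    action: str                         # hypothetical action identifier
    fired: bool = False                 # fire at most once per run

@dataclass
class Run:
    properties: dict
    rules: list
    timeline: list = field(default_factory=list)

    def set_property(self, name: str, value: Any, actor: str) -> None:
        prop = self.properties[name]
        # Dropdown values are validated against the template's preconfigured list.
        if prop.ptype == "dropdown" and value not in prop.options:
            raise ValueError(f"{value!r} is not an allowed value for {name}")
        # Record old value, new value and who changed it, then re-evaluate rules.
        self.timeline.append(("property", name, prop.value, value, actor))
        prop.value = value
        self._evaluate()

    def _evaluate(self) -> None:
        for rule in self.rules:
            if not rule.fired and rule.condition(self.properties):
                rule.fired = True
                self.timeline.append(("action", rule.action, "rule:" + rule.name))

def example_run() -> Run:
    # Assumed template: a severity dropdown plus two fields a Defender webhook would fill.
    props = {
        "Incident Severity": Property("Incident Severity", "dropdown", options=("Sev-1", "Sev-2", "Sev-3")),
        "Computer DNS": Property("Computer DNS", "string"),
        "System User": Property("System User", "string"),
    }
    rules = [
        Rule("sev1-escalation", lambda p: p["Incident Severity"].value == "Sev-1", "invite on-call engineer and SecOps director"),
        Rule("defender-enrichment", lambda p: bool(p["Computer DNS"].value and p["System User"].value), "webhook: submit hash to VirusTotal"),
    ]
    return Run(props, rules)
```

Setting the two Defender fields fires the enrichment rule only once both are populated, and a value outside the dropdown list is rejected before anything reaches the timeline.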
Dashboards for stakeholder visibility
Dashboard views displaying all ongoing or historical incidents can be useful for stakeholders to see a higher-level overview of the threat landscape.
These views can be customized and filtered based on the properties applied to specific incidents, such as status, severity, or incident type.
Let us know what you think
So that’s a quick summary of the concept work in progress. Would you find value in these capabilities? We’d love to hear from you.