
My First Playbook

LAST UPDATED: JAN 8, 2025

In D3, playbooks provide a structured and automated approach to handling security incidents, ensuring workflow consistency, efficiency, and reliability. An incident playbook (now called an investigation playbook) automates the analysis of and response to incidents.

Building the Playbook

  1. Navigate to the Incident Playbooks module.

  2. Click on the + Playbook button.

  3. Set up the incident playbook via the New Playbook popup.

    1. Enter a playbook name.

    2. Click on the OK button.

Testable vs Combined
  • In step 7, input values are entered for the Send Email command. The Testable radio option uses the newer UI for inputting dynamic values, while the Combined radio option uses the legacy UI from vSOC version 12.7.

  • By default, the Dynamic Input Method section is not visible, and the newer UI is used.

  4. Drag a Send Email command task onto the header branch of the initial playbook node.

    1. Click on the Command item within the task menu.

    2. Click on the Utility Commands tab within the popup.

    3. Type in Send Email within the search field, then press the Enter key.

    4. Drag the Send Email command onto the header branch of the playbook node.

  5. Assign a display name to the command.

    1. Enter the name to be displayed on the command node after the configuration popup is closed.

    2. Click on the image 31 (1)-20241129-170731.png button.

    3. Observe the node’s name change (in this case from "New Command Task 97" to "Send Email").

  6. Click back into the Send Email node, then click on the View Sample Data button.

    This popup displays the sample data formats for the inputs and outputs of this command task.

  7. Provide a valid email address within the first input parameter field, and enter a sample subject line and email body for the second and third input parameters.

How to input dynamic values?

In playbook workflows, values are often dynamic. Instead of manually entering text in the Email Body field, users can use the icon located at the right end of the field to select from available properties.


Testable (default)

  1. Click on the icon.

  2. Click on the icon.

  3. Expand the field of interest.

  4. Expand the nested field of interest.

  5. Select the exact field of interest.

  6. Click on the Generate button.

  7. Exit the Format Builder popup.

  8. Ensure a placeholder has been inserted.

  9. Click on the Save button.

Combined

  1. Click on the icon.

  2. Click on the + Insert Input Field button.

  3. Provide a descriptive name (of only letters and numbers, beginning with a letter) for the type of dynamic data to be retrieved.

  4. Click on the Add button.

  5. Click on the relevant incident property.

  6. Click on the Finish button.

  7. Ensure a placeholder has been inserted.

  8. Click on the Save button after customizing the Email Body.

  8. Ensure that the Auto Run checkbox beneath the last input parameter is selected.

  9. Click on the image 31 (1)-20241129-170731.png button to save the task configurations.

SUCCESS

This incident playbook is now ready to be linked to event playbooks (i.e. preprocessing playbooks).

Testing the Playbook

  1. Click on the Test Playbook button.

  2. Click on the Run Test button within the popup.

  3. Access the email account specified in the To Addresses parameter to verify that the email was received.
