
Investigation Playbooks

LAST UPDATED: FEB 10, 2025

Investigation playbooks automate incident responses and standardize workflows to meet the unique needs of organizations. On the landing page of the Investigation Playbooks module, users can search for existing playbooks or create new ones.

UI Breakdown

Playbook Search Panel

Purpose: Allows users to search, browse, and create custom investigation playbook categories.

Key Features:

  • Search Bar: Provides text-based search functionality for quick access to specific playbooks.

  • Playbook Categories: Organizes playbooks into predefined categories.

  • Custom Folders: Enables users to create and organize playbooks into custom folders.

  • Playbook Count: Displays the number of playbooks available in each category or folder.


Playbook Addition Menu (Top Left Dropdown)


Purpose: Enables users to add new playbooks using various methods.

Key Features:

  • Manual Builder: Opens an interface for manual creation of playbooks.

  • AI Builder: Uses AI to assist in generating playbooks.

  • Import Playbook: Allows importing existing playbooks. See step 3b in Using a Template.


Playbook Listing Panel

Purpose: Displays a grid view of available playbooks within the selected category or folder.

Key Features:

  • Playbook Cards – Each playbook is represented as a card that includes:

    • Playbook Name: Clearly labeled for easy identification.

    • Task Count: Indicates the total number of tasks in the playbook.

    • Permission: Whether the user is a viewer, editor, or owner of the playbook.

    • Operational Mode and Availability Indicator: The operational mode of a current playbook—orange for mode and green for mode. The displayed number indicates how many sites this playbook has been published to.

    • Description: A summary or use case for the playbook.

  • Sorting Options: Organizes playbooks by integration, last modified time, or alphabetical order.


Playbook Library (Top Right Button)

See Playbook Library.

Life Cycle

The investigation playbook life cycle begins when an event is escalated and linked to an incident. The playbook conducts cybersecurity investigations through tasks, dynamically running response workflows and attempting resolution.

Diagram and Examples

This diagram represents a generic life cycle of an investigation playbook within an automated response process.

  1. Event Escalation: The process begins with a decision to escalate an event (e.g., phishing email), as configured in the preprocessing playbook. This can be done via the Escalate playbook task.

  2. Event-Incident Linking: Escalated events are linked to an incident, marking the start of the investigation playbook life cycle.

  3. Playbook Execution: The On Playbook Start workflow initiates a dynamic sequence of investigations and analyses, addressing the incident step by step.
    EXAMPLE COMMANDS FOR HANDLING PHISHING EMAILS
    - Extract Texts Matching Regular Expression (utility command)
    - Extract URLs from JSON Object (utility command)
    - Get Email Attachments (Office 365)
    - Get File Reports (VirusTotal v3)
    - Get Domain Reports (VirusTotal v3)
    - Get URL Reports (VirusTotal v3)
    - Convert JSON Array to HTML Table with Header (utility command)
    - Set Incident Fields (utility command)
    - Send Email (utility command)
    - Send Interactivity (Slack)
    - Delete Email Message (Office 365)
    - Close Incident (utility command)
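The following is an added example, not code from the D3 product or its documentation, showing the shape of the task sequence listed above as a small Python playbook: URL extraction by regular expression, a reputation lookup standing in for the VirusTotal report commands, a JSON-array-to-HTML-table conversion for the analyst summary, incident field updates, and a close-or-escalate decision. The event schema, the `REPUTATION` table, and every function and field name are assumptions made for this example; the only decision logic worth noting is that indicators with no verdict leave the incident open for an analyst instead of auto-closing it.

```python
import html
import re
from dataclasses import dataclass, field

# Constructed sample event: a phishing-style email in a made-up JSON shape,
# not D3's own event format.
SAMPLE_EVENT = {
    "message_id": "<constructed-001@example.test>",
    "sender": "billing@examp1e-invoices.test",
    "subject": "Invoice overdue - action required",
    "body": "Pay now at http://examp1e-invoices.test/pay or read https://docs.example.com/help",
    "attachments": [
        {"name": "invoice.pdf", "sha256": "a" * 64},
        {"name": "details.zip", "sha256": "b" * 64},
    ],
}

# Constructed reputation table standing in for the VirusTotal file/domain/URL
# report commands on the page. Indicators absent from it come back "unknown".
REPUTATION = {
    "examp1e-invoices.test": "malicious",
    "docs.example.com": "clean",
    "b" * 64: "malicious",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_urls(text):
    """Extract Texts Matching Regular Expression: pull URLs out of free text."""
    return URL_RE.findall(text)


def domain_of(url):
    """Host part of a URL, lower-cased, without scheme, path or port."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()


def get_report(indicator):
    """Hypothetical reputation lookup; unknown indicators stay 'unknown'."""
    return REPUTATION.get(indicator, "unknown")


def json_array_to_html_table(rows):
    """Convert JSON Array to HTML Table with Header, escaping every cell."""
    if not rows:
        return "<table></table>"
    headers = list(rows[0].keys())
    head = "".join(f"<th>{html.escape(h)}</th>" for h in headers)
    body = "".join(
        "<tr>" + "".join(f"<td>{html.escape(str(r.get(h, '')))}</td>" for h in headers) + "</tr>"
        for r in rows
    )
    return f"<table><tr>{head}</tr>{body}</table>"


@dataclass
class Incident:
    fields: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)
    status: str = "open"


def run_phishing_playbook(event):
    """Run the example task sequence against one escalated email event."""
    incident = Incident()
    urls = extract_urls(event["body"])
    verdicts = [{"indicator": u, "type": "url", "verdict": get_report(domain_of(u))} for u in urls]
    verdicts += [{"indicator": a["name"], "type": "file", "verdict": get_report(a["sha256"])}
                 for a in event["attachments"]]
    results = {v["verdict"] for v in verdicts}

    # Set Incident Fields: record findings plus an analyst-readable table.
    incident.fields["sender"] = event["sender"]
    incident.fields["verdicts"] = verdicts
    incident.fields["summary_html"] = json_array_to_html_table(verdicts)

    if "malicious" in results:
        incident.fields["severity"] = "high"
        incident.actions += ["send_email", "send_interactivity", "delete_email_message"]
        incident.fields["resolution"] = "confirmed phishing"
        incident.status = "closed"
    elif verdicts and results == {"clean"}:
        incident.fields["severity"] = "low"
        incident.fields["resolution"] = "false positive"
        incident.status = "closed"
    else:
        # No indicators, or unknown verdicts: hand to an analyst, do not auto-close.
        incident.fields["severity"] = "medium"
        incident.actions.append("send_interactivity")
    return incident


if __name__ == "__main__":
    inc = run_phishing_playbook(SAMPLE_EVENT)
    print(inc.status, inc.fields["severity"], inc.actions)
```

Running the block on the constructed sample closes the incident as confirmed phishing with the message deletion and notification tasks queued; a body containing only clean indicators closes as a false positive, and an unknown domain leaves the incident open at medium severity.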

Investigation Playbook Types

Built-in Investigation Playbooks

Built-in investigation playbooks are preconfigured by D3 to address common cybersecurity threats, enabling quick deployment and serving as templates for customization.
EXAMPLE


A section of the Phishing playbook.

Custom Investigation Playbooks

Custom investigation playbooks are user-defined workflows used to address unique operational needs.

READER NOTE

  • See My First Playbook to create your first playbook.

  • D3 engineers assist in designing playbooks tailored to unique business requirements. Contact us today.

  • [February 2025] New AI-assisted playbook builder is under development! Stay tuned.
