‎Investigation Playbooks

Playbook Search Panel

Purpose: Allows users to search, browse, and create custom investigation playbook categories.

Key Features:

• Search Bar: Provides text-based search functionality for quick access to specific playbooks.

• Playbook Categories: Organizes playbooks into predefined categories.

• Custom Folders: Enables users to create and organize playbooks into custom folders.

  

• Playbook Count: Displays the number of playbooks available in each category or folder.

Playbook Addition Menu (Top Left Dropdown)

Purpose: Enables users to add new playbooks using various methods.

Key Features:

• Manual Builder: Opens an interface for manual creation of playbooks.

  

• AI Builder: Uses AI to assist in generating playbooks.

  

• Import Playbook: Allows importing existing playbooks. See step 3b in Using a Template.

  

Playbook Listing Panel

Purpose: Displays a grid view of available playbooks within the selected category or folder.

Key Features:

• Playbook Cards – Each playbook is represented as a card that includes:

  • Playbook Name: Clearly labeled for easy identification.

    

  • Task Count: Indicates the total number of tasks in the playbook.

    

  • Permission: Whether the user is a viewer, editor, or owner of the playbook.

    

  • Operational Mode and Availability Indicator: The operational mode of a current playbook—orange for mode and green for mode. The displayed number indicates how many sites this playbook has been published to.

    

    

  • Description: A summary or use case for the playbook.

    

    

• Sorting Options: Organizes playbooks by integration, last modified time, or alphabetical order.

  

Playbook Library (Top Right Button)

See Playbook Library.

This diagram represents a generic life cycle of an investigation playbook within an automated response process.

1. Event Escalation: The process begins with a decision to escalate an event (e.g., phishing email), as configured in the preprocessing playbook. This can be done via the Escalate playbook task.

2. Event-Incident Linking: Escalated events are linked to an incident, marking the start of the investigation playbook life cycle.

3. Playbook Execution: The On Playbook Start workflow initiates a dynamic sequence of investigations and analyses, step-by-step addressing the incident.
   EXAMPLE COMMANDSFOR HANDLING PHISHING EMAILS
   - Extract Texts Matching Regular Expression (utility command)
   - Extract URLs from JSON Object (utility command)
   - Get Email Attachments (Office 365)
   - Get File Reports (VirusTotal v3)
   - Get Domain Reports (VirusTotal v3)
   - Get URL Reports (VirusTotal v3)
   - Convert JSON Array to HTML Table with Header (utility command)
   - Set Incident Fields (utility command)
   - Send Email (utility command)
   - Send Interactivity (Slack)
   - Delete Email Message (Office 365)
   - Close Incident (utility command)