
Stage Tasks

LAST UPDATED: MARCH 21, 2025

A stage task begins a phase in which all tasks up to the next stage task or leaf node form a unit of investigation, which is reflected in the incident workspace. It marks transition points, reducing the need to sift through multiple tasks when tracing playbook execution or editing a workflow.

Stage Examples by Playbook Type

EXAMPLE 1

A phishing playbook may include stages such as:

  • Email Analysis

  • IP Enrichment

  • URL Enrichment

  • Attachment Enrichment

  • Domain Enrichment

  • Threat Summary

  • User Notification

EXAMPLE 2

An insider threat investigation playbook may include stages such as:

  • Anomaly Detection

  • User Behavior Analysis

  • Data Exfiltration Analysis

  • Identity and Access Review

  • Threat Correlation and Risk Assessment

  • Incident Escalation and Stakeholder Notification

EXAMPLE 3

A cloud security breach response playbook may include stages such as:

  • Unauthorized Activity Detection

  • Asset Inventory and Exposure Assessment

  • Threat Intelligence Correlation

  • Containment and Access Restriction

  • Data Exfiltration and Integrity Check

  • Forensic Investigation and Log Analysis

  • Recovery and System Restoration

  • System Reinforcement

Stage tasks in branching workflows (2.1–2.4 in the diagram below) keep the workflow clearly organized and tracked, reducing the chance that tasks are overlooked and making playbooks easier to manage and to communicate about across teams.

Stage Task.drawio (1)-20250305-211225.png
Example - Tracking the Investigation Stage

OBJECTIVE
Tracking the execution of a live multi-stage playbook in the incident workspace as stages progress and complete.


  1. Build the following playbook.

READER NOTE

  • Ensure all stage tasks are configured to auto-run.

  • Configure the first data formatter task as non-auto-run.

  • Configure the second data formatter task to auto-run.

  1. Submit this playbook.

  2. Publish this playbook to the relevant sites.

  3. Create a new incident.

  4. Configure the incident to run the submitted playbook, then click on the + Add button.

  5. Navigate to the incident workspace of the manually created incident.

  6. Observe the current investigation stage of this incident, then open the running playbook.


    Incident Workspace UI in Earlier D3 vSOC Versions

    Frame 11.png
  7. Click on the pending interaction task.

  8. Provide an input, then click on the button.

  9. Observe the change in investigation stage, then return to the running playbook.


    Incident Workspace UI in Earlier D3 vSOC Versions

    Frame 15-20250305-231244.png
  10. Click on the pending data formatter task.

  11. Click on the button.

  12. Verify that all tasks have run to completion.

  13. Observe the change in investigation stage.


    Incident Workspace UI in Earlier D3 vSOC Versions

    Frame 20 (2)-20250305-232754.png

Assigning Investigation Units


Non-auto-run stage tasks can be configured to require an assignee to initiate the corresponding investigation unit, with assignment based on username, role, or group. A due time may also be set to ensure compliance with SLA or business requirements.

In (submitted and running) playbooks, assigned stage tasks will appear as pending tasks.

Stage Tasks as Pending Tasks

Investigation Dashboard

Group 110.png

Incident Workspace

Group 109.png
Example 1 - Kick-Starting an Investigation Unit

OBJECTIVE

Understanding the impact of assigning an assignee by role.


  1. Ensure a Demo Investigator role is created and configured to be able to edit accessible records.

  2. Ensure that at least one user is assigned the Demo Investigator role.

  3. Create the following investigation playbook, assigning the Stage 1 (Assigned) task to users with the Demo Investigator role.

    Frame 31-20250311-022138.png

READER NOTE

  • Configure all tasks in the top execution stream to non-auto-run.

  • Configure all tasks in the bottom execution stream to auto-run.

  1. Submit this playbook.

  2. Publish this playbook to the relevant sites.

  3. Click on the Frame 29-20250311-020852.png button, configure the incident to run the submitted playbook, then click on the Frame 30-20250311-021142.png button.

  4. Navigate to the Playbooks sub-module within the incident workspace.

  5. Click on the pending Stage 1 (Assigned) task.

    • View Based on Assignment:

      • Assignees

        Frame 25-20250311-023027.png
      • Non-Assignees (with the same role)

        Frame 27-20250311-023100.png

Assignees can now track workflow progress, monitor execution, provide required inputs, document outcomes, and take actions per SOC or business requirements.

Example 2 - Building and Testing a Playbook for IP Reputation Analysis

SCENARIO

An analyst is building a playbook to check IP reputation, using stage tasks to organize workflow and ensure an email is sent only after the preceding stage task executes.


Here is how they built the playbook:

  1. Add a stage task to the On Playbook Start trigger to mark the beginning of the IP analysis.

  2. Name the task Begin IP Analysis, select the Auto Run checkbox, then click the Group 112.png button to save.

  3. Add a command task that can check the reputation of IP addresses (e.g., the Check IP Reputation command from VirusTotal v3) to the stage task, and configure it.

  4. Add a stage task to the previous task to control the workflow progression.

  5. Name the task Triage, assign it to a user, and set a due time.

  6. (Optional) Add an instruction for the assignee, then click the Group 112.png button to save the task.

  7. Add the Send Email utility command task to the previous task, and configure it.

  8. Submit this playbook.

  9. Publish this playbook to the relevant sites.

  10. Click on the Frame 29-20250311-020852.png button, configure the incident to run the submitted playbook, then click on the Frame 30-20250311-021142.png button.

  11. Ask the assigned investigator to click the assigned stage task in the Pending Tasks Assigned to Me view on their investigation dashboard.

  12. Ask the investigator to click the Run button after performing the task stated in the Instruction section to move along the playbook execution.


RESULT

Executing the Triage task enabled the subsequent Send Email task to run. The recipient will receive the email sent by the command task, as shown in the image below.

Group 117.png
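
The gating in this scenario, and the rule that a stage task owns every task up to the next stage task or leaf node, can be modelled offline. The Python below is an added illustration, not D3 code or a D3 API: the `Task` and `Run` classes, the rule that the investigation stage is the most recently executed stage task, and auto-run for the two command tasks are assumptions of the model.

```python
from dataclasses import dataclass, field

@dataclass
class Task:
    name: str
    kind: str                 # "stage" or "command" (assumed labels)
    auto_run: bool = True
    children: list = field(default_factory=list)

def investigation_units(root):
    """Map each stage task to the tasks after it, up to the next stage or a leaf."""
    units = {}
    def walk(task, stage):
        if task.kind == "stage":
            stage = task.name
            units.setdefault(stage, [])
        elif stage is not None:
            units[stage].append(task.name)
        for child in task.children:
            walk(child, stage)
    walk(root, None)
    return units

class Run:
    """Assumed execution model: auto-run tasks execute, the rest wait as pending."""
    def __init__(self, root):
        self.done, self.pending, self.stage = [], [], None
        self.execute(root)    # the root hangs off the On Playbook Start trigger

    def execute(self, task):
        """Run one task (auto-run or started by its assignee), then cascade."""
        if task in self.pending:
            self.pending.remove(task)
        self.done.append(task.name)
        if task.kind == "stage":
            self.stage = task.name      # stage shown in the incident workspace
        for child in task.children:
            if child.auto_run:
                self.execute(child)
            else:
                self.pending.append(child)

def example_2_playbook():
    """Constructed copy of the Example 2 playbook, using the task names above."""
    send = Task("Send Email", "command")
    triage = Task("Triage", "stage", auto_run=False, children=[send])
    check = Task("Check IP Reputation", "command", children=[triage])
    return Task("Begin IP Analysis", "stage", children=[check])
```

Calling `Run(example_2_playbook())` stops with Triage pending and Send Email not yet run; passing the pending Triage task to `execute` plays the part of the assignee clicking Run.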