Dynamic Playbook Branching Using AI

nikhilra
Tera Contributor

I’m currently working on a Proof of Concept (POC) to use Now Assist within Security Incident Response (SIR) to enable AI‑driven dynamic playbook branching during security incident handling.


Objective

To leverage Now Assist so that the SIR playbook can adapt in real time based on AI evaluation of evolving security incident data. The goal is to:

  • Dynamically determine the correct playbook branch
  • Skip irrelevant investigation steps
  • Trigger specialized sub‑playbooks (e.g., malware, phishing, endpoint compromise)
  • Continuously reassess decisions as new evidence or indicators appear

Use Case Summary

Dynamic Playbook Branching Using AI in SIR

The idea is that during the execution of a security incident playbook, AI evaluates live data—including security-related fields, enrichment results, threat intel, artifacts, observables, comments, and attachments—and then guides the workflow down the most relevant remediation path.

Examples:

  • If AI detects IOCs related to phishing (malicious URLs, spoofed domains), it branches into the phishing-specific investigation playbook.
  • If logs or enrichment identify malware behavior, AI triggers the malware analysis sub‑playbook automatically.
  • If new threat intel updates the incident classification mid-process, the AI reassesses and adjusts the playbook flow accordingly.

Why do we need this?

Security incidents evolve rapidly, and static branching conditions don’t always reflect real-world scenarios. With AI:

  • Branch selection becomes context-aware
  • Repetitive or irrelevant steps can be skipped
  • Triage time reduces significantly
  • Analysts get guided toward targeted investigative actions

Would really appreciate any insights or implementation examples from others who have tried something similar in Security Incident Response.

Thanks in advance!
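One way to make the branching idea above concrete, as an added example that is not part of the post and not Now Assist or ServiceNow SIR code: a deterministic rule-scoring stand-in for the "AI evaluation" step. It takes the kind of evidence the post lists (observables, enrichment results, threat-intel classification), scores each candidate branch, selects the sub-playbook, reports which generic steps that branch lets the analyst skip, and re-evaluates when new evidence arrives mid-playbook. The step names, branch names, rule weights, evidence schema and sample incident are all constructed assumptions; it is plain Node.js JavaScript, chosen because ServiceNow scripting is JavaScript, not a Now Assist skill definition.

```javascript
// Constructed example (not Now Assist or ServiceNow SIR code): a deterministic
// rule-scoring stand-in for the AI evaluation that picks a playbook branch from
// live incident evidence and re-evaluates it when new evidence arrives.

// Every step the generic SIR playbook would run if nothing narrows the path (hypothetical names).
const GENERIC_STEPS = [
  "collect_email_headers", "detonate_attachment", "check_edr_alerts",
  "isolate_host", "reset_credentials", "block_indicators",
];

// Sub-playbooks and the subset of generic steps each one keeps (hypothetical).
const BRANCHES = {
  phishing: ["collect_email_headers", "reset_credentials", "block_indicators"],
  malware: ["detonate_attachment", "check_edr_alerts", "block_indicators"],
  endpoint_compromise: ["check_edr_alerts", "isolate_host", "reset_credentials"],
  generic: GENERIC_STEPS,
};

const MIN_SCORE = 3; // below this the evidence is too thin to leave the generic path

// Weighted rules over observables, enrichment results and threat-intel classification.
const RULES = [
  { name: "malicious URL observable", branch: "phishing", weight: 3,
    match: (ev) => ev.observables.some((o) => o.type === "url" && o.verdict === "malicious") },
  { name: "spoofed sender domain", branch: "phishing", weight: 2,
    match: (ev) => ev.observables.some((o) => o.type === "domain" && o.tags.includes("spoofed")) },
  { name: "sandbox verdict malicious", branch: "malware", weight: 3,
    match: (ev) => ev.enrichment.some((e) => e.source === "sandbox" && e.verdict === "malicious") },
  { name: "known-bad file hash", branch: "malware", weight: 2,
    match: (ev) => ev.observables.some((o) => o.type === "file_hash" && o.verdict === "malicious") },
  { name: "EDR alerts on host", branch: "endpoint_compromise", weight: 3,
    match: (ev) => ev.enrichment.some((e) => e.source === "edr" && e.alerts > 0) },
  // Threat intel can reclassify the incident mid-process; it outweighs any single IOC.
  ...Object.keys(BRANCHES).filter((b) => b !== "generic").map((b) => ({
    name: `threat intel classification: ${b}`, branch: b, weight: 4,
    match: (ev) => ev.threatIntel.classification === b,
  })),
];

// Sum the weights of every matching rule per branch and keep the rule names as rationale.
function scoreBranches(evidence) {
  const scores = {};
  const rationale = [];
  for (const rule of RULES) {
    if (rule.match(evidence)) {
      scores[rule.branch] = (scores[rule.branch] || 0) + rule.weight;
      rationale.push(rule.name);
    }
  }
  return { scores, rationale };
}

// Pick the best-scoring branch and list which generic steps it lets the analyst skip.
function selectBranch(evidence) {
  const { scores, rationale } = scoreBranches(evidence);
  let branch = "generic";
  let best = 0;
  for (const [candidate, score] of Object.entries(scores)) {
    if (score > best) { best = score; branch = candidate; } // first highest wins on ties
  }
  if (best < MIN_SCORE) branch = "generic";
  const steps = BRANCHES[branch];
  const skipped = GENERIC_STEPS.filter((step) => !steps.includes(step));
  return { branch, score: best, steps, skipped, rationale };
}

// Merge newly arrived evidence into the incident and re-run the decision.
function reassess(evidence, newEvidence, previous) {
  const merged = {
    observables: [...evidence.observables, ...(newEvidence.observables || [])],
    enrichment: [...evidence.enrichment, ...(newEvidence.enrichment || [])],
    threatIntel: { ...evidence.threatIntel, ...(newEvidence.threatIntel || {}) },
  };
  const decision = selectBranch(merged);
  return { evidence: merged, decision, changed: decision.branch !== previous.branch };
}

// Constructed sample incident: the initial evidence points at phishing.
const SAMPLE_INCIDENT = {
  observables: [
    { type: "url", value: "hxxp://login-verify[.]example", verdict: "malicious", tags: [] },
    { type: "domain", value: "examp1e-mail.example", verdict: "suspicious", tags: ["spoofed"] },
  ],
  enrichment: [],
  threatIntel: { classification: null },
};

// Constructed follow-up evidence: sandbox result and threat intel arrive mid-playbook.
const LATER_EVIDENCE = {
  observables: [{ type: "file_hash", value: "PLACEHOLDER_SHA256", verdict: "malicious", tags: [] }],
  enrichment: [{ source: "sandbox", verdict: "malicious", detail: "attachment drops an executable" }],
  threatIntel: { classification: "malware" },
};

function demo() {
  const first = selectBranch(SAMPLE_INCIDENT);            // phishing branch
  const second = reassess(SAMPLE_INCIDENT, LATER_EVIDENCE, first); // switches to malware
  console.log(JSON.stringify({ first, second: second.decision, changed: second.changed }, null, 2));
  return { first, second };
}

if (typeof require !== "undefined" && require.main === module) demo();
```

The rationale list is the part worth surfacing to the analyst: whatever replaces the scoring (a Now Assist prompt, a classifier) should return the evidence it relied on, so that a branch change caused by new threat intel is reviewable rather than silent, and the `MIN_SCORE` floor keeps thin evidence on the generic path instead of skipping steps prematurely.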
