How to create a play book on Security Incident Response????
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-05-2022 03:09 AM
Hello All,
I am new to SecOps implementation and got an opportunity to configure a new Playbook in the Security Incident Response.
What are the best practices need follow?
What are the prerequisites?
How to implement a new Playbook for enriching the Security Incident Response
any useful videos/links to learn and implement without any deviation
any realtime practical implementation doc.
Thanks in advance.
- Labels:
-
Security Incident Response

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-05-2022 04:20 AM
Hi,
Go through below two videos and try to implement the same for your module. Mark my answer as correct if that helps
https://www.youtube.com/watch?v=FU04cqUXIko
https://www.youtube.com/watch?v=iIuMxOW1HcY
Regards
Regards,
Musab
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-31-2025 11:29 PM
Can you give me latest version to create a playbook in security incident response.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-05-2022 08:13 AM
Hi Shantarao,
Let's first clarify the term Playbook. Are you referring to a set of actions that needs to be done during a security incident. If so below are my recommendations.
1- Identify what is the trigger action for this playbook? For example, a phishing category SIR is created. Then your playbook will be executed.
2- Compile a list of actions need to be done. (Possibly on paper.)
3- Convert these actions into a process flow with logic. Depending on the outcome of the steps and processing in the flow, different steps might be executed in different order.
4- Create a Flow designer Flow based on the information you compiled in the above steps.
I strongly recommend you to leverage Flow Designer for this.
Flow Designer will provide you access to predefined subflows and actions within SecOps and other scoped applications. You can create automation activities or you can create manual response tasks (steps in the incident response) for the security analysts to complete.
Hope it helps!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-13-2022 08:35 PM
Hi there,
This ServiceNow video hosted by the Director Product Management of Security Incident Response is useful to understand how to implement playbook for SIR:
Playbooks for Password spray, Endpoint detection, and Typo-squatted domain - Demo webinar - YouTube
There are a number of out of the box playbooks in Flow Designer you can review Security Incident Response playbooks (servicenow.com). From there, you can get some ideas on how to create your own playbooks.
Hope this helps!
Jenny