How to create a playbook on Security Incident Response?

Shantharao
Kilo Sage

Hello All,

I am new to SecOps implementation and got an opportunity to configure a new Playbook in the Security Incident Response.


What are the best practices I need to follow?

What are the prerequisites?

How do I implement a new Playbook for enriching the Security Incident Response?

Any useful videos/links to learn and implement without any deviation?

Any real-time practical implementation doc?

Thanks in advance.


Musab Rasheed
Tera Sage

Hi,

Go through the two videos below and try to implement the same for your module. Mark my answer as correct if that helps.

https://www.youtube.com/watch?v=FU04cqUXIko

https://www.youtube.com/watch?v=iIuMxOW1HcY

Regards

Please hit like and mark my response as correct if that helps
Regards,
Musab

Can you give me the latest version to create a playbook in Security Incident Response?

Fatih Karacaer
ServiceNow Employee

Hi Shantharao,

Let's first clarify the term Playbook. Are you referring to a set of actions that need to be done during a security incident? If so, below are my recommendations.

1- Identify the trigger action for this playbook. For example, a phishing-category SIR is created; then your playbook will be executed.

2- Compile a list of actions that need to be done (possibly on paper).

3- Convert these actions into a process flow with logic. Depending on the outcome of the steps and processing in the flow, different steps might be executed in a different order.

4- Create a Flow Designer flow based on the information you compiled in the above steps.

I strongly recommend you leverage Flow Designer for this.

Flow Designer will provide you access to predefined subflows and actions within SecOps and other scoped applications. You can create automation activities, or you can create manual response tasks (steps in the incident response) for the security analysts to complete.

Hope it helps!
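A small added example, not part of this thread and not ServiceNow's Flow Designer: the four design steps above modelled in plain JavaScript, with a trigger condition, a branching step list that mixes automated activities and manual analyst tasks, and a runner that executes it against constructed sample incidents. The field names (`ioc_malicious`, `user_clicked`), step names and SIR numbers are assumptions made for illustration, not the SIR schema.

```javascript
// Added example: a runnable model of "trigger -> action list -> branching flow".
// Field and step names are constructed for illustration, not ServiceNow's schema.

// Step 1: trigger condition. Here: a newly created SIR in the "phishing" category.
function phishingTrigger(sir) {
  return sir.state === "new" && sir.category === "phishing";
}

// Steps 2-3: the action list with branching logic. Each step is either an
// automated activity ("auto") or a manual response task for an analyst
// ("manual"), and its next() decides the following step from the incident.
const PHISHING_PLAYBOOK = {
  trigger: phishingTrigger,
  start: "extract_iocs",
  steps: {
    extract_iocs:      { kind: "auto",   next: () => "check_reputation" },
    check_reputation:  { kind: "auto",   next: sir => sir.ioc_malicious ? "contain" : "close_benign" },
    contain:           { kind: "auto",   next: sir => sir.user_clicked ? "reset_credentials" : "notify_users" },
    reset_credentials: { kind: "manual", next: () => "notify_users" },
    notify_users:      { kind: "manual", next: () => null },
    close_benign:      { kind: "auto",   next: () => null },
  },
};

// Step 4 analogue: run the playbook against one incident and return the ordered
// steps executed. A cycle guard catches a mis-designed flow instead of looping.
function runPlaybook(playbook, sir) {
  if (!playbook.trigger(sir)) return [];          // trigger not met: nothing runs
  const executed = [];
  const seen = new Set();
  let current = playbook.start;
  while (current !== null) {
    if (seen.has(current)) throw new Error("cycle in playbook at step " + current);
    seen.add(current);
    const step = playbook.steps[current];
    if (!step) throw new Error("unknown step " + current);
    executed.push({ step: current, kind: step.kind });
    current = step.next(sir);
  }
  return executed;
}

// The manual response tasks an analyst would be assigned for a given run.
function manualTasks(executed) {
  return executed.filter(e => e.kind === "manual").map(e => e.step);
}

// Constructed sample incidents (not real records).
const SAMPLE_SIRS = [
  { number: "SIR0001001", state: "new", category: "phishing", ioc_malicious: true,  user_clicked: true },
  { number: "SIR0001002", state: "new", category: "phishing", ioc_malicious: false, user_clicked: false },
  { number: "SIR0001003", state: "new", category: "malware",  ioc_malicious: true,  user_clicked: false },
];
```

Running `runPlaybook(PHISHING_PLAYBOOK, s)` for each sample shows the first incident taking the containment and credential-reset path, the second closing as benign after reputation checks, and the malware incident never triggering this playbook at all.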

JennyHu
Tera Guru

Hi there,

This ServiceNow video, hosted by the Director of Product Management for Security Incident Response, is useful for understanding how to implement playbooks for SIR:

Playbooks for Password spray, Endpoint detection, and Typo-squatted domain - Demo webinar - YouTube

There are a number of out-of-the-box playbooks in Flow Designer you can review: Security Incident Response playbooks (servicenow.com). From there, you can get some ideas on how to create your own playbooks.

Hope this helps!

Jenny