How to create a playbook on Security Incident Response?

Shantharao
Kilo Sage

Hello All,

I am new to SecOps implementation and got an opportunity to configure a new Playbook in the Security Incident Response.


What are the best practices to follow?

What are the prerequisites?

How to implement a new Playbook for enriching the Security Incident Response?

Any useful videos/links to learn and implement without any deviation?

Any real-time practical implementation doc?

Thanks in advance.


VaranAwesomenow
Mega Sage

What are the best practices to follow?

A1: The best practices for creating playbooks include ensuring user-friendly process visualization and providing step-by-step guidance for resolving processes. Playbooks should help users visualize the entire lifecycle of a workflow and be created within the Process Automation Designer (PAD). It is important to use the flow designer for extensible workflow automation, giving security teams more control and autonomy while reducing reliance on the platform team. Additionally, playbooks should be designed to automatically or manually invoke actions based on predefined conditions, and they should be able to run in parallel to existing playbooks if necessary. The playbook experience should be visible only if at least one playbook is associated with a security incident, and it should be configured to add multiple entry points, parent table records, and child table records to the investigation canvas. Furthermore, converting old playbook flows to PAD flows using the wrapper process generator tool ensures compatibility with the Security Incident Response (SIR) workspace. Finally, incorporating knowledge articles or runbooks related to playbook records can fill gaps in task-specific directions, providing additional guidance for analysts.


What are the prerequisites?

A2: To create a playbook, several prerequisites must be met. First, the playbook must be associated with a security incident, and it will only be visible if at least one playbook is linked to the incident. The playbook component works exclusively for processes built using the Process Automation Designer (PAD) and not for those created with Flow Designer. If there is already an existing playbook, any new playbooks added will run in parallel to the existing ones. Additionally, to invoke a playbook automatically, a process must be defined using PAD, and once the trigger condition is met, the playbook activities will be displayed. Alternatively, playbooks can be manually invoked from the UI action drop-down by selecting the option to manually invoke the playbook.

How to implement a new Playbook for enriching the Security Incident Response?

A3:

To implement a new playbook for enriching the Security Incident Response, follow these steps:

1. **Define the Process Using PAD (Process Automation Designer)**: Create a process definition using PAD. This involves defining the stages and activities that will be part of the playbook. The activities can include tasks such as creating block requests, deleting emails, getting observables, enriching observables, resetting passwords, running a playbook, running sighting searches, and searching emails.

2. **Invoke the Playbook**: You can invoke the playbook either automatically or manually. To invoke it automatically, define a trigger condition in PAD. Once the trigger condition is met, the playbook activities will be displayed. To invoke the playbook manually, use the UI action drop-down and select "manually invoke playbook."

3. **Add Playbook UI Action**: Use the "Add playbook action" to add playbooks to a security incident even if they do not match the trigger conditions, provided the selected playbooks are not in a running state.

4. **Convert Old Playbook Flows to PAD Flows**: If you have existing playbook flows created using Flow Designer, you can convert them to PAD flows using the wrapper process generator tool. This involves selecting the flows, stages, and generating the process. Verify the trigger conditions, mapping, and ensure that the activities are correctly placed in the lanes.

5. **Configure Playbook Experience**: Ensure that the playbook experience is configured to work within the Security Incident Response workspace. This involves setting up the framework steps, adding common runtime inputs, and specific runtime inputs against each implementation.

6. **Integrate with Security Products or MSSP**: Utilize integrations with third-party monitoring tools such as Splunk to automatically react to notifications created from Splunk events, alerts, and logs. This can drive the response process by assigning manual tasks for analysis or automatically addressing events using workflows or orchestration activities.

By following these steps, you can effectively implement a new playbook for enriching the Security Incident Response, ensuring a streamlined and automated process for handling security incidents.


Any real-time practical implementation doc?

You can refer to the Now Create content for Security Incident Response and Threat Intelligence - Process Guide.