Is there more information on Playbooks?

cbester · ‎09-18-2018

For example, can we create our own? Can we edit them?

Jon Williams · ‎09-18-2018

Hi cbester,

To answer both of your questions, yes you can both create new ones as well as edit them. Expanding on that, it is a matter of understanding how the Playbooks work, and the relationship of Runbooks, Knowledge Base Articles and Workflows that are required to create them.

Runbooks are used to create an association between published Knowledge Base Articles and Security Incident Response Task. This allows you to implement your needed Playbook in ServiceNow by first creating separate KB articles for each of the required tasks in the Playbook. Using the KB articles for your Playbooks tasks also gives you the enhanced ability to create and present concise, descriptive tasks for your analysts.

Once you've created the KB articles you can then create a Runbook. This is where you will set criteria for which Response Tasks should have a specific KB article attached to them (i.e. - "short description" "contains" "Run Malware Scan"). When a new Response Task is created if the criteria in the Runbook matches it will attach the KB article you have chosen for that task.

The Playbook itself will be ran from a workflow that you've created to handle the specific type of Security Incident. For instance if you created a workflow that handles Phishing type incidents it would include in it all the Response Tasks from your Playbook to handle those incidents. Then when a new Security Incident is generated and your "Phishing Playbook" workflow is triggered it would begin generating the Response Tasks contained in the workflow and as they are generated the Runbooks would associate the specific KB article for each task. The Playbook Name which you would see is pulled from the "Category" field of the new Security Incident. It's also good to know that if you want to you can reuse Response Tasks in other workflows and the Runbook will still create the association so you don't need to recreate the KB article.

A little long-winded but I hope this answers your question. I've also attached below a flow diagram to help understand the process.

cbester · ‎10-26-2018

I have more questions - where would I go to change how the new interface works? For example, if I have a response task on an incident, opened with the new interface, there's a "Mark as Completed" button. If I click on it, the form hangs, and if I close it and reopen the task, I get a message that I need to enter work notes. I'd like to be able to check the script that's running there, so that I can get that working.

Also, if I open a response task from the new interface, and select an assignment group, the assigned to field isn't filtered to just show people in the group. I'm not sure where I can go to fix that. If I look at the response task form itself, there is a dictionary override on the field, it just doesn't seem to apply on the new UI.

cbester · ‎09-19-2018

Thanks for the info! This is just what I was looking for!

Jon Williams · ‎09-19-2018

Great! I'm glad to hear I could help.