Use the Repeat Detection playbook

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 4 min
  • Use this playbook to check whether an incident response was already provided for an exact or similar phishing report in the past and, if so, to automatically apply the same handling to the new report. The following steps walk you through the actions, tasks, and subflows that are available in the Repeat Detection playbook.

    Before you begin

    Role required:
    • sn_si.admin
    • flow_designer

    Procedure

    1. When the playbook is triggered and starts executing, in Action 1, the playbook retrieves the relative date of the security incident using the day configuration.
    2. In Action 2, the playbook looks up the Task Observable records on the table sn_ti_m2m_task_observable that match the incident based on the Message ID.
      Figure 1. Repeat Detection playbook
      Look up task observable records based on Message ID.
    3. In Action 3, the playbook compares the Task Observables and Email body using the Levenshtein algorithm for incidents that matched the Message ID.
    4. In Action 4, based on the investigation done so far, the playbook checks whether a matching incident was found based on the Message ID.
      In Action 5, if a matching incident is found, the playbook automatically adds a work note stating that a match was found by the Repeat Detection automation. In Action 6, the flow ends.
    5. If the matching incident is not found, then in Action 7, the playbook looks up the Task Observable records on the table sn_ti_m2m_task_observable that match the incident based on the Subject.
    6. In Action 8, the playbook compares the Task Observables and Email body using the Levenshtein algorithm for incidents that matched the Subject.
    7. In Action 9, the playbook checks whether a matching incident was found.
      In Action 10, if a matching incident is found, the playbook automatically adds a work note stating that a match was found by the Repeat Detection automation. In Action 11, the flow ends.
      Figure 2. Matching incident
      When a matching incident is found, the work notes are updated.
    8. In Action 12, the playbook looks up the Task Observable records on the table sn_ti_m2m_task_observable that match the incident based on the Address.
    9. In Action 13, the playbook compares the Task Observables and Email body using the Levenshtein algorithm for incidents that matched the Address.
    10. In Action 14, the playbook checks whether a matching incident was found based on the Address.
      In Action 15, if a matching incident is found, the playbook automatically adds a work note stating that a match was found by the Repeat Detection automation. In Action 16, the flow ends.
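    The cascade above, modelled as an added stand-alone example (not ServiceNow's playbook code): prior reports are matched on Message ID, then Subject, then Address, and the email bodies of the candidates are scored with Levenshtein distance. The prior-report records, the 0.8 similarity threshold, and the work note wording are assumptions for illustration.

```javascript
// Levenshtein edit distance between two strings (single-row dynamic programming).
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];           // cell above-left of the one being computed
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Normalised similarity in [0, 1]: 1 means identical email bodies.
function similarity(a, b) {
  const longest = Math.max(a.length, b.length);
  return longest === 0 ? 1 : 1 - levenshtein(a, b) / longest;
}

// Constructed prior phishing reports, standing in for sn_ti_m2m_task_observable rows.
const PRIOR_REPORTS = [
  { incident: 'SIR0010001', messageId: '<abc@mail.example>', subject: 'Invoice overdue',
    address: 'billing@example.test', body: 'Please pay the attached invoice today.' },
  { incident: 'SIR0010002', messageId: '<def@mail.example>', subject: 'Password reset',
    address: 'it@example.test', body: 'Your password expires soon, reset it here.' },
];

// Cascade in the playbook's order: Message ID, then Subject, then Address. Within a stage,
// keep the prior report whose body is most similar, if it reaches the (assumed) threshold.
function findRepeat(report, priors = PRIOR_REPORTS, threshold = 0.8) {
  const stages = [['messageId', 'Message ID'], ['subject', 'Subject'], ['address', 'Address']];
  for (const [field, label] of stages) {
    let best = null;
    for (const prior of priors.filter(p => p[field] === report[field])) {
      const score = similarity(report.body, prior.body);
      if (score >= threshold && (best === null || score > best.score)) {
        best = { incident: prior.incident, matchedOn: label, score };
      }
    }
    if (best) return best;   // Actions 4/9/14: a match ends the cascade
  }
  return null;               // no repeat found at any stage
}

// Work note text appended when a match is found (Actions 5/10/15); wording is assumed.
function workNote(match) {
  return match ? `Repeat Detection: matched ${match.incident} on ${match.matchedOn} (similarity ${match.score.toFixed(2)})` : null;
}
```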