Set up the Repeat Detection playbook

  • Release version: Washington DC
  • Updated February 2, 2024

    Use the following steps to set up the Repeat Detection playbook.

    Before you begin

    Role required:
    • sn_si.admin
    • flow_designer
    Make sure you have installed the Security Operations Spoke (sn_sec_spoke). You can optionally modify the following system properties:
    • sn_sec_spoke.similarphish.earlyterminationscore
    • sn_sec_spoke.similarphish.lookbackdays
    • sn_sec_spoke.similarphish.maxcomparisonsize
    • sn_sec_spoke.similarphish.minmatchscore

    Procedure

    1. Log in as a user with the sn_si.user and flow_designer roles.
    2. Navigate to All > Flow Designer and select the Repeat Detection playbook.
    3. Optional: You can create a copy of the Repeat Detection playbook flow and make the necessary modifications.
      To create a copy of the playbook's flow, click the More actions menu icon and select Copy flow. Perform this step only if you plan to customize or make specific changes to the flow.
      Figure 1. Repeat Detection playbook
      Overview of the Repeat Detection playbook
    4. Activate the playbooks.
      • Activate the main flow to use the playbook available in the base system.
      • Activate the copied flows after making the required changes.
    5. Set a Trigger Condition for the playbook.

      This playbook is triggered when the Security Incident is not empty.

      Trigger condition for Repeat Detection playbook.