Playbooks
此内容尚未提供中文翻译。
The Playbooks page provides management of automated response workflows. Each playbook defines trigger conditions and a sequence of configurable steps that execute when conditions are met.
Playbook Structure
Trigger Conditions
Each playbook has trigger conditions that determine when it activates:
- Alert severity — Trigger on CRITICAL, HIGH, or specific severity levels
- Alert type — Match specific detection rule categories
- Source — Filter by log source or connector
- Custom conditions — JSON-based condition matching
Steps
Each playbook contains ordered steps with:
- Step name — Descriptive action name
- Action type — The type of action to perform
- Configuration — Key-value parameters for the action (displayed as badges below each step)
Example step configurations:
channel: #security-alerts,severity_filter: critical,high(Slack notification)duration: 24h,scope: network(Host isolation)hash_types: sha256,md5,submit_to: sandbox(Malware analysis)
Built-in Playbooks (12)
| Playbook | Trigger |
|---|---|
| Ransomware Response | File encryption patterns detected |
| Brute Force Response | 10+ failed logins in 5 minutes |
| Phishing Response | Malicious email detected |
| Credential Compromise | Impossible travel or leaked credentials |
| Lateral Movement | Unusual RDP/SMB/WinRM between hosts |
| Data Exfiltration | Unusual outbound data volume |
| Insider Threat | Abnormal data access patterns |
| Spoofing Detection | ARP/DNS/IP spoofing detected |
| DDoS Mitigation | Traffic exceeds 5x baseline |
| APT Response | Multiple ATT&CK techniques from same source |
| Threat Intel Alert | IOC match found in environment |
| Malware Containment | EDR/AV malware detection |
Execution History
Each playbook shows its 5 most recent executions with:
- Status: Running, Completed, Failed
- Started At: Execution timestamp
- Duration: Total execution time
- Trigger Context: What triggered the execution
- Step Results: Per-step success/failure details
Testing
Use the Test button to dry-run a playbook against a specific alert without triggering real actions. This validates trigger conditions and step logic.
Custom Playbooks
PRO and CUSTOM tier customers can create custom playbooks:
- Click Create Playbook
- Define trigger conditions
- Add steps with action types and configurations
- Enable the playbook
- Test against a sample alert
Access Requirements
Playbooks require the Respond (MDR) tier or above.
For detailed playbook descriptions, see SOAR Playbooks.