Viewing playbook properties

Playbooks allow you to automate workflows and reduce the time it takes to process alerts and incidents.

To view a playbook, you must have one of the following roles: Main administrator, SOC administrator, Tier 1 analyst, Tier 2 analyst, SOC manager, Approver, Auditor, Tenant administrator.

To view a playbook's properties:

1. In the main menu, go to Monitoring & reporting → Playbooks.
2. In the list of playbooks, click the name of the playbook that you want to view.

   The window that opens contains information about the playbook.

In the Playbook settings pane on the right, the following general information is displayed:

• Tenant and inheritance]. Name of the tenant to which the playbook belongs.
• Name. Name of the playbook.
• Scope. Playbook scope. Possible values: Alert or Incident.
• Operation mode. Playbook operation mode. Possible values: Auto, Training, Manual.

  If the playbook operation mode is set to Auto, the When launching several playbook instances at the same time filed is displayed. Possible values: Do not launch new playbook instances, Terminate current execution and launch a new instance, Add new playbook instances to the queue.

• Tags. Tags assigned to the playbook.
• Description. Playbook description.
• Additional settings. Optional settings specified when creating the playbook.

In the visual editor work area on the left, the playbook trigger and algorithm (playbook execution steps) are displayed.

You can edit the playbook's properties if you have one of the following roles: Main administrator, SOC administrator, Tier 1 analyst, Tier 2 analyst, Tenant administrator.

You can view the playbook response history by clicking the View response history button in the toolbar. The list of all playbooks or response actions launched within the playbook opens. You can terminate any launched playbooks or response actions by clicking the Terminate button.

If necessary, you can group and filter the data in the table as follows:

• Click the settings icon (), and then select the columns to be displayed in the table.
• Click the filter icon (), and then specify and apply the filter criterion in the invoked menu.

  When you apply the filter criterion for the Status column, the table displays the manually launched responses whose status contains the selected value and the playbooks that include response actions whose status contains the selected value. It means that only the response actions of the playbook that meet the filter criterion will be displayed.

The filtered table of playbooks is displayed.

The table contains the following columns:

• Actions. Response action name.
• Response parameters. Response action parameters that are specified in the playbook algorithm.
• Start. Date and time the playbook or response action was launched.
• End. Date and time the playbook or response action was completed.
• Alert ID or Incident ID. ID that contains a link to the alert or incident details.
• Launched by. Name of the user who launched the playbook or response action.
• Approver. Name of the user who approved the launch of the playbook or response action.

  By default, this column is hidden. To display the column, click the settings icon (), and then select the Approver column.

• Approval time. Date and time when the user confirmed or rejected the launch of the playbook or response action.

  By default, this column is hidden. To display the column, click the settings icon (), and then select the Approval time column.

• Status. Execution status of the playbook. The following values can be shown in this column:
  • Awaiting approval—Playbook awaiting approval for launch.
  • In progress—Playbook is in progress.
  • Success—Playbook is completed without errors or warnings.
  • Warning—Playbook is completed with warnings.
  • Error—Playbook is completed with errors.
  • Terminated—Playbook is completed because the user interrupted the execution.
  • Approval time expired—Playbook is completed because the approval time for the launch has expired.
  • Rejected—Playbook is completed because the user rejected the launch.

  You can click the Status value to open the window with the result of the playbook launch. The Launch ID can be used by Technical Support to download the data necessary for analysis in case of the execution errors. By default, the data is stored for 72 hours.
  If the status is In progress, you can view the Launch ID by hovering the mouse cursor over the icon next to the status.

• Assets. Number of the assets for which the playbook or response action is launched. You can click the link with the number of the assets to view the asset details. The field is empty, if the playbook or response action does not involve assets.

You can also view response history from the Response history section or from alert or incident details.

Page top