Editor
The Editor tab on the Playbooks page is displayed by default and shows the custom playbooks that have been created for your organization. You use this page to manage and customize playbooks used by your organization.
The table on the Editor page displays the name of the playbook, description, who authored it, the date and time the playbook was last published, and actions that can be taken. One playbook must always be assigned as the default, which is assigned to new incidents when no other playbook is assigned through an automation rule.
When you initially open the Editor page, only the Cisco Managed Incident Playbook is displayed. This playbook is currently assigned to all new incidents. The Cisco Managed Incident Playbook cannot be edited or deleted; you can only edit or delete a duplicate copy of this playbook.
The Cisco Managed Incident Playbook is based on best practice for incident response processes, as described by the SANS Institute. It aligns to the NIST 800-61r2 model format (Preparation, Detection and Analysis, Containment, Eradication, Recovery, and Post-incident) produced by SANS Cybersecurity Training Organization. Preparation and Lessons Learned (Post-incident) have been intentionally removed from this playbook. Preparation defines the tasks that should be done prior to instituting a response process. Lessons Learned is directly related to Preparation, as the activities from Lessons Learned should be implemented into preventative and protection strategies.
From the Editor page, you can perform the following tasks, each described below:
- View the tasks in a playbook
- Create a playbook
- Edit a playbook
- Duplicate a playbook
- Set the default playbook
- Delete a playbook
You can view the tasks included in each playbook from the Playbook Details page.
Perform the following steps to view the tasks in a playbook:
- Choose Administration > Playbooks in the left navigation menu.
- On the Editor page, click the playbook Name to open the Playbook Details page.
- Click View Task to expand the task and view the summary, description, automation workflow assigned to it, and the observable types the task will be related to.
- Click Collapse Task to close the task.
You can create a new playbook using the Playbook Editor. Up to 25 custom playbooks can be created per organization with one playbook always set as the default. Each phase in the playbook requires at least one task with a maximum of 12 tasks.
Note: Only users with the Administrator role are allowed to create playbooks.
Perform the following steps to create a new playbook:
- Choose Administration > Playbooks in the left navigation menu.
- On the Editor page, click Create Playbook.
- Enter a Name (required) and Description (optional) for the playbook.
  Note: If you navigate away from the form while editing, the form is automatically saved as a draft for the current browser tab only. The draft content is not available if the same session of Cisco XDR is opened in another browser tab. To restore the content, return to the form and continue with your edits, or click Undo or Use draft to remove or restore the draft content.
- Click Continue.
  The Playbook Editor page is displayed. The four phases of the response playbook are displayed as tabs in the left panel (Identification, Containment, Eradication, and Recovery). Each phase requires at least one task, with a maximum of 12 tasks.
  A placeholder task is included that you can edit, or you can add your own task.
- Click View Task on the placeholder task to expand the task and then click Edit Task. The task opens in the Task drawer.
  Alternatively, click Add Task to open the Add Task drawer.
  Note: If you navigate away from the Add Task drawer while editing, the content is automatically saved as a draft for the current browser tab only. The draft content is not available if the same session of Cisco XDR is opened in another browser tab. To restore the content, return to the Add Task drawer and continue with your edits, or click Undo or Use draft to remove or restore the draft content.
- Enter a Name and Summary for the task.
- In the Description text box, enter more information that fully describes the task, using the tools on the toolbar to format the text. Click the Preview tab to view the description as it will look when the task is published.
- Scroll to the Automate task section. Use this section to optionally include a workflow in the task. If you choose not to include a workflow, the task within the incident will include a button where the user can add a note as the response action.
- To include an automated workflow in the task, click the Include Workflow toggle and choose the automated workflow from the Workflow drop-down list.
  The Observable types the workflow is designed to run on are displayed in the lower portion of the drawer. Any of these observable types that exist in the incident are available to select for input into the response task workflow.
- Continue adding up to 12 tasks, as needed, for each response phase.
- To rearrange the tasks on the page, click the (Grabber) icon and drag the task to the desired position.
- To delete a task, click Remove.
- To view a task, click View Task to expand it; click Collapse Task to display only the task name and short description.
- When you have finished adding tasks, click Publish Playbook.
- On the Confirm Publish Playbook dialog box, click Publish.
Note: Playbook content is not updated in incidents that already have a playbook assigned to them. A new playbook can only be assigned to incidents that are created after the playbook has been published, either by setting the new playbook as the default playbook or by creating an assignment rule that assigns the playbook to a new incident when certain conditions are met.
Use the Edit feature to modify the tasks in a playbook. Each phase in the playbook can include up to 12 tasks.
Note: Only users with the Administrator role are allowed to edit playbooks.
Perform the following steps to edit a playbook:
- Choose Administration > Playbooks in the left navigation menu.
- On the Editor page, click the playbook Name to open the Playbook Details page.
- Click Edit Playbook to enable editing mode.
- To edit the playbook name or description, hover over the text, click the (Edit) icon, and enter a new name and description for the playbook.
- To edit a task, click View Task to expand the task and then click Edit Task. The task opens in the Task drawer.
  To add a new task, click Add Task to open the Add Task drawer.
  Note: If you navigate away from the Playbook Details page while editing the description or a task, the content is automatically saved as a draft for the current browser tab only. The draft content is not available if the same session of Cisco XDR is opened in another browser tab. To restore the content, return to the content and continue with your edits, or click Undo or Use draft to remove or restore the draft content.
- Enter a Name and Summary for the task.
- In the Description text box, enter more information that fully describes the task, using the tools on the toolbar to format the text. Click Preview to view the description as it will look when the task is published.
- Scroll to the Automate task section. Use this section to include a workflow in the task. If you choose not to include a workflow, the task will include a button where the user can add a note as the response action for the task.
- To include an automated workflow in the task, click the Include Workflow toggle and choose the automated workflow from the Workflow drop-down list.
  The Observable types the workflow is designed to run on are displayed in the lower portion of the drawer for reference. Any of these observable types that exist in the incident are available to select for input into the response task workflow.
- Continue editing or adding tasks (up to 12 tasks), as needed, for each response phase.
- To rearrange the tasks on the page, click the (Grabber) icon and drag the task to the desired position.
- To delete a task, click Remove.
- To view a task, click View Task to expand it; click Collapse Task to display only the task name and short description.
- When you have finished editing the playbook, click Publish Playbook.
- On the Confirm Publish Playbook dialog box, click Publish.
Note: Playbook content is not updated in incidents that already have this playbook assigned to them. Changes to a playbook only apply to new incidents that are created after the updated playbook has been published.
You can copy an existing playbook and modify the name, description, and tasks to customize it for your organization. You may want to use this option when you want to reuse some of the content in an existing playbook instead of creating a completely new playbook.
To create a duplicate copy of a playbook, click the (Ellipsis) icon in the Actions column for the playbook and choose Duplicate from the drop-down menu. A copy of the playbook is added to the Editor page with Copy appended to the playbook name.
Click the newly copied playbook name to open the Playbook Details page and customize it. See Edit a Playbook for instructions.
Note: Only users with the Administrator role are allowed to duplicate playbooks. Up to 25 custom playbooks can be created per organization with one playbook always set as the default. Each phase in the playbook can include up to 12 tasks.
There must always be one playbook specified as the default. Initially, the Cisco Managed Incident Playbook is set as the default. Whenever an incident does not match the conditions in an assignment rule, the default playbook is assigned to the incident.
To specify the default playbook, click the (Ellipsis) icon in the Actions column for the playbook and choose Set as Default from the drop-down menu. The Default chip is displayed next to the playbook name.
You can delete any custom playbook as long as it's not set as the default playbook (the Cisco Managed Incident Playbook cannot be deleted).
To delete a playbook, click the (Ellipsis) icon in the Actions column for the playbook and choose Delete from the drop-down menu. Click Delete on the confirmation dialog box.
Note: The Actions menu does not include the Delete option for the Cisco Managed Incident Playbook or the playbook that is set as the default.
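As an added example, not Cisco XDR's own code or API, the following constructed Python model captures the rules this page states for playbooks: the managed playbook is read-only and is the initial default, the default and managed playbooks cannot be deleted, each of the four phases needs 1 to 12 tasks, an organization gets at most 25 custom playbooks, duplicates get " Copy" appended, and an incident keeps the playbook content it was assigned at creation. The class and function names, and the first-matching-rule evaluation order, are assumptions.

```python
# Constructed model of the playbook rules described on this page. Illustrative
# code written for this article, not Cisco XDR's own API; names are assumptions.
import copy

PHASES = ("Identification", "Containment", "Eradication", "Recovery")
MAX_CUSTOM, MAX_TASKS = 25, 12
MANAGED = "Cisco Managed Incident Playbook"

def validate(phases):
    # Every one of the four phases needs at least one task and at most 12.
    for phase in PHASES:
        n = len(phases.get(phase, []))
        if not 1 <= n <= MAX_TASKS:
            raise ValueError(f"{phase}: {n} tasks, need 1..{MAX_TASKS}")

class PlaybookStore:
    def __init__(self):
        # playbook name -> {phase: [task names]}; only the managed one exists at first
        self.playbooks = {MANAGED: {p: ["Placeholder task"] for p in PHASES}}
        self.default = MANAGED  # the managed playbook is the initial default
        self.rules = []         # (condition, playbook name); first match wins (assumed)

    def publish(self, name, phases):
        if name == MANAGED:
            raise PermissionError("managed playbook is read-only; duplicate it")
        validate(phases)
        custom = [n for n in self.playbooks if n != MANAGED]
        if name not in custom and len(custom) >= MAX_CUSTOM:
            raise ValueError(f"limit of {MAX_CUSTOM} custom playbooks reached")
        self.playbooks[name] = copy.deepcopy(phases)

    def duplicate(self, name):
        # The copy gets " Copy" appended to its name and is then editable.
        self.publish(name + " Copy", self.playbooks[name])
        return name + " Copy"

    def delete(self, name):
        if name == MANAGED or name == self.default:
            raise PermissionError("cannot delete the managed or default playbook")
        del self.playbooks[name]

    def assign(self, incident):
        # An incident matching no rule gets the default. It receives a snapshot,
        # so later edits to the playbook do not reach incidents already assigned.
        for cond, name in self.rules:
            if cond(incident):
                return copy.deepcopy(self.playbooks[name])
        return copy.deepcopy(self.playbooks[self.default])
```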