Playbooks
Playbooks are used to guide incident response to effectively identify, contain, and eradicate the threat, and then restore systems to recover from the threat. The playbooks include a collection of tasks for all phases of incident response and the ability to document findings throughout the incident response process. Some tasks include workflows that automate part of the response.
The Playbooks page displays all the custom playbooks and assignment rules that have been created for your organization. From this page, you can manage and customize incident response playbooks and the rules used to assign them to incidents.
To access the Playbooks page, choose Administration > Playbooks in the navigation menu.
When you initially open Playbooks in the navigation menu, the Editor tab is displayed by default. You use this page to manage and customize playbooks used by your organization.
Initially, only the Cisco Managed Incident Playbook is displayed. It is designated as the Default playbook and is assigned to all new incidents until a new default playbook is designated or assignment rules are created that assign a different playbook to new incidents. This playbook is also Read-only, which means you cannot modify or delete it. However, you can duplicate it to use as a template to create new playbooks.
Using the playbook Editor, you can view the playbook details, create a new playbook, edit a playbook, duplicate a playbook and customize it, specify which playbook is used by default, and delete a playbook (other than the Cisco Managed Incident Playbook; this playbook cannot be deleted).
The table on the Editor page displays the name of the playbook, description, who authored it, the date and time the playbook was last published, and actions that can be taken. One playbook must always be assigned as the default, which is visible for all incidents when no other playbook is assigned.
Note: Once a playbook is assigned to an incident, the assignment for the incident cannot be changed, even if the playbook is edited.
See the Playbook Editor topic for more information.
The Assignment Rules feature allows you to create rules to assign playbooks to new incidents. When an incident is created that matches the conditions of a rule, the associated playbook is assigned to the incident, causing it to be displayed on the Response page in Incidents. For example, if an incident contains certain MITRE tactics, and a rule contains these tactics as conditions, the associated playbook would be assigned to that incident. If the incident does not match any of the conditions in a rule, the default Cisco Managed Incident Playbook is assigned to the incident.
From the Assignment Rules page, you can create, edit, reorder, enable and disable, and delete assignment rules.
See the Playbook Assignment Rules topic for more information.
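A dry-run model of the assignment behaviour described above, added here as an illustration; it is not Cisco's code or rule format. It assumes rules are evaluated in their listed order with the first enabled match winning, and that a rule matches when the incident contains all of the rule's MITRE tactics. The Rule class, the function names and the sample rules are constructed for the example.

```python
from dataclasses import dataclass

DEFAULT_PLAYBOOK = "Cisco Managed Incident Playbook"

@dataclass(frozen=True)
class Rule:                      # hypothetical model, not the product's schema
    name: str
    tactics: frozenset           # MITRE tactics used as the rule's conditions
    playbook: str
    enabled: bool = True

def assign(rules, incident_tactics, default=DEFAULT_PLAYBOOK):
    """Return the playbook for an incident: the first enabled rule whose tactics
    are all present in the incident (assumed semantics), else the default."""
    present = frozenset(incident_tactics)
    for rule in rules:
        if rule.enabled and rule.tactics <= present:
            return rule.playbook
    return default

def shadowed(rules):
    """Return (rule, blocker) name pairs where an earlier enabled rule matches
    every incident the later rule would match, so the later rule never fires."""
    pairs = []
    active = [r for r in rules if r.enabled]
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if earlier.tactics <= later.tactics:
                pairs.append((later.name, earlier.name))
                break
    return pairs

# Constructed sample rules, in evaluation order.
RULES = [
    Rule("any-exfil", frozenset({"Exfiltration"}), "Data Loss Playbook"),
    Rule("ransomware", frozenset({"Impact", "Exfiltration"}), "Ransomware Playbook"),
    Rule("phishing", frozenset({"Initial Access"}), "Phishing Playbook", enabled=False),
]

if __name__ == "__main__":
    for tactics in (["Impact", "Exfiltration"], ["Initial Access"], ["Discovery"]):
        print(tactics, "->", assign(RULES, tactics))
    print("shadowed:", shadowed(RULES))
```

Because a playbook assignment cannot be changed once made, checking a reordered rule list against representative incidents before enabling it shows which playbook each incident would receive.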