Playbooks
Playbooks are used to guide incident response to effectively identify, contain, and eradicate the threat, and then restore systems to recover from the threat. The playbooks include a collection of tasks for all phases of incident response and the ability to document findings throughout the incident response process. Some tasks include workflows to automate part of the response tasks.
The Playbooks page displays all the custom playbooks and assignment rules that have been created for your organization. From this page, you can manage and customize incident response playbooks and the rules used to assign them to incidents.
To access the Playbooks page, choose Administration > Playbooks in the navigation menu.

When you initially open Playbooks in the navigation menu, the Playbooks tab is displayed by default. You use this tab to manage and customize playbooks used by your organization.
Initially, only the Cisco Managed Incident Playbook is displayed and is designated as the Default playbook, which is assigned to all new incidents until a new default playbook is designated or assignment rules are created that assigns a different playbook to new incidents. This playbook is also Read-only, which means you cannot modify or delete it. However, you can duplicate it to use as a template to create new playbooks.
Using Playbooks, you can view the playbook details, create a new playbook, edit a playbook, duplicate a playbook and customize it, specify which playbook is used by default, and delete a playbook (other than the Cisco Managed Incident Playbook; this playbook cannot be deleted).
The table in the Playbooks tab displays the name of the playbook, description, who authored it, the date and time the playbook was last published, and actions that can be taken. One playbook must always be assigned as the default, which is visible for all incidents when no other playbook is assigned.
Note: Once a playbook is assigned to an incident, the assignment for the incident cannot be changed, even if the playbook is edited.
See the Playbooks List topic for more information.

The Tasks tab allows you to create tasks to assign to playbooks for all phases of incident response and it may include workflows to automate part of the response tasks.
The Cisco managed tasks displayed are assigned to the Cisco Managed Incident Playbook by default. You cannot modify or delete Cisco managed tasks. However, you can duplicate them to use as a template to create new tasks.
From the Tasks tab, you can view the task details, create a new task, edit a task, duplicate a task and customize it, and delete a custom task.
See the Tasks topic for more information.

The Assignment Rules tab allows you to create rules to assign playbooks to new incidents. When an incident is created that matches the conditions of a rule, the associated playbook is assigned to the incident, causing it to be displayed on the Response page in Incidents. For example, if an incident contains certain MITRE tactics, and a rule contains these tactics as conditions, the associated playbook would be assigned to that incident. If the incident does not match any of the conditions in a rule, the default Cisco Managed Incident Playbook is assigned to the incident.
From the Assignment Rules tab, you can create, edit, reorder, enable and disable, and delete assignment rules.
See the Assignment Rules topic for more information.