Example of a playbook

This example shows a phishing playbook that runs when a phishing incident is created.

The following is an example of a phishing playbook.

The prerequisites for this playbook are as follows:
  • All the tasks, script and function were created previously.
  • Object type is Incident.
  • Condition is Incident is created.
  • Incident type is equal to Phishing.

Phishing playbook

The playbook is invoked when an incident is created.

The two Investigate tasks are activated. Users enter data in the task fields and mark the task as completed. Both tasks must be completed by users before the Classify Case task is activated.

A user enters data in the Classify Case task fields and marks the task as completed, which activates the next task.

A user performs the instructions in the Block Malicious IPs and URLs task fields and marks the task as completed.

The function is invoked and sends data to a remote app, which sends email. When completed, the app returns the results, which are sent to a script and a task.

The script access the function's results and determines whether to add a SOC manager to the case.

A user performs the instructions in the Post-incident review task and marks the task as compete.

When the script completes and the task is marked as completed, the playbook ends.