Example of a playbook

The following example is a simple phishing playbook with these prerequisites.
  • The tasks, the script, and the function that the playbook uses were created beforehand.
  • Activation type is Automatic.
  • Object type is Incident.
  • Condition is Incident is created.
  • Incident type is equal to Phishing.

Phishing playbook

The playbook is started when an incident is created.

The two Investigate tasks are activated. Users enter data in the task fields and mark each task as completed. Both tasks must be completed by users before the Classify Case task is activated.

A user enters data in the Classify Case task fields and marks the task as completed, which activates the next task.

A user follows the instructions in the Block Malicious IPs and URLs task fields and marks the task as completed.

The function is started and sends data to a remote app, which sends email. When the app completes, it returns its results, which are passed to a script and to a task.

The script accesses the function's results and determines whether to add a SOC manager to the case.

A user follows the instructions in the Post-incident review task and marks the task as complete.

The playbook ends when the script completes and the task is marked as completed.
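The following is an added walk-through of the flow described above, written here as plain Python to show the gating rules (both Investigate tasks before Classify Case, the function fanning out to a script and a task, and the playbook finishing only when both are done) and the kind of decision the script makes. It is not code from the page or from the playbook product, uses no product API, and the node names, the results layout of the email function, and the escalation rule are assumptions made for the example.

```python
"""Constructed model of the phishing playbook's task gating and the
SOC-manager decision. Added example; not product code, no product API."""

# Constructed: node names from the page, edges encode the order the page
# describes. A node's list holds the nodes that must complete before it
# becomes active.
PHISHING_FLOW = {
    "Investigate (sender)": [],
    "Investigate (attachment)": [],
    "Classify Case": ["Investigate (sender)", "Investigate (attachment)"],
    "Block Malicious IPs and URLs": ["Classify Case"],
    "Notify via email (function)": ["Block Malicious IPs and URLs"],
    "Escalate to SOC manager (script)": ["Notify via email (function)"],
    "Post-incident review": ["Notify via email (function)"],
}


def playbook_activates(activation, object_type, condition, incident_type):
    """Prerequisites from the page: automatic activation when an incident
    is created and its type is Phishing."""
    return (activation == "Automatic" and object_type == "Incident"
            and condition == "created" and incident_type == "Phishing")


class PlaybookRun:
    """Tracks which nodes have completed and which are currently active."""

    def __init__(self, flow):
        self.flow = flow
        self.completed = set()

    def active(self):
        """A node is active once every predecessor is complete and it has
        not completed itself. Sorted so the result is deterministic."""
        return sorted(node for node, preds in self.flow.items()
                      if node not in self.completed
                      and all(p in self.completed for p in preds))

    def complete(self, node):
        """Mark a node complete; refuse nodes that are not active yet, which
        is what stops Classify Case from running after one Investigate."""
        if node not in self.active():
            raise ValueError(f"{node!r} is not active yet")
        self.completed.add(node)
        return self.active()

    def finished(self):
        """The playbook ends only when every node has completed."""
        return self.completed == set(self.flow)


def should_add_soc_manager(function_results, severity):
    """The script's decision, as a constructed rule: escalate when the
    email function failed, when any notification failed, or when the
    case was classified High. The results layout is an assumption."""
    if not function_results.get("success", False):
        return True, "email function reported failure"
    failed = function_results.get("content", {}).get("failed_recipients", [])
    if failed:
        return True, f"{len(failed)} notification(s) failed"
    if severity == "High":
        return True, "case classified as High severity"
    return False, "no escalation needed"


if __name__ == "__main__":
    run = PlaybookRun(PHISHING_FLOW)
    print("start:", run.active())
    run.complete("Investigate (sender)")
    print("after one Investigate:", run.active())
    run.complete("Investigate (attachment)")
    print("after both Investigate:", run.active())
    run.complete("Classify Case")
    run.complete("Block Malicious IPs and URLs")
    # Constructed result the remote email app might return.
    results = {"success": True, "content": {"failed_recipients": ["soc-lead@example.test"]}}
    print("after function:", run.complete("Notify via email (function)"))
    print("escalate:", should_add_soc_manager(results, "Medium"))
    run.complete("Escalate to SOC manager (script)")
    run.complete("Post-incident review")
    print("finished:", run.finished())
```

The gating check in `complete` is the point to notice: a task that is marked complete out of order is rejected rather than silently unblocking its successors, which is the behaviour the page describes for Classify Case.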