Playbook designer and custom playbooks

A playbook designer customizes the playbook in the SOAR Platform so that it implements the group’s response plan.

The SOAR Platform provides various tools to help you design and implement your playbook. The coordinated application of all of these features make playbooks a powerful tool for accelerating the execution of methodical incident responses processes and remediation of incidents.

IBM Security® recommends the following approach when you design a playbook.
  1. Categorize your events. Use the Incident Type feature to organize your events into categories.
  2. Map your response progression. Use the Phases features.
  3. Define your manual intervention responses. Use the Tasks feature.
  4. Design the “look and feel,” including how you want to organize your data. Use the Incident Layouts, Fields, and Data Tables features.
  5. Define your decision-making process. Use the Playbook designer graphic tool, or use Rules and Workflows. Scripts can be used with either.
  6. Automate information gathering, decision making, and responses. Use Threat Services, Functions, and apps.
  7. Test your playbook. Use the Simulations feature.

The following sections take a closer look at each major feature that you use to design your playbook.

Designing incident types

Review your organization’s policies for responding to events and determine the basic categories of events.

As a simple example, you can have three categories: Malware, Intrusion, and Loss of Personal Information. You can create an incident type for each category.

You can also create subcategories by creating a parent incident type with child incident types. For example, you can have three subcategories of Loss of Personal Information, such as Executive, HR, and Other.

Organizing tasks using phases

The SOAR playbook designer can use phases to define each stage of an incident response, essentially capturing the general intent of the response action.

The phases feature logically and visually organizes tasks. For example, you can define the following phases in an incident response plan: Initial, Engage, Decision: Escalate or Mobilize, Containment, Remediate, and Complete.

Each phase has its own list of tasks. Tasks in the next phase are not shown until the phase completes. You can also define the order of the tasks in each phase so that the tasks can be acted on sequentially. When completed, the playbook moves to the next phase and assigns its list of tasks. Based on data from each task, you can choose to enable or disable future tasks automatically.

In addition to assigning tasks in a timely manner, the phases features also helps leadership and management identify the current work state of the incident.

Defining incident tasks

The SOAR playbook designer defines all of the tasks that might need to be completed by users, such as an analyst or incident responder. Tasks can be in the form of a set of instructions or advisories.

If you are using rules, a task can also take the form of an action that a responder selects. When the responder finishes the task, it can be marked and recorded as completed.

As you define the tasks, keep in mind your organization’s policies as to responding to a particular situation. Keep the tasks specific and repeatable to the incident or situation at hand.

SOAR data fields and data tables

An incident is focused on data that you capture and control, which is surrounded by related events and the business context.

You can use fields as data capture points for analysis review and to produce metrics. They specifically support SOAR features such as incident response actions, reports, list incident views, and analytics dashboards. Keep fields distinct, specific, and purposeful.

Data tables are useful for structured “master-detail” data that is observed and managed in an incident. Data can include a list of affected users with their roles and contact details, and compromised systems with their business function, network zone, office locations, and resources. They are often used with functions and apps, where the information is populated from another security program.

Depending on the app, users might be able to initiate an action in the remote security program directly from a row in the data table.

Playbooks and decision-making process

The playbook is the basis of the decision-making process. Based on the input, a playbook determines which process to implement, including which tasks to bring into the incident.

You can use one of two methods to create your playbook, Playbook designer tool or rules and workflow, which is further described in How SOAR playbooks are used.

You can use the Playbook designer graphic tool for the following purposes.
  • Set the conditions that start the playbook; for example, an incident is created.
  • Determine which tasks are assigned and at what point in the process.
  • Add Python scripts to customize incidents, retrieve information on incidents and other object types, and add objects, such as tasks notes, and a row in a data table. A script can modify or act on only the object that triggered the script’s rule or its parent object.
  • Add apps in the form of functions to process data and return the results.

Rules and workflows together provide a similar decision-making process with more flexibility. For example, you can use rules to define more advanced conditions and display an action in a designated object’s Actions list, which the user can select as needed.

Ideally, design your playbook by using Playbook designer when possible, and use rules and workflows to address use cases not supported by the Playbook designer.

Automation and external programs

External programs can be in the form of apps, plug-ins, or threat services.

You can use various apps to integrate your SOAR Platform with security applications in your environment. The apps typically provide playbook components such as functions, workflows, rules, message destinations and more. You might need to customize these components to meet your playbook requirements.

Plug-ins allow for a tighter integration than is possible with an app.

Threat services automatically provide additional information to an incident when an artifact is found. This information is found in the Artifact tab of the specific incident. When installed, threat services are enabled by the system administrator.

Various apps, plug-ins, and threat services are available for you to add to your playbook. The apps can be found in the IBM Security App Exchange. You must have an account to download these apps. The ones that you use depend on your use case and your specific security requirements.

More information on playbooks

To design and create a playbook, review the Playbook Designer Guide, which provides all the information that you need to design a playbook.

Refer to the SOAR Playbook designer for information about designing and creating playbooks.

To install apps, see the System Administrator Guide, available in System Administrator Guide. See the App Host Deployment Guide, available in SOAR Apps and App Host to create an App Host.

The IBM Security App Exchange provides a number of apps that you can download and deploy to your SOAR Platform.