Cydarm playbook library
This article provides examples of playbooks which you can install into your Cydarm instance.
Overview
Playbooks are a great way to embed your operational processes within Cydarm.
A set of sample playbooks for you to use can be downloaded here: Cydarm playbooks
Playbook details
| Name | Description |
| --- | --- |
| Advanced Persistent Threat (P01) | An Advanced Persistent Threat (APT) is a threat group that has significant technical and operational capability, is typically well funded, and is prepared to expend significant time and effort to achieve its objectives. They will have clearly defined objectives and strategies. They could be foreign intelligence services, state-affiliated groups tasked by foreign states, or sophisticated organised crime groups. |
| High Risk, Actively Exploited Vulnerability (P02) | A playbook for when there is a high-risk vulnerability (e.g. remote, unauthenticated code execution), there is actual or imminent exploitation activity, and it is possible that the affected software or systems exist inside our environment. |
| Phishing email (P03) | Respond to credential harvesting email campaigns. |
| Public facing application exploited (P04) | This playbook is for when a public facing application has been exploited by a threat actor. |
| Vulnerability Management Assurance (P05) | Assess identified vulnerabilities and determine action in line with the organisational Vulnerability Management Policy. |
| Risk Assessment (P06) | Assess the severity of the incident, in line with Risk Management Framework principles. |
| Lessons Learnt (P07) | It is important to capture lessons learnt after an incident has concluded, and to feed these back into process and control improvements. |
| SMS Phishing (P08) | Instructions on how to respond to SMS phishing reports from users. Typically these will be targeted towards personal accounts of users, such as internet banking, toll providers or utilities. |
| Potential data breach (P09) | If an incident potentially involves the loss of, or unauthorised access to, personal information, then it must be assessed to determine whether it is an eligible data breach under the Australian Privacy Act 1988 (Cth). |
| Threat Intel Report Workflow (P10) | Process for assessing, reviewing and actioning Cyber Threat Intelligence reports. |
| Investigate suspicious inbox rule (P11) | Investigate potentially suspicious inbox rules created on user mailboxes. |
| CPS234 Cyber Security Incident Notification (P12) | The Australian Prudential Regulation Authority (APRA) regulates financial services organisations in Australia. Prudential Standard CPS 234 Section 35 sets out requirements to notify APRA in the event of a cyber security incident that meets certain criteria. |
| Investigate suspicious login alert (P14) | Investigate various suspicious login alerts generated by identity systems and applications. The objective is to determine whether it is a false positive or benign event, or a true positive security event that requires further action. |
| Compromised user account (P15) | Investigate various suspicious login alerts generated by identity systems and applications. The objective is to determine whether it is a false positive or benign event, or a true positive security event that requires further action. |
Installation instructions
- You will need the playbook editor permission group attached to your account to install playbooks on your stack.
- Download the playbooks using the link at the top of the article.
- Unzip the file.
- Log into Cydarm and go to the Playbooks tab.
- Click on the Upload Playbook or Action button.
- Go to the location where you unzipped the file, and go into the Actions directory. Select all files and click upload.
- Again, click on the Upload Playbook or Action button.
- Go to the Playbooks directory in the unzipped file contents. Select all files and click upload.
The playbooks have now been installed to your stack.
There is also a readme.txt file within the zip file which contains these instructions.
Adding individual playbooks
If you try to install the playbook library again (for example, to pick up a newly added playbook), you will receive errors because the playbooks and actions already exist. In this case, you will need to pick out just the playbooks and their actions that you want and install them separately. For example, if you wanted to install only P15 Compromised user account, you would:
- go to the Actions directory and upload all action files whose names start with P15;
- then go to the Playbooks directory and upload the playbook file P15 Compromised user account.yaml.
Troubleshooting
- If a playbook or action file already exists with the same name, you will receive an error. This might mean that you have already uploaded some of the actions or playbooks.
- If a playbook contains actions that are not present on your system, you will receive an error. Check to make sure you have uploaded all action files first.
For more detailed technical information please refer to our Cydarm API documentation.