Introduction to playbooks
A general overview of how to use, edit and create playbooks in Cydarm.
Related videos
The following videos provide an overview of playbooks:
- Using playbooks
- Editing and creating playbooks
- Under the hood of playbooks
What is a playbook?
Playbooks serve as checklists so that incident response can be performed consistently. A playbook is a group of playbook actions; each action provides instructions and can be ticked off when completed.
Playbooks help guide team members through unfamiliar or less practised areas, so they can contribute more effectively because their incident response tasks are already laid out in front of them.
The Cydarm platform can be configured with some generalized playbooks provided by Cydarm. You can duplicate these, modify them, or create your own.
What is a playbook action?
A playbook action is one of the steps in a given playbook. For example, a phishing playbook will be made up of several actions, such as obtaining and analysing the email metadata, or deleting similar emails from the email server. Playbook actions can be marked as completed once they have been done.
Creating and modifying playbooks

From the Playbooks tab, you can create a new playbook, or open an existing playbook.
The playbook name and description can be edited.
Additional actions can be added, and existing actions can be edited, deleted or re-ordered.
If you add a tag to a playbook, then whenever this tag is added to a case, that playbook will be automatically added to the case.
Playbook and playbook action descriptions are written in Markdown. You can find out more about the supported Markdown features here: Markdown Syntax
Automating playbook addition to a case using tags
If a tag is added to a playbook via the playbook editor, then whenever this tag is added to a case, that playbook will be automatically added to the case. This can be great for streamlining workflows in cases where you will always want to use a particular playbook.
For example:
- In a vulnerability management workflow, use a tag to classify vulnerability advisories (such as "vulnerability") and, when this tag is added, automatically add the Vulnerability Assessment playbook.
- In a detection engineering program, associate tags with detection rules, and use these to automatically add the corresponding playbook.
See also: Configuring automatic tagging to assign tags to cases based on regular expression matches of the Case Description.
How to add or delete a playbook from a case

- On the Case View page you are working on, click on the Playbook tab located in the menu above the case thread. This tab will open up details of any playbooks that are attached to the case. If there are multiple playbooks attached, they are listed one after the other.
- To add an existing playbook to the case, click on +Add and select Playbook.
- Select the playbook to add and click Add Playbook.
❗️Note that you can add multiple playbooks to a case, or the same playbook twice.
How to add an individual playbook action to a case
- To add an existing action to the case, click on +Add and select Action.
- Select the action from the list.
❗️Once you have applied playbook actions they will appear in the comment thread on the Case View page.
How to update the status on playbook actions

- To indicate that you have completed an action, select the action and change the Step Status value from "ready" to "success".
- To view the progress of the playbook, refer to the sidebar, where you will see the proportion of the actions that have been completed or are marked as not required. The number shown in the playbook progress bar is (the number of completed actions) / (the number of actions in the playbook).
Assigning playbook actions

You can assign playbook actions to users from the Playbooks tab. You can also assign tags to the playbook action. Note that tags assigned to playbook actions are not assigned to the case.
Controlling access to playbooks
Playbooks in Cydarm can be access controlled via ACLs. This allows you to control who can view a playbook. One use case for controlling access to playbooks is to make certain playbooks available only to certain organisations.
The ACL can be set either:
1. when the playbook is initially created, or
2. when editing the playbook.
To create playbooks which are accessible to all, use the ACL "case defaults".
To restrict access to a playbook to a particular organisation, use the ACL "< organisation name > case defaults".
If you are creating playbooks for specific organisations, it is recommended that the target organisation name is embedded in the playbook name, for clarity and to avoid having two playbooks named the same. For example, EPI2 Password Spraying and ACME Password Spraying for two different Password Spraying playbooks.
If you would like to make the playbook accessible to multiple organisations, or to specific sub-groups, a new ACL will need to be created and then assigned to the playbook. For more information about ACLs, refer to the article Attribute Based Access Control (ABAC).
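The following is an added illustration, not Cydarm code and not its API: every class and function name in it is invented for the example. It models, in plain Python, the three behaviours the page describes in the tagging, progress and access-control sections: a tag added to a case auto-attaches every playbook carrying that tag (with no de-duplication, since the page notes the same playbook can be attached twice); the progress bar figure of (completed actions) / (actions in the playbook), with "not required" actions counted separately; and the visibility rule that "case defaults" is open to all while "<organisation> case defaults" is visible only to that organisation. The sample playbooks and case are constructed for the example.

```python
"""Toy model of tag-triggered playbooks, progress and ACL visibility.

Added example only; the names below are hypothetical and are not the
Cydarm API. The sample library and case at the bottom are constructed.
"""
from dataclasses import dataclass, field

# Step Status values the page mentions ("ready", "success", "not required");
# treating these as the full set is an assumption of this example.
STEP_STATUSES = {"ready", "success", "not required"}


@dataclass
class Action:
    title: str
    status: str = "ready"


@dataclass
class Playbook:
    name: str
    actions: list
    tags: set = field(default_factory=set)
    acl: str = "case defaults"  # page: "case defaults" = accessible to all


@dataclass
class Case:
    title: str
    organisation: str
    tags: set = field(default_factory=set)
    playbooks: list = field(default_factory=list)


def set_step_status(action, status):
    """Change an action's Step Status, rejecting values outside the known set."""
    if status not in STEP_STATUSES:
        raise ValueError(f"unknown step status: {status!r}")
    action.status = status
    return action.status


def attach_playbooks_for_tag(case, tag, library):
    """Add a tag to a case; every playbook carrying that tag is attached.

    Returns the names attached, in library order. No de-duplication: the page
    says the same playbook may be attached to a case twice.
    """
    case.tags.add(tag)
    added = []
    for pb in library:
        if tag in pb.tags:
            case.playbooks.append(pb)
            added.append(pb.name)
    return added


def progress(playbook):
    """Progress bar figure: completed actions / actions in the playbook."""
    total = len(playbook.actions)
    if total == 0:
        return 0.0
    completed = sum(1 for a in playbook.actions if a.status == "success")
    return completed / total


def resolved_fraction(playbook):
    """Sidebar view: proportion completed or marked not required."""
    total = len(playbook.actions)
    if total == 0:
        return 0.0
    done = sum(1 for a in playbook.actions if a.status in ("success", "not required"))
    return done / total


def visible_playbooks(library, organisation):
    """Apply the page's ACL rule: open 'case defaults', or the org's own."""
    allowed = {"case defaults", f"{organisation} case defaults"}
    return [pb.name for pb in library if pb.acl in allowed]


def build_library():
    """Constructed sample library mirroring the page's examples."""
    return [
        Playbook("Vulnerability Assessment",
                 [Action("Triage advisory"), Action("Check exposure"),
                  Action("Patch"), Action("Verify")],
                 tags={"vulnerability"}),
        Playbook("ACME Password Spraying", [Action("Review auth logs")],
                 tags={"password-spray"}, acl="ACME case defaults"),
        Playbook("EPI2 Password Spraying", [Action("Review auth logs")],
                 tags={"password-spray"}, acl="EPI2 case defaults"),
    ]


if __name__ == "__main__":
    lib = build_library()
    case = Case("Advisory review", "ACME")
    print(attach_playbooks_for_tag(case, "vulnerability", lib))
    pb = case.playbooks[0]
    set_step_status(pb.actions[0], "success")
    set_step_status(pb.actions[1], "success")
    set_step_status(pb.actions[2], "not required")
    print(progress(pb), resolved_fraction(pb))
    print(visible_playbooks(lib, "ACME"))
```

Note that the ACL check is a string comparison on the page's naming convention; in a real deployment the visibility decision is made by the platform's ABAC rules, not by playbook name, which is why the page recommends embedding the organisation name in the playbook name only for clarity.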
For more detailed technical information please refer to our Cydarm API documentation.