Executing a Playbook on an Incident

To execute a Playbook on an incident, take the following steps.

  1. From the INCIDENTS page, select an incident.

    Note: You must be on the List by Time, List by Device, or List by Incident View.

  2. Select Execute Playbook from the Actions menu.

  3. From the Execute Playbook window, take the following steps.

    1. From the Folders column, expand any Playbook folder to view its content.

    2. From the Items column, select the Playbook you wish to execute and click >. The Playbook will appear in the Selections column. You may also search for Playbooks by using the Items Search... field.

      If you wish to remove a Playbook from the Selections column, select the Playbook you wish to remove and click <.

    3. When ready to execute your Playbook, click Execute. The Playbook Execution Result window appears, open on the Result tab. This window provides a summary of the result. Clicking Details will display additional information. Click on View Output to view any information related to a specific Playbook topic (Summary, Details, a specific attribute if applicable).

    4. Click on the Actions tab to perform any of the following actions.

      Note: All actions are optional.

      1. In the Update Comment field, enter any comments related to the Incident.

      2. Click on Add Summary to add the Summary and Details from the Result tab into the Update Comment field.

      3. To save the information added to the Update Comment field, click Save.

      4. For Resolve Incident, select one of the following resolutions: Open, True Positive, False Positive, or In Progress. When done, click Apply.

      5. Click on the Create Rule Exception create icon to create a rule exception.

      6. Click on the Remediate Incident create icon to run a remediation on the incident.

      7. Click on the Set Incident Severity drop-down list and select a severity level.

      8. Click on the Run External Integration create icon to run an external integration.

    5. When done, click Close.

    Under Details, the Action History column provides a log of all the actions taken, including comments from the Update Comment field.