Executing a Playbook on an Incident
To execute a Playbook on an incident, take the following steps.
- From the INCIDENTS page, select an incident.
Note: You must be on the List by Time, List by Device, or List by Incident View.
- Select Execute Playbook from the Actions menu.
- From the Execute Playbook window, take the following steps.
- From the Folders column, expand any Playbook folder to view its content.
- From the Items column, select the Playbook you wish to execute and click >. The Playbook will appear in the Selections column. You may also search for Playbooks by using the Items Search... field.
If you wish to remove a Playbook from the Selections column, select the Playbook you wish to remove and click <.
- When ready to execute your Playbook, click Execute. The Playbook Execution Result window appears, showing the Result tab. This window provides a summary of the result. Clicking Details will display additional information. Click on View Output to view any information related to a specific Playbook topic (Summary, Details, a specific attribute if applicable).
- Click on the Actions tab to perform any of the following actions.
Note: All actions are optional.
- In the Update Comment field, enter any comments related to the Incident.
- Click on Add Summary to add the Summary and Details from the Result tab into the Update Comment field.
- To save the information added to the Update Comment field, click Save.
- For Resolve Incident, select one of the following resolutions: Open, True Positive, False Positive, or In Progress. When done, click Apply.
- Click on the Create Rule Exception create icon to create a rule exception.
- Click on the Remediate Incident create icon to run a remediation on the incident.
- Click on the Set Incident Severity drop-down list and select a severity level.
- Click on the Run External Integration create icon to run an external integration.
- When done, click Close.
Under Details, the Action History column provides a log of all the actions taken, including comments from the Update Comment field.