Playbook
The Incident Responder Playbook module is used to create rules that automate the analysis of, and incident response to, suspicious emails, which saves valuable time.
A playbook rule is applied only if the reported email matches the conditions defined in that rule.

Defining a Playbook Rule

From the sidebar on the left side of the dashboard, select Incident Responder. Select Playbook and click + NEW to create a new rule with the criteria below.
Rule Name*: Name of the playbook rule
Description: More information/detailed description of the playbook rule
Priority: Priority level of the playbook rule
Tags: Tags related to the playbook rule
Active: Status of the playbook rule: active or passive
Domain Selection: Authorized domain(s) to start investigations on
Test Connection: Perform a test of the configuration
The fields marked with (*) are required.
Click Next to set the conditions for use.

Condition Criteria

The following parameters can be used to define which reported emails a rule applies to:
From: Sender email address
To: Recipient email address
CC: Copied recipient email address
Sender IP: Sender IP address
Subject: Subject line of the email
Keyword: Specific words used in the email body
Attachment name: Name of the email attachment
Attachment hash: Hash (SHA512 or MD5) value of the email attachment
Attachment extension: File extension of the email attachment, e.g., .pdf, .docx

Condition Types

The conditions can be defined using the following parameters:
contains: Contains the specified condition criterion
does not contain: Does not contain the specified condition criterion
is equal to: Matches the specified condition criterion exactly
is not equal to: Does not match the specified condition criterion exactly
exists: The specified condition criterion exists
does not exist: The specified condition criterion does not exist

Actions

The following actions can be applied when a reported e-mail meets the criteria defined in a playbook rule:
Mark as: Mark the reported email as undetected, phishing, malicious, or simulation.
Analyze: Analyze the reported email with defined integrations.
Investigate: Launch an investigation. Learn more about investigations here.
Notify: User(s) are notified via email. The notification email template can be customized and the recipient(s) can be designated here.
Status: Case status is updated as Closed, In progress, Open, or False positive.
Tag: Tag used for matching results in the investigations.

Update Conditions or Settings of a Playbook Rule

To change a playbook rule, open the Incident Responder > Playbook page from the left sidebar menu of the dashboard. All of the existing rules will be displayed. Select the rule(s) to be updated and click the pencil (edit) icon under the Action column to update the details of a playbook rule.

Delete a Playbook Rule

To delete a playbook rule, open the Incident Responder > Playbook page from the left sidebar menu of the dashboard. All of the existing rules will be displayed. Select the rule(s) to be deleted and remove them using the trash can icon.

FAQ

Q: Will deleting a playbook rule affect the results of previous investigations?

A: No. Earlier playbook results using the rule will not be affected.

Q: Will creating a new playbook rule affect the results of previous investigations?

A: No. A new playbook rule will only affect future investigations.

Q: If I edit an existing playbook rule, does it change the rules for current investigations?

A: No. There will be no changes to existing investigations. When you edit a rule, it will only affect future investigations where the rule applies.

Q: If I set playbook rules that are similar or contradictory, which will have priority or be valid?

A: The priority and criteria assigned when setting the rule govern the actions taken.

Q: How can I edit or update the notification email templates used with the Notify action?

A: You can go to Company > Company Settings > Notification Templates to view and update the template library. You can find additional information here.