Playbook

The Incident Responder Playbook feature is used to create rules that automate the analysis of, and incident response to, suspicious emails, which saves valuable time.

A playbook rule runs only when the reported email matches the conditions defined in that rule.

Defining a Playbook Rule

From the sidebar on the left side of the dashboard, select Incident Responder. Select Playbook and click + NEW to create a new rule with the criteria below.

  • Rule Name*: Name of the playbook rule
  • Description: More information/detailed description of the playbook rule
  • Priority: Priority level of the playbook rule
  • Tags: Tags related to the playbook rule
  • Active: Status of the playbook rule: active or passive

The fields marked with (*) are required.

Click Next to set the conditions for use.

Condition Criteria

The following criteria can be used to match reported emails:

  • From: Sender email address
  • To: Recipient email address
  • CC: Copied recipient email address
  • Sender IP: Sender IP address or Sender IP as a Regex pattern
  • Subject: Subject line of the email
  • Keyword: Specific words used in the email body
  • Attachment name: Name of the email attachment
  • Attachment hash: Hash (SHA512 or MD5) value of the email attachment
  • Attachment extension: File extension of the email attachment, e.g., .pdf, .docx

Condition Types

Each criterion is compared using one of the following condition types:

  • contains: Contains the specified condition criterion
  • does not contain: Doesn’t contain the specified condition criterion
  • is equal to: Specified condition criterion matches exactly
  • is not equal to: Specified condition criterion does not match exactly
  • exists: Specified condition criterion exists
  • does not exist: Specified condition criterion does not exist
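
To dry-run conditions against a sample before saving a rule, the following added example (not Keepnet code) extracts the condition criteria from a constructed message and evaluates the six condition types. The sample message, the function names, case-insensitive matching and the handling of absent fields are assumptions; Sender IP is left out.

```python
import hashlib
import operator
from email import message_from_string, policy

# Constructed sample of a reported email; addresses and content are made up.
SAMPLE_EML = """\
From: billing@invoices.example
To: alice@corp.example
Subject: Overdue invoice 4471
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice and confirm payment today.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxl
--b1--
"""

def extract_fields(raw):
    """Map a raw message onto the page's condition criteria; every value is a list."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    atts = [(p.get_filename() or "", p.get_payload(decode=True) or b"")
            for p in msg.iter_attachments()]
    return {
        **{k: msg.get_all(k, []) for k in ("From", "To", "CC", "Subject")},
        "Keyword": [body.get_content()] if body else [],
        "Attachment name": [n for n, _ in atts],
        "Attachment extension": ["." + n.rsplit(".", 1)[1] for n, _ in atts if "." in n],
        "Attachment hash": [h(d).hexdigest() for _, d in atts
                            for h in (hashlib.sha512, hashlib.md5)],
    }

# Condition type -> (comparison, negated); negatives are the inverse of the positive test.
OPS = {"contains": (operator.contains, False), "does not contain": (operator.contains, True),
       "is equal to": (operator.eq, False), "is not equal to": (operator.eq, True),
       "exists": (lambda v, w: True, False), "does not exist": (lambda v, w: True, True)}

def matches(fields, criterion, ctype, value=""):
    """Assumed semantics: case-insensitive; true if any value of the field satisfies it."""
    op, negated = OPS[ctype]
    vals = [str(v).lower() for v in fields.get(criterion, [])]
    return any(op(v, value.lower()) for v in vals) != negated
```

Under these assumed semantics a negative condition on an absent field (for example, CC does not contain a value when the message has no CC) evaluates to true, which is worth checking before relying on negative conditions alone.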

Actions

The following actions can be applied when a reported e-mail meets the criteria defined in a playbook rule:

  • Mark as: Mark the reported email as undetected, phishing, malicious, or simulation.
  • Analyze: Analyze the reported email with defined integrations.
  • Analyze > Investigate according to analyze results: Start an automatic investigation based on the analysis results. If the analysis results are phishing or malicious, an investigation will be started based on the configuration.
  • Investigate: Launch an investigation.
  • Notify: User(s) are notified via email. The notification email template can be customized and the recipient(s) can be designated.
  • Notify According To Analysis Result: User(s) are notified via email when the reported email's analysis result matches the selected results.
  • Status: Case status is updated as Closed, In progress, Open, or False positive.
  • Tag: Tag used for matching results in the investigations.

Update Conditions or Settings of a Playbook Rule

To change a playbook rule, open the Incident Responder > Playbook page from the left sidebar menu of the dashboard. All existing rules are displayed. Select the rule(s) to be updated and click the pencil (edit) icon under the Action column to update the details of the rule.

Delete a Playbook Rule

To delete a playbook rule, open the Incident Responder > Playbook page from the left sidebar menu of the dashboard. All existing rules are displayed. Select the rule(s) to be deleted and remove them using the trash can icon.

FAQ

Q: Will deleting a playbook rule affect the results of previous investigations?

A: No. Earlier playbook results using the rule will not be affected.

Q: Will creating a new playbook rule affect the results of previous investigations?

A: No. A new playbook rule will only affect future investigations.

Q: If I edit an existing playbook rule, does it change the rules for current investigations?

A: No. There will be no changes to existing investigations. When you edit a rule, it will only affect future investigations where the rule applies.

Q: If I set playbook rules that are similar or contradictory, which will have priority or be valid?

A: The priority and criteria assigned when setting the rule govern the actions taken.

Q: How can I edit or update the notification email templates used with the Notify action?

A: You can go to Company > Company Settings > Notification Templates to view and update the template library.