Create Endpoint Response playbooks

Procedure

1. Go to Workflow and Automation → Security Playbooks.
2. On the Playbooks tab, choose Add → Create playbook.
3. On the Playbook Settings panel, select the General type, specify a unique name for the playbook, and click Apply.
4. On the Trigger Settings panel, select the trigger type and click Apply.
   • Manual: Allows you to start the playbook execution by clicking the Run icon ()
   • Scheduled: Allows you to schedule the playbook to run daily, weekly, or monthly
5. On the Target Settings panel, select and configure the Target for the playbook and click Apply.
   1. Select whether you want to execute the playbook on endpoints by Endpoint name or IP address.
   2. Specify the endpoint names or IP addresses/IP ranges of the target endpoints.
      • To execute the playbook on endpoints by Endpoint name, specify the endpoint names in the Endpoint name text box or upload a CSV file containing up to 256 endpoint names.
      • To execute the playbook on endpoints by IP address, specify the IP address or IP range in the IP address text box or upload a CSV file containing up to 256 IP addresses or IP ranges.
        A maximum of 10 IP ranges can be used. Examples of the IP range are as follows:
        • 10.1.0.*
        • 192.168.1.0/24
        • 192.168.1.10–192.168.1.20
        In CIDR notation, the prefix length should range from 16 to 32. When using the Start IP–End IP format, the first two octets (representing the network portion) must be identical for all IP addresses within the range.
   3. Specify the Operating system and Endpoint type.
6. If you need to take actions when specific conditions are met, configure the Condition node.
   1. Click the add node () on the right of the Target node and click Condition.
   2. Create a condition setting by specifying the Parameter, Operator, and Value.

      Setting	Description
      Parameter	Specify IP address, Endpoint name, Operating system, or Endpoint type as the parameter.
      Operator	IS: The condition is triggered if any of the values is matched IS NOT: The condition is triggered if none of the values is matched
      Value	Specify the parameter value.

   3. If you need to configure multiple sets of condition settings, click Add.
      The condition operator is evaluated using a logical AND.
   4. Click Apply.
   5. If you need to add more than one parallel Condition node, click the add node () on the right of the Target node.
   6. If you need to configure action settings for the Condition node, add an Action node by clicking the add node () on the right.
      For details, see Step 7.
   7. If you need to configure else-if conditions or else actions, add an Else-If Condition or Else Action node by clicking the add node () under the Condition node.
      For details, see Step 9.
7. Configure actions by adding an Action node.
   1. Click the add node () on the right of the Condition node and click Action.
   2. On the Action Settings panel, configure the response actions taken on the specified endpoints.

      Setting

      Description

      Endpoint actions

      Isolate Endpoint: Disconnects the target endpoint from the network, except for communication with the managing Trend Micro server product Scan for Malware: Scans one or more managed endpoints for file-based threats such as viruses, spyware, and grayware Important This action only runs on endpoints that have the Trend Vision One Endpoint Security agent with Standard Endpoint Protection installed. To successfully run the Scan for Malware action, the endpoint must meet the following requirements: Operating system: Windows or macOS only Minimum agent version installed: 14.0.12962 for Windows and 3.5.7812 for macOS Endpoint status: The endpoint must be a managed endpoint not on the exclusion list, and must not have an active scan task in progress. Run Remote Custom Script: Connects to a monitored endpoint and executes a previously uploaded PowerShell or Bash script file To run a custom script, complete the following steps: Select a script file type from the File type drop-down list. Upload a script file from your local by clicking Upload File. Then select your script file from the File drop-down list. For the Bash Script (.sh) file type, specify the operating system before uploading your script file. Type the parameters if your script requires an additional input.

   3. Select whether to send a notification to request manual approval to create response actions.

      Important Actions pending manual approval for over 24 hours expire and cannot be performed.

   4. If you require manual approval, configure the following settings.

      Setting	Description
      Notification method	Email: Sends an email notification to specified recipients Webhook: Sends a notification to specified webhook channels
      Subject prefix	The prefix that appears at the start of the notification subject line
      Recipients	The email addresses of recipients The field only appears if you select Email for Notification method.
      Webhook	The webhook channels to receive notifications The field only appears if you select Webhook for Notification method. Tip To add a webhook connection, click Create channel in the drop-down list.

   5. Click Apply.
   6. If you need to add more than one parallel action, use the add node () on the right of the Target or Condition node.
8. Configure notification settings by adding the second Action node.
   1. Click the add node () on the right of the first Action node and click Action.
   2. On the Action Settings panel, specify how to notify recipients of the playbook results.
   3. For email and webhook notifications, configure the following settings.

      Setting	Description
      Subject prefix	The prefix that appears at the start of the notification subject line
      Recipients	The email addresses of recipients The field only appears if you select Email for Notification method.
      Webhook	The webhook channels to receive notifications The field only appears if you select Webhook for Notification method. Tip To add a webhook connection, click Create channel in the drop-down list.

   4. For ServiceNow ticket notifications, configure the following settings.

      Setting	Description
      Ticket profile	The ServiceNow ticket profile to use Tip If you need to add a ticket profile, click Create ticket profile in the drop-down list.
      Ticket profile settings	The ticket profile settings for the playbook Selecting a ticket profile automatically loads the settings. Changing the settings overrides the ticket profile for the playbook. Assignment group: The ServiceNow assignment group you want to assign the ticket to Assigned to: The ServiceNow user you want to assign the ticket to Short description: A short description of the ticket which displays in ServiceNow

   5. If you require manual approval for sending playbook results, follow Step 4 to configure the notification settings.

      Note This setting is available only to ticket notification action.

   6. Click Apply.
9. Configure Else-If Conditions or Else Actions if necessary.
   1. Click the add node () below the Condition node and click Else-If Condition or Else Action.
   2. Configure a condition node by following Step 6, or configure an action node by following Step 7 or Step 8.

   Note The nodes that can be added by using an add node () vary depending on the preceding node. For example, an Action node can only be possibly followed by another Action node; a Condition node can be followed by an Action node or have an Else-If Condition or Else Action attached to it. When a condition is false, the playbook performs the Else Action or checks if its Else-If Condition is met. If the Else-If Condition is met, the playbook continues to perform the corresponding Else Action. Multiple Action nodes configured in a serial mode are taken sequentially.

10. Enable the playbook by toggling the Enable control on.
11. Click Save.
    The playbook appears on the Playbooks tab in the Security Playbooks app.