Learn about creating user-defined playbooks to improve your company's response to possible security risks.

Create user-defined playbooks from scratch to meet the specific security needs of your company, such as assessing and mitigating account configuration risks and automatically responding to Workbench alerts. Depending on the type of playbook, user-defined playbooks can be executed manually or periodically, or provide automated responses when enabled.
User-defined playbooks consist of various node types that allow you to trigger execution, define the target of the playbook, handle conditions, and carry out actions. The following table describes the user-defined playbooks on the Playbooks tab.
| Column | Description |
| --- | --- |
| Trigger | The way the playbook is triggered<br>• Manual: manually executed by clicking the icon<br>• Scheduled or manual: scheduled to execute at a set time each day, week, or month, or manually executed by clicking the Manual icon<br>• Automatic or manual (executed from Workbench): automatically or manually triggered from Workbench when an alert is triggered on highly suspicious or suspicious objects. Note: This trigger setting is only applicable to Automated Response Playbooks.<br>• Manual (executed from Workbench): manually triggered from Workbench when an alert is triggered on highly suspicious or suspicious objects. Note: This trigger setting is only applicable to Automated Response Playbooks. |
| Playbook | The name of the playbook |
| Type | The type of the playbook. Options are as follows:<br>• Account risks<br>• Risk events<br>• Vulnerability<br>• General<br>• XDR detection |
| Last modified | The date and time the playbook was last modified |
| Created by | The user that created the playbook |
| Scope | Asset visibility of the user who created the playbook<br>The playbook only applies to targets within the asset visibility of the creator's role. If the creator's user role is deleted, the playbook becomes deactivated until another user reactivates it by editing or enabling the playbook. Upon reactivation, the playbook applies to targets within the asset visibility scope of the user who reactivated it.<br>For more information on asset visibility scope, see What is Asset Visibility Management? |
| Execution count | The number of times the playbook was executed<br>Clicking the number takes you to the Execution Results of the playbook. |
| Duration | The average of the playbook execution duration |
| Status | The status of the playbook. Options are as follows:<br>• Enabled<br>• Disabled<br>• Deactivated |
| Action | The action that could be taken on the playbook |

You can currently create six types of user-defined playbooks:
Important
The availability of certain user-defined playbook types depends on your license entitlement for the associated Trend Vision One features and the required data sources. For more information, see Security playbooks requirements.