Considerations when planning your playbook.
When defining the workflow of your playbook, consider the following:
What actions do you need to take?
What conditions do you need along the way? Are these conditions manual or automatic?
Do you need to include looping?
Are there any time-sensitive aspects to the playbook?
When is the incident considered remediated?
Review the following workflow for a phishing use case. Also, review the playbooks in the Phishing content pack to see how they work.
Detection
Identification
Analysis
Remediation
Each of these high-level processes can contain a number of sub-processes that require step-by-step actions, all of which can be automated with either customized or new playbooks.
The Default Playbook provides generic capabilities for automated incident enrichment and severity calculations that you can adjust for your needs. Watch this video for more details.