Use an out-of-the-box playbook, create a new playbook, or customize an existing one based on your organization's needs.
Configure playbook settings as relevant, including:
Name and description
Tagging
Access
Whether to associate the playbook with an incident type. This needs to be set under the → → → → tab.
Whether to run the playbook in Quiet Mode
Go to Playbooks and click the playbook that you want to edit.
If it is a content pack playbook, detach or duplicate the playbook by clicking the ellipsis icon.
If you detach the playbook and want to keep any changes, ensure that you duplicate the playbook before reattaching.
Click the settings wheel icon.
Edit the following settings as relevant.
In the BASIC section, change the name and description.
Note
You cannot change the name of a detached playbook.
Add any tags as required by either typing a new tag or selecting from the list.
Tags help you search for a particular playbook, such as Malware.
Add roles for edit access to the playbook.
If you want to disable a playbook, deselect the Enabled checkbox.
If disabled, you cannot associate it with an incident or an incident type.
In the ADVANCED section, determine whether the playbook runs in quiet mode.
When Quiet Mode is selected, playbook tasks do not display inputs and outputs and do not extract indicators.
Playbook tasks are not indexed so you cannot search on the results of specific tasks. All of the information is still available in the context data, and errors and warnings are written to the War Room.
Tip
Quiet mode is recommended for scenarios that involve a lot of information that might adversely affect performance, for example, processing indicators from threat intel feeds.
In the War Room, you can run the !getInvPlaybookMetadata command to analyze the size of playbook tasks in a specific incident Work Plan to determine whether to implement quiet mode for playbooks or tasks.
Click Save all tabs.