Managing large playbook libraries

In an ideal world, every analyst in your security operations center would always be able to investigate and respond to an investigation efficiently and effectively. In the real world, of course, that is not the case.

Most SOCs have seasoned analysts, junior analysts and everything in between. This variety of skill sets means that investigation and response to any given case can be dramatically different depending on the analyst working the case.

Thankfully, playbooks lay out consistent and repeatable processes for a given investigation type, no matter the analyst working the case. 

We see every day how teams of different sizes expand their playbook knowledge base with more use cases, which creates a library that keeps growing over time.

Let’s hear some ideas on how to maintain an organized and flexible set of playbooks! What's working for you?

Share your thoughts below.

Comments

Hi,

I would like to share our set of features for large scale customers 🙂

Whether you are a big enterprise with several business units or an MSSP with many customers, you will find yourself managing a large number of playbooks.

This task becomes quite challenging as time goes by and the number of playbooks grows, not to mention personnel changes. This is why we created a Playbook Lifecycle Management method, which is implemented with 3 features:

  1. Blocks - Use as much modularity as you can while building playbooks. Blocks allow you to create logical flows that can be nested within other playbooks. Also, when a change is required, configuring the Block propagates the change to every other playbook using it.
  2. Playbooks Dashboard - The out-of-the-box dashboards provide an overall understanding of how well your playbooks perform across your entire security operation.
  3. Monitoring Panel - Specific playbooks can be improved by monitoring their success with time-based statistics on executed actions and conditions.

I’m here for any questions or additional info that you need to begin working with our amazing set of features 🙂

Best,

Or

Antoine4

Description

This post describes standards regarding Playbooks, Blocks and the directory structure we must respect in order to be able to contribute to the development of our Siemplify Platform.

Objective

The goal was to find the easiest method to understand what the playbooks or blocks are made for, while getting as much detail as possible from their names alone.

The directory structure tells us at which stage of development the playbook/block is.

Playbooks

(image: playbook-naming-convention.png)

Example of products with their custom abbreviations:

(image: product-abbreviation.png)
Blocks

(image: block-naming-convention.png)

** Please refer to the specifications regarding the maximum length limitations.

Directory Structure

(image: directory-structure.png)
Specifications

(image: specifications-1.png)
(image: specifications-2.png)

Last update: 01-08-2020 11:18 AM