Configure the response with the Playbook

Overview

A playbook in the context of Sharelock Identity Security Platform is a predefined set of procedures or strategies designed to respond to various types of cybersecurity threats. The platform employs a playbook-based model, which enables precise calibration of responses to threats, with the goal of minimizing the impact on the organization while ensuring its security.

Create new Playbook

Select the "Settings" option from the main menu, located at the top right corner.

Click on the "Playbook" card in the configuration group named "Behavioral Engine Management."

To add a new Playbook, click the "New Playbook +" button. In the Playbook details, fill in the mandatory fields:

  • Name: the name of the Playbook to create.
  • Attack: click on the field and select one of the possible attacks from the MITRE catalog to identify the attack category to remediate.
  • Destination: enable the checkbox if you want to send a notification to an external system.

Now proceed to add one or more Items, each designed to address one or more severity levels with a corresponding action. To accomplish this:

Click on the "Action Required" entry located at the top left corner, and choose the action to execute when the corresponding severity stages are reached, from the following options:

  • Informative item: a general-purpose description associated with the alert.
  • Email notification: send an email notification to the recipients of the alert. You need to choose a pre-made template for the message. It requires having a Mail Server set up.
  • Rest API: execute a REST route call. It requires having an external service set up to provide the action.
  • Slack Notification: send a Slack notification. You need to choose a pre-made template for the message. It requires having a Slack Server set up.
  • Jira Ticket: create and send a Jira ticket. You need to choose a pre-made template for the message. It requires having a Jira Server set up.
  • Lock Account: invoke the lock account service through a webhook endpoint. It requires having an external service set up to provide the action.
  • Lock User: invoke the lock user service through a webhook endpoint. It requires having an external service set up to provide the action.

Please select one or more stages (in any combination) to associate with the chosen action. This action will be triggered when all the designated stages are reached.

To define a stage, click on the "+ Add Stage" icon (current number of stages/total number of stages). Drag an IoB from the right column to the corresponding assignment area, named “Drop Indicators here”. Then, the IoB will appear assigned to the Threat stage.

Repeat the operation for any desired number of IoBs. Each associated IoB has a sensitivity threshold; the anomaly is notified once that threshold is exceeded.

To set the notification only for the most critical cases, select the "Critical Only" toggle.

The stages of a Threat are freely selectable and can be arranged in any combination. The only requirement is to adhere to their progressive severity.

You can exclude a stage from the Threat chain by clicking the "Skip Stage" option at the top right corner. In this case, the skipped stage will not contribute to the generation of the corresponding Threat.

To complete the creation of a Threat, it is necessary to establish one or more stages (up to a maximum of 6 in total) and press the "Save" button at the bottom of the view.
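As an added illustration (not Sharelock's code), the following Python model encodes the rules above: stages in progressive severity, at most 6 per Threat, skipped stages excluded, and an Item's action firing only when every stage it is bound to has been reached. That a stage counts as reached when any one of its IoBs exceeds its threshold is my assumption; the IoB names and scores are constructed sample data.

```python
from dataclasses import dataclass, field

MAX_STAGES = 6  # a Threat holds at most 6 stages (stated on the page)

@dataclass
class IoB:  # Indicator of Behaviour with its sensitivity threshold
    name: str
    threshold: float    # notified once the observed score exceeds this limit
    score: float = 0.0  # observed anomaly score (constructed sample data)

@dataclass
class Stage:
    severity: int          # stages must follow progressive (strictly increasing) severity
    iobs: list = field(default_factory=list)
    skipped: bool = False  # "Skip Stage": the stage does not contribute to the Threat

    def reached(self) -> bool:
        # ASSUMPTION: a stage is reached when any of its IoBs exceeds its threshold
        return any(i.score > i.threshold for i in self.iobs)

@dataclass
class Item:
    action: str
    stages: set  # severities the action is bound to; it fires only when ALL are reached

def validate_threat(stages):
    """Return the contributing stages, enforcing the structural rules from the page."""
    active = [s for s in stages if not s.skipped]
    if not 1 <= len(active) <= MAX_STAGES:
        raise ValueError(f"a Threat needs 1..{MAX_STAGES} stages, got {len(active)}")
    sev = [s.severity for s in active]
    if sev != sorted(set(sev)):
        raise ValueError("stages must be ordered by strictly increasing severity")
    return active

def triggered_actions(stages, items):
    """Actions whose designated stages have all been reached by the current Threat."""
    reached = {s.severity for s in validate_threat(stages) if s.reached()}
    return [it.action for it in items if it.stages <= reached]

# Constructed sample: three stages and three Items bound to different stage sets.
SAMPLE_STAGES = [
    Stage(1, [IoB("login at unusual hour", 0.6, score=0.8)]),
    Stage(2, [IoB("new device", 0.7, score=0.4), IoB("impossible travel", 0.5, score=0.9)]),
    Stage(3, [IoB("mass download", 0.8, score=0.3)]),
]
SAMPLE_ITEMS = [
    Item("Slack Notification", {1}),
    Item("Email notification", {1, 2}),
    Item("Lock Account", {2, 3}),  # stage 3 not reached, so the lock is not invoked
]
```

Calling `triggered_actions(SAMPLE_STAGES, SAMPLE_ITEMS)` returns the Slack and email actions only, since the lock is bound to stage 3, which has not been reached.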