Playbooks store and manage standard procedures, together with the documentation of those procedures. A playbook can cover any recurring incident type, for example malware, phishing, or other processes such as unapproved software installations.
For many types of security incidents, there are standard and consistent steps that must be taken by security analysts. For example, if a user’s account is suspected to be compromised, a Suspected Account Compromise playbook may contain the following steps:
- Locking down the account.
- Contacting the affected user.
- Contacting the affected user's supervisor.
- Investigating whether that user name is associated with any other suspicious activity.
An analyst would open a case and import the Suspected Account Compromise playbook to auto-populate the steps listed above. The analyst could then optionally assign these steps to collaborators and track progress. This approach helps ensure that a consistent procedure is followed regardless of who is running the case.
You can download playbooks designed by the LogRhythm Threat Research Team by going to the LogRhythm Community and clicking the Shareables link on the menu at the top of the page.
You can also manage playbooks through the REST API. For more information, go to https://<hostname>:8501/lr-case-api/docs#tag/playbooks.
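The following is an added example, not LogRhythm's own code, that scripts the Suspected Account Compromise workflow described above through the Case API: look up the playbook by name, open a case for the affected account, attach the playbook so its steps are populated, and read the resulting procedures back. The endpoint paths, JSON field names, bearer-token header and port 8501 base URL are assumptions about the API's shape and must be checked against the `/lr-case-api/docs` page of your own deployment; `FakeCaseApi` is a constructed in-memory stand-in for the server so the script runs offline.

```python
"""Open a case and import a playbook through the LogRhythm Case API.

Added example, not LogRhythm code. Endpoint paths, field names and the
Authorization header are ASSUMPTIONS; confirm them against
https://<hostname>:8501/lr-case-api/docs#tag/playbooks before use.
"""
import json
import ssl
import urllib.parse
import urllib.request


class CaseApiClient:
    """Thin client for lr-case-api. `send(method, path, body) -> dict|list`
    can be injected so tests run without a live server."""

    def __init__(self, base_url, token, send=None, cafile=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self._send = send or self._https_send
        # Keep certificate verification on: pass the deployment's CA bundle via
        # cafile instead of disabling checks for a self-signed appliance cert.
        self._ctx = ssl.create_default_context(cafile=cafile)

    def _https_send(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            self.base_url + path, data=data, method=method,
            headers={"Authorization": "Bearer " + self.token,  # assumed auth scheme
                     "Content-Type": "application/json",
                     "Accept": "application/json"})
        with urllib.request.urlopen(req, context=self._ctx, timeout=30) as resp:
            return json.loads(resp.read().decode())

    def find_playbook(self, name):
        """Return the playbook whose name matches exactly, or None (assumed GET path)."""
        path = "/lr-case-api/playbooks?name=" + urllib.parse.quote(name)
        for pb in self._send("GET", path):
            if pb.get("name") == name:
                return pb
        return None

    def create_case(self, name, priority, summary):
        return self._send("POST", "/lr-case-api/cases",
                          {"name": name, "priority": priority, "summary": summary})

    def attach_playbook(self, case_id, playbook_id):
        return self._send("POST", f"/lr-case-api/cases/{case_id}/playbooks",
                          {"id": playbook_id})

    def list_procedures(self, case_id, playbook_id):
        return self._send(
            "GET", f"/lr-case-api/cases/{case_id}/playbooks/{playbook_id}/procedures")


def open_account_compromise_case(client, username,
                                 playbook_name="Suspected Account Compromise"):
    """Open a case for `username`, import the playbook so its steps are
    auto-populated, and return (case_id, [procedure names])."""
    playbook = client.find_playbook(playbook_name)
    if playbook is None:
        # Fail loudly: silently opening a case without the playbook would let
        # the analyst skip the standard procedure.
        raise LookupError(f"playbook {playbook_name!r} not found")
    case = client.create_case(
        name=f"Suspected account compromise: {username}",
        priority=2,
        summary=f"Account {username} flagged for suspicious activity")
    client.attach_playbook(case["id"], playbook["id"])
    procs = client.list_procedures(case["id"], playbook["id"])
    return case["id"], [p["name"] for p in procs]


class FakeCaseApi:
    """Constructed offline stand-in for the server; not a real LogRhythm response."""
    PLAYBOOK = {"id": "pb-1", "name": "Suspected Account Compromise",
                "procedures": [{"name": "Lock down the account"},
                               {"name": "Contact the affected user"},
                               {"name": "Contact the user's supervisor"},
                               {"name": "Investigate other suspicious activity"}]}

    def __init__(self):
        self.cases, self.attached = {}, {}

    def __call__(self, method, path, body=None):
        if method == "GET" and path.startswith("/lr-case-api/playbooks?"):
            return [self.PLAYBOOK]
        if method == "POST" and path == "/lr-case-api/cases":
            cid = f"case-{len(self.cases) + 1}"
            self.cases[cid] = dict(body, id=cid)
            return self.cases[cid]
        if method == "POST" and path.endswith("/playbooks"):
            self.attached.setdefault(path.split("/")[3], []).append(body["id"])
            return self.PLAYBOOK
        if method == "GET" and path.endswith("/procedures"):
            return self.PLAYBOOK["procedures"]
        raise ValueError(f"unexpected {method} {path}")


if __name__ == "__main__":
    client = CaseApiClient("https://lr.example.internal:8501", "token", send=FakeCaseApi())
    print(open_account_compromise_case(client, "jdoe"))
```

To run against a real deployment, drop the `send=` argument, supply the API token as `token`, and point `cafile` at the certificate authority that issued the appliance certificate; the `FakeCaseApi` class is only there so the workflow can be exercised without a server.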