Managing large playbook libraries
In an ideal world, every analyst in your security operations center would always be able to investigate and respond to a case efficiently and effectively. In the real world, of course, that is not the case.
Most SOCs have seasoned analysts, junior analysts and everything in between. This variety of skill sets means that investigation and response to any given case can be dramatically different depending on the analyst working the case.
Thankfully, playbooks lay out consistent and repeatable processes for a given investigation type, no matter the analyst working the case.
We see every day how teams of different sizes expand their playbook knowledge base with more use cases, which creates a library that keeps growing over time.
Let’s hear some ideas on how to maintain an organized and flexible set of playbooks! What's working for you?
Share your thoughts below.
I would like to share our set of features for large scale customers :)
Whether you are a big enterprise with several business units or an MSSP with many customers, you will find yourself managing a large number of playbooks.
This task becomes quite challenging as time goes by and the number of playbooks grows, not to mention personnel changes. This is why we created a Playbook Lifecycle Management method, which is implemented with 3 features:
I’m here for any questions or additional info that you need to begin working with our amazing set of features :)
This post describes standards regarding Playbooks, Blocks and the directory structure we must respect in order to be able to contribute to the development of our Siemplify Platform.
The goal was to find the easiest method to understand what use the playbooks or the blocks are made for, while getting as much detail as possible just by looking at their names.
The directory structure tells us at which stage of development the playbook/block is.
Example of Products with their custom Abbreviations
** Please refer to the specifications regarding the maximum length limitations.