Managing large playbook libraries

Managing large playbook libraries

ShakedTalShakedTal Community Team
edited January 2020 in Chronicle Best Practices

In an ideal world, every analyst in your security operations center would always be able to investigate and respond to an investigation efficiently and effectively. In the real world, of course, that is not the case. 

Most SOCs have seasoned analysts, junior analysts and everything in between. This variety of skill sets means that investigation and response to any given case can be dramatically different depending on the analyst working the case. 

Thankfully, playbooks lay out consistent and repeatable processes for a given investigation type, no matter the analyst working the case. 

We see everyday how teams of different sizes expand their playbooks knowledgebase with more use cases which creates a library that keeps growing over time.

Let’s hear some ideas on how to maintain an organized and flexible set of playbooks! What's working for you?

Share your thoughts below.


  • AntoineAntoine Siemplify Champion


    This post describes standards regarding Playbooks, Blocks and the directory structure we must respect in order to be able to contribute to the development of our Siemplify Platform.


    The goal was to find the easiest method to understand what use the playbooks or the blocks are made for, while getting as much detail as possible by looking at its name.

    The directory structure tells us at which process of development the playbook/block is.


    Example of Products with their custom Abbreviations


    ** Please refer to the specifications regarding the maximum length limitations.

    Directory Structure


Sign In or Register to comment.