Managing large playbook libraries

ShakedTal

In an ideal world, every analyst in your security operations center would always be able to investigate and respond to an investigation efficiently and effectively. In the real world, of course, that is not the case. 

Most SOCs have seasoned analysts, junior analysts and everything in between. This variety of skill sets means that investigation and response to any given case can be dramatically different depending on the analyst working the case. 

Thankfully, playbooks lay out consistent and repeatable processes for a given investigation type, no matter the analyst working the case. 

We see everyday how teams of different sizes expand their playbooks knowledgebase with more use cases which creates a library that keeps growing over time.

Let’s hear some ideas on how to maintain an organized and flexible set of playbooks! What's working for you?

Share your thoughts below.

Or Suesskind

Hi, 

I would like to share our set of features for large scale customers :)

Whether you are a big enterprise with several business units or an MSSP with many customers, you will find yourself managing a large number of playbooks. 

This task becomes quite challenging as time goes by and the number of playbooks grows, not to mention personnel changes. This is why we created a Playbook Lifecycle Management method, which is implemented with 3 features:

1. Blocks - Use as much modularity as you can while building playbooks. The Blocks allow you to create logical flows that can be nested within other playbooks. Also, when a change is required - configuring the Block will propagate the change into every other playbook using it.
2. Playbooks Dashboard - The out-of-the-box dashboards can provide an overall understanding of how well your playbooks perform across the entire security operations.
3. Monitoring Panel - Specific playbooks can be improved by monitoring their success with time based statistics on executed actions and conditions.

I’m here for any questions or additional info that you need to begin working with our amazing set of features :)

Best,

Or

Antoine

Description

This post describes standards regarding Playbooks, Blocks and the directory structure we must respect in order to be able to contribute to the development of our Siemplify Platform.

Objective

The goal was to find the easiest method to understand what use the playbooks or the blocks are made for, while getting as much detail as possible by looking at its name.

The directory structure tells us at which process of development the playbook/block is.

Playbooks

Example of Products with their custom Abbreviations

Blocks

** Please refer to the specifications regarding the maximum length limitations.

Directory Structure

Specifications