🛡️ GuardFoxCopilot Documentation

SOAR Playbooks

Build automated response playbooks triggered by alert conditions. 12 action types including isolate, block IP, notify, and create ticket.

Route: /soar-playbooks

How playbooks work

Overview

How SOAR Playbooks Work

A playbook is a sequence of automated actions that fires when a trigger condition is met.

Trigger types:

  • Alert severity reaches a threshold (e.g., any Critical alert)
  • Alert source matches (e.g., alerts from CrowdStrike only)
  • MITRE technique detected (e.g., T1486 - Ransomware)
  • IOC matched in watchlist

Execution:

  1. Trigger fires when a matching alert arrives
  2. Actions execute sequentially (or in parallel if configured)
  3. Each action logs its result to the playbook run history
  4. Failures do not stop subsequent actions unless configured to do so

Available action types

Block IP · Isolate Endpoint · Send Email · Send Slack · Create Ticket · Add IOC to Watchlist · Run YARA Scan · Collect Forensic Artifact · Update Alert Status · Assign Alert · Webhook (custom) · Wait / Delay

Building a playbook

How to use

Building a Playbook

  1. Go to Automation → SOAR Playbooks
  2. Click New Playbook
  3. Give it a name (e.g., "Ransomware Response")
  4. Configure the trigger:

- Severity: Critical

- Source: Any

- MITRE technique: T1486 (optional)

  1. Add actions using the + Add Action button
  2. Drag to reorder actions
  3. Toggle Enabled to activate
  4. Click Save

Example: Ransomware Response Playbook

Trigger: Severity = Critical AND technique = T1486

Actions:
1. Isolate Endpoint (endpoint from alert)
2. Add IOC to Watchlist (src IP from alert)
3. Create Ticket (priority = Critical, assign to SOC_L3)
4. Send Slack (#soc-critical)
5. Collect Forensic Artifact (type = memory_image)
6. Send Email (CISO)

Testing a playbook

Click Run Test to fire the playbook with a dummy alert payload. Check the Run History tab to confirm each action succeeded.