SOAR Playbooks
Build automated response playbooks triggered by alert conditions. 12 action types including isolate, block IP, notify, and create ticket.
Route:
/soar-playbooksHow playbooks work
OverviewHow SOAR Playbooks Work
A playbook is a sequence of automated actions that fires when a trigger condition is met.
Trigger types:
- Alert severity reaches a threshold (e.g., any Critical alert)
- Alert source matches (e.g., alerts from CrowdStrike only)
- MITRE technique detected (e.g., T1486 - Ransomware)
- IOC matched in watchlist
Execution:
- Trigger fires when a matching alert arrives
- Actions execute sequentially (or in parallel if configured)
- Each action logs its result to the playbook run history
- Failures do not stop subsequent actions unless configured to do so
Available action types
Block IP · Isolate Endpoint · Send Email · Send Slack · Create Ticket · Add IOC to Watchlist · Run YARA Scan · Collect Forensic Artifact · Update Alert Status · Assign Alert · Webhook (custom) · Wait / Delay
Building a playbook
How to useBuilding a Playbook
- Go to Automation → SOAR Playbooks
- Click New Playbook
- Give it a name (e.g., "Ransomware Response")
- Configure the trigger:
- Severity: Critical
- Source: Any
- MITRE technique: T1486 (optional)
- Add actions using the + Add Action button
- Drag to reorder actions
- Toggle Enabled to activate
- Click Save
Example: Ransomware Response Playbook
Trigger: Severity = Critical AND technique = T1486
Actions:
1. Isolate Endpoint (endpoint from alert)
2. Add IOC to Watchlist (src IP from alert)
3. Create Ticket (priority = Critical, assign to SOC_L3)
4. Send Slack (#soc-critical)
5. Collect Forensic Artifact (type = memory_image)
6. Send Email (CISO)Testing a playbook
Click Run Test to fire the playbook with a dummy alert payload. Check the Run History tab to confirm each action succeeded.