Describe the feature:
Within a case there should be a way for admins to preconfigure playbooks as a set of tasks to be completed for a type of investigation. Any analyst can then select and run a 'playbook' on a case. The playbook will add Markdown-formatted comments with handling instructions as well as create multiple tasks within the case detailing what needs to be completed. If cases have actions available, such as isolating a host or sending messages to Slack or PagerDuty connectors, those should be available as well.
Describe a specific use case for the feature:
The SOC team leads create playbooks for the different types of cases that are handled, in order to standardize response actions between analysts. When the playbook is run, it uses the template to create multiple named tasks in the case; each task contains instructions for completion and can be assigned to an individual.
The playbook can use preconfigured External Connectors such as email, Slack, PagerDuty, or webhook to send out notifications containing information from the case.
If an Elastic Endpoint agent has been associated with the case, the playbook could isolate or release the host, assign it to a new policy, or take other Fleet actions.
The playbook could also include creation of timelines using timeline templates and data from the case and then attaching those timelines to the case.
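The following is an added sketch of the proposed flow, not Kibana code or anything from this issue: a playbook template is expanded against one case into a Markdown comment, named tasks with assignees, and notifications, and notifications are only allowed through connectors an admin has preconfigured. The `Case`, `Playbook`, `PlaybookTask`, `run_playbook` names and all sample values are hypothetical.

```python
from dataclasses import dataclass, field
from string import Template
from typing import List, Optional, Tuple

@dataclass
class Case:
    case_id: str
    title: str
    severity: str
    host: Optional[str] = None  # endpoint associated with the case, if any

@dataclass
class PlaybookTask:
    name: str
    instructions: str  # Markdown instructions; $field placeholders allowed
    assignee: Optional[str] = None

@dataclass
class Playbook:
    name: str
    comment: str  # Markdown comment template added to the case
    tasks: List[PlaybookTask]
    notifications: List[Tuple[str, str]] = field(default_factory=list)  # (connector, message)

def run_playbook(playbook: Playbook, case: Case, preconfigured_connectors: set):
    """Expand a playbook against one case; returns (comment, tasks, notifications).
    Only admin-preconfigured connectors may be used, so a playbook cannot route
    case data to an arbitrary destination; an unknown connector aborts the run.
    """
    fields = {"case_id": case.case_id, "title": case.title,
              "severity": case.severity, "host": case.host or "n/a"}
    notifications = []
    for connector, message in playbook.notifications:
        if connector not in preconfigured_connectors:
            raise ValueError(f"connector {connector!r} is not preconfigured")
        notifications.append((connector, Template(message).safe_substitute(fields)))
    comment = Template(playbook.comment).safe_substitute(fields)
    tasks = [{"name": t.name, "assignee": t.assignee,
              "instructions": Template(t.instructions).safe_substitute(fields)}
             for t in playbook.tasks]
    return comment, tasks, notifications

PHISHING = Playbook(  # constructed sample playbook, hypothetical values (not from the issue)
    name="phishing-triage",
    comment="## Phishing triage for $case_id\nSeverity: **$severity**. Work the tasks below.",
    tasks=[PlaybookTask("Collect headers", "Export the reported mail's headers into $case_id.", "tier1"),
           PlaybookTask("Check host", "Review recent alerts for `$host`.", "tier2")],
    notifications=[("slack-soc", "Playbook started on $case_id ($severity)")],
)
CASE = Case("case-42", "Reported phishing mail", "high", host="ws-017")  # constructed sample case
```

Running `run_playbook(PHISHING, CASE, {"slack-soc"})` yields the rendered comment, two tasks with their assignees, and one Slack notification; running it with a connector set that lacks `slack-soc` raises before anything is sent.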
Some example playbooks that we currently use: