Incident Responder: Playbooks
The Incident Responder Playbook feature is used to create rules that automate the analysis and incident response to suspicious emails, which saves valuable time.
- Defining a Playbook Rule
- Condition Criteria
- Condition Types
- Actions
- Update Conditions or Settings of a Playbook Rule
- Delete a Playbook Rule
- FAQ
Defining a Playbook Rule
Field | Description
Rule Name | Name of the playbook rule (required)
Description | Detailed description of, or more information about, the playbook rule
Priority | Priority level of the playbook rule; used to decide which rule's actions apply when more than one rule matches
Tags | Tags related to the playbook rule
Active | Status of the playbook rule: active or passive (a passive rule is not applied)
Click Next to set the conditions for use.
Condition Criteria
Criterion | Description
From | Sender email address
To | Recipient email address
CC | Copied (CC) recipient email address
Sender IP | Sender IP address, given literally or as a regex pattern
Subject | Subject line of the email
Keyword | Specific words used in the email body
Attachment name | Name of the email attachment
Attachment hash | Hash (SHA512 or MD5) of the email attachment
Attachment extension | File extension of the email attachment, e.g., .pdf, .docx
Condition Types
Condition type | Matches when
contains | The criterion's value contains the specified text
does not contain | The criterion's value does not contain the specified text
is equal to | The criterion's value matches the specified text exactly
is not equal to | The criterion's value does not match the specified text exactly
exists | The criterion has a value on the reported email (no text to specify)
does not exist | The criterion has no value on the reported email (no text to specify)
Actions
Action | Description
Mark as | Mark the reported email as undetected, phishing, malicious, or simulation.
Analyze | Analyze the reported email with the defined integrations.
Analyze > Investigate according to analyze results | Start an investigation automatically based on the analysis result: if the result is phishing or malicious, an investigation is started according to the configuration.
Investigate | Launch an investigation (see the Investigations documentation).
Notify | Notify user(s) by email. The notification email template can be customized and the recipient(s) designated under Company > Company Settings > Notification Templates.
Notify According To Analysis Result | Notify user(s) by email only when the reported email's analysis result matches the selected results.
Status | Set the case status to Closed, In progress, Open, or False positive.
Tag | Tag applied to matching results in the investigations.
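To make the criteria, condition types and actions above concrete, here is an added example that is not the product's own code and not part of the original page: a small Python model of a playbook rule that runs the criteria and all six condition types over two constructed sample emails and then applies the actions of the first matching rule. The sample email field names, the priority ordering (a higher number wins, and the first matching active rule is applied), the case-insensitive text matching, the rule dictionary shape with a "notify_on" set, and the way "Notify According To Analysis Result" is approximated by the rule's own "Mark as" verdict (no integrations are called offline) are all assumptions of this model, not documented product behaviour.

```python
import hashlib
import os
import re

# Constructed sample attachment and reported emails (not real data).
SAMPLE_ATTACHMENT = b"MZ\x90\x00 constructed sample bytes, not a real executable"
SAMPLE_SHA512 = hashlib.sha512(SAMPLE_ATTACHMENT).hexdigest()

EMAILS = [
    {   # a double-extension executable dressed up as an invoice
        "from": "billing@example-invoices.test", "to": "alice@corp.test", "cc": "",
        "sender_ip": "203.0.113.77",
        "subject": "Overdue invoice - action required",
        "body": "Please open the attached invoice and confirm payment today.",
        "attachment_name": "invoice.pdf.exe", "attachment_bytes": SAMPLE_ATTACHMENT,
    },
    {   # an internal awareness-campaign message with no attachment
        "from": "it-security@corp.test", "to": "bob@corp.test", "cc": "",
        "sender_ip": "10.0.0.5",
        "subject": "Quarterly phishing awareness test",
        "body": "This message is part of a scheduled simulation.",
        "attachment_name": "", "attachment_bytes": b"",
    },
]

FIELD = {"keyword": "body"}  # page criterion names mapped onto the sample email fields


def evaluate(email, condition):
    """Evaluate one (criterion, condition type, value) triple against an email."""
    criterion, ctype, expected = condition
    expected = expected or ""
    if criterion == "attachment_hash":
        data = email.get("attachment_bytes") or b""
        # The rule value may be MD5 (32 hex chars) or SHA512 (128 hex chars);
        # hash the attachment with whichever algorithm the rule value implies.
        algo = "md5" if len(expected) == 32 else "sha512"
        actual = hashlib.new(algo, data).hexdigest() if data else ""
    elif criterion == "attachment_extension":
        # splitext keeps only the final suffix, so "invoice.pdf.exe" yields ".exe"
        actual = os.path.splitext(email.get("attachment_name", ""))[1]
    else:
        actual = email.get(FIELD.get(criterion, criterion), "")

    if ctype == "exists":
        return actual != ""
    if ctype == "does not exist":
        return actual == ""
    exact = ctype in ("is equal to", "is not equal to")
    if criterion == "sender_ip":
        # Sender IP accepts a regex; "is equal to" must match the whole address (fullmatch),
        # otherwise a pattern like 203\.0\.113 would silently match every host in 203.0.113.0/24.
        hit = bool(re.fullmatch(expected, actual) if exact else re.search(expected, actual))
    else:
        a, e = actual.lower(), expected.lower()  # assumption: text matching is case-insensitive
        hit = (a == e) if exact else (e in a)
    negated = ctype in ("does not contain", "is not equal to")
    return not hit if negated else hit


# Rules in the shape of the page's fields. Priority, "notify_on" and the first-match
# resolution in run_playbook are this model's assumptions, not the product's engine.
RULES = [
    {
        "name": "Catch-all (disabled)", "priority": 200, "active": False,
        "conditions": [("from", "exists", None)],
        "actions": {"mark_as": "undetected", "status": "Open", "notify_on": set()},
    },
    {
        "name": "Known bad attachment", "priority": 100, "active": True,
        "conditions": [("attachment_hash", "is equal to", SAMPLE_SHA512)],
        "actions": {"mark_as": "malicious", "status": "In progress",
                    "notify_on": {"malicious", "phishing"}},
    },
    {
        "name": "Executable disguised as a document", "priority": 50, "active": True,
        "conditions": [("attachment_extension", "is equal to", ".exe"),
                       ("subject", "contains", "invoice")],
        "actions": {"mark_as": "phishing", "status": "Open", "notify_on": {"phishing"}},
    },
    {
        "name": "Internal awareness campaign", "priority": 10, "active": True,
        "conditions": [("from", "is equal to", "it-security@corp.test"),
                       ("keyword", "contains", "simulation"),
                       ("attachment_name", "does not exist", None)],
        "actions": {"mark_as": "simulation", "status": "Closed", "notify_on": set()},
    },
]


def run_playbook(email, rules):
    """Apply the highest-priority active rule whose conditions all hold (None if none match)."""
    for rule in sorted(rules, key=lambda r: r["priority"], reverse=True):
        if rule["active"] and all(evaluate(email, c) for c in rule["conditions"]):
            verdict = rule["actions"]["mark_as"]
            # "Notify According To Analysis Result": the rule's own verdict stands in for
            # the integration result here, since no analyzers are called offline.
            return {"rule": rule["name"], "marked_as": verdict,
                    "status": rule["actions"]["status"],
                    "notified": verdict in rule["actions"]["notify_on"]}
    return None
```

Running `run_playbook(EMAILS[0], RULES)` picks the hash rule over the extension rule because of its higher priority even though both match, and the disabled catch-all is skipped despite being highest; the second email falls through to the awareness-campaign rule and triggers no notification. The fullmatch versus search distinction for Sender IP is the check most worth carrying over to real rules: an "is equal to" condition on an IP regex should not be satisfied by a prefix.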
Frequently Asked Questions
Q. Will deleting a playbook rule affect the results of previous investigations?
A. No. Earlier playbook results using the rule will not be affected.
Q. Will creating a new playbook rule affect the results of previous investigations?
A. No. A new playbook rule will only affect future investigations.
Q. If I edit an existing playbook rule, does it change the rules for current investigations?
A. No. There will be no changes to existing investigations. When you edit a rule, it will only affect future investigations where the rule applies.
Q. If I set playbook rules that are similar or contradictory, which one takes priority or is applied?
A. The priority assigned to each rule, together with its conditions, determines which rule's actions are taken.
Q. How can I edit or update the notification email templates used with the Notify action?
A. You can go to Company > Company Settings > Notification Templates to view and update the template library.