Automated Response Playbooks

Automatically respond to important Workbench alerts, speeding up response and minimizing the impact scope, by creating Automated Response Playbooks.

Automated Response Playbooks (formerly Automated Response) allow you to automate your response to Workbench alerts by leveraging the Security Playbooks app.

When a detection model triggers an alert on "highly suspicious" or "suspicious" objects, the Automated Response Playbook can create response tasks and compile the results into a report sent to your security team.

The Automatic Investigation and Response system leverages Trend Micro Threat Intelligence powered by Trend Micro Smart Protection Network to re-assess highlighted objects found in Workbench alerts, such as files, URLs, IP addresses, and domains. The analysis measures the likelihood of a false positive during the reassessment. If the likelihood of a false positive is low, the object is labeled "highly suspicious". If the likelihood of a false positive is higher, the object is labeled "suspicious". The response system executes the playbook and creates response tasks on a per-object basis. If a single Workbench alert contains multiple highlighted objects, the response system and playbook may create one response task per object, and those tasks may execute simultaneously.

  1. Go to Workflow and Automation > Security Playbooks.
  2. On the Playbooks tab, click Add.
  3. Select Automated Response Playbook and click Create Playbook from Template.
  4. Configure the playbook settings and click Apply.
    Note:

    You must specify a unique name for the playbook.

  5. To customize the name of the trigger node, click the settings icon.
    Note:

    Workbench alerts is the only trigger type available for Automated Response Playbooks.

  6. Specify the Severity levels of the Workbench alerts that require further investigation by configuring the condition settings node (default name: "Workbench alert").
  7. Specify whether to take automated actions on suspicious and/or highly suspicious objects by configuring the first path selection node.
    Note:

    Selecting object types determines which paths the playbook follows. Step 8 and Step 9 are the same for both highly suspicious and suspicious objects.

  8. Configure the manual approval settings in the first action node (default name: "Notify specified recipients for manual approval").
    1. (Optional) Specify a custom Name for the node.
    2. Select whether to send a notification to request manual approval before creating response actions.
      Important:

      Actions pending manual approval for over 24 hours expire and cannot be performed.

    3. If you require manual approval, configure the following settings.

      Notification method
        • Email: Sends an email notification to specified recipients
        • Webhook: Sends a notification to specified webhook channels

      Subject prefix
        The prefix that appears at the start of the notification subject line

      Expanded response task details
        Includes more detailed information in the notification. You can review what information the notification includes at the bottom of the screen.

        Important:

        Expanded response task details contain potentially personal or sensitive information about your environment. Ensure only people with appropriate permissions are included in the recipients list.

      Recipients
        The email addresses of recipients. This field only appears if you select Email for Notification method.

      Webhook
        The webhook channels to receive notifications. This field only appears if you select Webhook for Notification method.

        Tip:

        To add a webhook connection, click Create channel in the drop-down list.

  9. Configure the response actions in the next action node (default name: "Response actions").

    For more information, see Response Actions.

    Name
      The node name

    General actions
      Response actions for all object types
      • Add object to block list: Adds the object to the User-Defined Suspicious Objects List

    Mail
      Response action for email objects
      • None: Takes no action for email messages
      • Delete emails: Deletes target emails from detected mailboxes
      • Quarantine emails: Moves target emails to the quarantine folder

    Files
      Response actions for file objects
      • Collect file: Compresses the file and sends the archive to the Response Management app
      • Submit file object to sandbox: Sends the file to the Sandbox Analysis app for analysis in a virtual sandbox environment

      Note:

      This action requires allocating credits and configuring the Sandbox Analysis app.

    Endpoint
      Response action for endpoints
      • Isolate endpoint: Disconnects the target endpoint from the network, except for communication with the managing Trend Micro server product

  10. Specify how to notify recipients of the playbook results by configuring the second path selection node.
    Note:

    You can only select one path for notification of results.

  11. For email and webhook notifications, configure the action node (default name: "Notify recipients for manual approval").

    Name
      The node name

    Notification method
      • Email: Sends an email notification to specified recipients
      • Webhook: Sends a notification to specified webhook channels

    Subject prefix
      The prefix that appears at the start of the notification subject line

    Expanded response task details
      Includes more detailed information in the notification. You can review what information the notification includes at the bottom of the screen.

      Note:

      Expanded response task details contain potentially personal or sensitive information about your environment. Ensure only people with appropriate permissions are included in the recipients list.

    Recipients
      The email addresses of recipients. This field only appears if you select Email for Notification method.

    Webhook
      The webhook channels to receive notifications. This field only appears if you select Webhook for Notification method.

      Tip:

      If you need to add a webhook connection, click Create channel in the drop-down list.

  12. For ServiceNow ticket notifications, configure the two action nodes.
    1. Follow Step 8 to configure the first action node (default name: "Notify specified recipients for manual approval").
    2. Configure the next action node (default name: "Send ticket notification of results").

      Name
        The node name

      Notification method
        The action node can only send "Ticket" notifications

      Ticket profile
        The ServiceNow ticket profile to use

        Tip:

        If you need to add a ticket profile, click Create ticket profile in the drop-down list.

      Ticket profile settings
        The ticket profile settings for the playbook. Selecting a ticket profile automatically loads the settings; changing the settings overrides the ticket profile for the playbook.
        • Assignment group: The ServiceNow assignment group you want to assign the ticket to
        • Assigned to: The ServiceNow user you want to assign the ticket to
        • Short description: A short description of the ticket that displays in ServiceNow

  13. Enable the playbook by toggling the Enable control on.
  14. Click Save.

    The playbook appears on the Playbooks tab in the Security Playbooks app.
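To make the node flow above concrete (condition on alert severity, path selection by object label, manual approval that expires after 24 hours, one response task per highlighted object, and a results report), the following Python model is an added illustration written for this page. It is not Trend Micro's code and does not call the product API; the object type names ("file", "domain", "endpoint"), the severity values ("High", "Critical"), the alert ID and object values are constructed placeholders, and the allowed actions per object type are taken from the Response actions table above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Labels the re-assessment step assigns to highlighted objects (from the page)
HIGHLY_SUSPICIOUS = "highly suspicious"
SUSPICIOUS = "suspicious"

# Actions pending manual approval for over 24 hours expire (from the page)
APPROVAL_TIMEOUT = timedelta(hours=24)

# Response actions the page lists, grouped by object type. The type names
# ("file", "email", "endpoint", ...) are assumptions made for this model.
ACTIONS_BY_TYPE = {
    "file": {"Add object to block list", "Collect file", "Submit file object to sandbox"},
    "url": {"Add object to block list"},
    "ip": {"Add object to block list"},
    "domain": {"Add object to block list"},
    "email": {"Add object to block list", "Delete emails", "Quarantine emails"},
    "endpoint": {"Isolate endpoint"},
}


@dataclass
class HighlightedObject:
    obj_type: str
    value: str
    label: str  # HIGHLY_SUSPICIOUS or SUSPICIOUS


@dataclass
class Alert:
    alert_id: str
    severity: str
    objects: list


@dataclass
class PlaybookConfig:
    severities: set         # condition node (Step 6)
    act_on_labels: set      # first path selection node (Step 7)
    require_approval: bool  # first action node (Step 8)
    actions: dict           # response actions node (Step 9): obj_type -> set


@dataclass
class ResponseTask:
    alert_id: str
    obj_type: str
    value: str
    actions: list
    status: str
    created_at: datetime


def build_response_tasks(alert, config, now):
    """Trigger -> condition -> path selection -> response actions.

    Returns one task per highlighted object whose label is selected, and
    nothing at all when the alert severity does not match the condition node.
    """
    if alert.severity not in config.severities:
        return []
    tasks = []
    for obj in alert.objects:
        if obj.label not in config.act_on_labels:
            continue
        # Only actions that exist for this object type can be selected
        allowed = ACTIONS_BY_TYPE.get(obj.obj_type, set())
        actions = sorted(config.actions.get(obj.obj_type, set()) & allowed)
        if not actions:
            continue
        status = "pending approval" if config.require_approval else "approved"
        tasks.append(ResponseTask(alert.alert_id, obj.obj_type, obj.value, actions, status, now))
    return tasks


def record_approval(task, now):
    """Apply a manual approval received at `now`; approvals after 24 hours expire."""
    if task.status != "pending approval":
        return task.status
    task.status = "expired" if now - task.created_at > APPROVAL_TIMEOUT else "approved"
    return task.status


def summarize(tasks):
    """Per-status counts for the results report the playbook compiles."""
    report = {}
    for task in tasks:
        report[task.status] = report.get(task.status, 0) + 1
    return report


def run_demo():
    """Constructed alert and configuration; returns the intermediate results."""
    created = datetime(2024, 1, 1, 9, 0)
    alert = Alert("WB-PLACEHOLDER-1", "High", [  # constructed alert id and objects
        HighlightedObject("file", "file-hash-placeholder", HIGHLY_SUSPICIOUS),
        HighlightedObject("domain", "domain-placeholder.example", SUSPICIOUS),
        HighlightedObject("endpoint", "endpoint-placeholder", HIGHLY_SUSPICIOUS),
    ])
    config = PlaybookConfig(
        severities={"High", "Critical"},      # assumed severity names
        act_on_labels={HIGHLY_SUSPICIOUS},    # the "suspicious" domain takes no path
        require_approval=True,
        actions={
            "file": {"Collect file", "Add object to block list"},
            "domain": {"Add object to block list"},
            "endpoint": {"Isolate endpoint"},
        },
    )
    tasks = build_response_tasks(alert, config, created)
    # One approval arrives within the window, the other a day late
    timely = record_approval(tasks[0], created + timedelta(hours=2))
    late = record_approval(tasks[1], created + timedelta(hours=25))
    return {"tasks": tasks, "timely": timely, "late": late, "report": summarize(tasks)}


if __name__ == "__main__":
    for task in run_demo()["tasks"]:
        print(task.obj_type, task.value, task.actions, task.status)
```

The model shows two behaviours worth checking in a real deployment: a task is created per object, so one alert with three highlighted objects can fan out into several simultaneous actions, and an approval that arrives after the 24-hour window leaves the task expired rather than executing it late.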