Creating a User-Defined Playbook

Create playbooks from scratch to automate assessment and remediation actions.

This task uses the Account Configuration Risk playbook as an example to illustrate how to create user-defined playbooks.

Account Configuration Risk playbooks are created to mitigate accounts with account configuration risks, such as accounts with weak authentication, accounts that increase attack surface risk, and accounts with excessive privilege.

  1. Go to Workflow and Automation > Security Playbooks.
  2. On the Playbooks tab, choose Add > Create playbook.
  3. On the Playbook Settings panel, select the System configuration type, specify a unique name for the playbook, and click Apply.
  4. On the Trigger Settings panel, select the trigger type and click Apply.
    • Manual: Manual trigger allows you to start a playbook by clicking the Run icon.

    • Scheduled: Scheduled trigger allows you to schedule a playbook to run daily, weekly, or monthly.

  5. On the Target Settings panel, configure the target settings and click Apply.

    The target is User Accounts by default.

    You can add more than one target by using the add node on the right of the trigger node. The risk type for each target must be unique.


    To enable Security Playbooks to detect account configuration risks and perform response actions on at-risk accounts, grant permission to access your Azure AD data and Active Directory data in Executive Dashboard > Data sources.

  6. Configure the condition settings and/or action settings by configuring a condition node and/or an action node.
    1. Click the add node on the right of the target node, and click Condition or Action.
    2. Configure the condition settings and/or action settings.



      Condition settings

      • The options available for condition settings depend on the preceding target node.

      • To configure multiple sets of condition settings, click +Add. The sets are combined using a logical AND.

      Action settings

      • To configure "RESPONSE" actions, you must grant Trend Micro permission to enforce the following user access policies on supported Identity and Access Management (IAM) systems:

        • Disable User Account

        • Enable User Account

        • Force Sign Out

        • Force Password Reset


        If the Disable User Account action disables the account configured in Active Directory (on-premises) Connection Settings in Third-Party Integration, you will not be able to restore the disabled accounts. Trend Micro recommends requiring manual approval for this action.

      • To configure "NOTIFICATIONS" actions, you must create a webhook connection in the Notifications app and integrate the Trend Vision One for ServiceNow ticketing system in the Third-Party Integration app.

  7. Configure else-if conditions or else actions if necessary.
    1. Click the add node below the condition node and click Else-If Condition or Else Action.
    2. Configure a condition node or an action node by following Step 6.
    • The nodes that can be added by using an add node vary depending on the preceding node. For example, an action node can only be followed by another action node; a condition node can be followed by an action node or have an else-if condition or else action attached to it.

    • When a condition is false, the playbook performs the else action or checks if its else-if condition is met. If the else-if condition is met, the playbook continues to perform the corresponding else action.

    • Multiple action nodes configured in serial mode are performed sequentially.

  8. Enable the playbook by toggling the Enable control on.
  9. Click Save.

    The playbook appears on the Playbooks tab in the Security Playbooks app.