Creating Automated Response Playbooks

Automatically respond to important Workbench alerts, speeding up response and minimizing the impact scope, by creating Automated Response Playbooks.

Automated Response Playbooks (formerly Automated Response) allow you to automate your response to Workbench alerts by leveraging the Security Playbooks app.

When a detection model triggers an alert on "highly suspicious" or "suspicious" objects, the Automated Response Playbook can create response tasks and compile the results into a report sent to your security team.

The Automatic Investigation and Response system leverages Trend Micro Threat Intelligence powered by Trend Micro Smart Protection Network to reassess highlighted objects found in Workbench alerts, such as files, URLs, IP addresses, and domains. The analysis measures the likelihood of a false positive during the reassessment. If the likelihood of a false positive is low, the object is labeled "highly suspicious". If the likelihood of a false positive is higher, the object is labeled "suspicious". The response system executes the playbook and creates response tasks on a per-object basis. If there are multiple highlighted objects in a single Workbench alert, the response system and playbook might create individual response tasks for each object that might execute simultaneously.

Important:

You must have the XDR Threat Investigation entitlement enabled and the following required data sources configured to create Automated Response Playbooks: XDR Endpoint Sensor or XDR Email Sensor

  1. Go to Workflow and Automation > Security Playbooks.
  2. On the Playbooks tab, choose Add > Create playbook.
  3. On the Playbook Settings panel, select the XDR detection type, specify a unique name for the playbook, and click Apply.
  4. On the Trigger Settings panel, select Automatic or manual (executed from Workbench) or Manual (executed from Workbench) for the trigger type and click Apply.

    • Automatic or manual (executed from Workbench): Workbench alerts automatically trigger playbook execution. You can also manually trigger playbook execution from Workbench.

    • Manual (executed from Workbench): You need to manually trigger playbook execution from Workbench.

    For more information about how to trigger playbook execution from Workbench, see Alert View and Alerts (Incident View) in the Workbench documentation.

  5. On the Target Settings panel, select and configure the Target for the playbook and click Apply.
    1. In the Severity drop-down menu, select the severity level of Workbench alerts that require further investigation.
    2. If you want playbook actions to trigger only for Workbench alerts associated with specific detection models, select Filter by detection models.

      1. Click Select Models.

      2. Select the detection models by which to filter Workbench alerts.

        Important:

        The severity of your selected models must match the severity of the target settings, otherwise the playbook might fail to run.

        Tip:

        You can use both predefined and custom detection models to filter Workbench alerts. Click Custom Models to select custom detection models.

      3. Click Move to Selected Detection Models.

      4. Click Save.

    3. If you want to set conditions based on the risk rating of highlighted objects in the Workbench alert, select Filter by highlighted object risk.
    4. Click Apply.
  6. If you need to take actions when specific conditions are met, configure the Condition node.
    Note:

    This step is available only when you select Filter by highlighted object risk in the Target node.

    1. Click the add node () on the right of the Target node and click Condition.
    2. Create a condition setting by specifying the Parameter, Operator, and Value.

      Setting

      Description

      Parameter

      Highlighted object risk is the only parameter for this playbook.

      Operator

      • IS: The condition is triggered if any of the values is matched

      • IS NOT: The condition is triggered if none of the values is matched

      Value

      • Highly suspicious: The likelihood of a highlighted object being false positive is low

      • Suspicious: The likelihood of a highlighted object being false positive is higher

      • Unrated: Analysis result other than Highly suspicious and Suspicious
    3. Click Apply.
    4. If you need to add more than one parallel Condition node, click the add node () on the right of the Target node.
    5. If you need to configure action settings for the Condition node, add an Action node by clicking the add node () on the right.

      For details, see Step 7.

    6. If you need to configure else-if conditions or else actions, add an Else-If Condition or Else Action node by clicking the add node () under the Condition node.

      For details, see Step 9.

  7. Configure actions by adding an Action node.
    1. Click the add node () on the right of the Condition node and click Action.
    2. On the Action Settings panel, select Workbench alert and configure the automated response actions taken on the "highly suspicious", "suspicious" and/or "unrated" objects.

      For more information, see Response Actions.

      Setting

      Description

      General actions

      • Add object to block list: Adds objects to the User-Defined Suspicious Objects List

      Emails

      • None: Takes no action for email messages

      • Delete emails: Deletes target emails from detected mailboxes

      • Quarantine emails: Moves target emails to the quarantine folder

      Files

      • Collect files: Compresses the file and sends the archive to the Response Management app

      • Submit file object to sandbox: Sends the file to the Sandbox Analysis app for analysis in a virtual sandbox environment

        Note:

        This action requires allocating credits and configuring the Sandbox Analysis app.

      URLs

      • Submit URL to sandbox: Sends the URL to the Sandbox Analysis app for analysis in a virtual sandbox environment

        Note:

        This action requires allocating credits and configuring the Sandbox Analysis app.

      Endpoints

      • Isolate endpoint: Disconnects the target endpoint from the network, except for communication with the managing Trend Micro server product

      Processes
      Important:

      This is a “Pre-release” feature and is not considered an official release. Please review the Pre-release Disclaimer before using the feature.

      • Terminate processes: Terminates the "unrated" target process running on an endpoint
    3. Select whether to send a notification to request manual approval to create response actions.
      Important:

      Actions pending manual approval for over 24 hours expire and cannot be performed.

    4. If you require manual approval, configure the following settings.

      Setting

      Description

      Notification method

      • Email: Sends an email notification to specified recipients

      • Webhook: Sends a notification to specified webhook channels

      Subject prefix

      The prefix that appears at the start of the notification subject line

      Recipients

      The email addresses of recipients

      The field only appears if you select Email for Notification method.

      Webhook

      The webhook channels to receive notifications

      The field only appears if you select Webhook for Notification method.

      Tip:

      To add a webhook connection, click Create channel in the drop-down list.
    5. Click Apply.
    6. If you need to add more than one parallel action, use the add node () on the right of the Target or Condition node.
  8. Configure notification settings by adding the second Action node.
    1. Click the add node () on the right of the first Action node and click Action.
    2. On the Action Settings panel, specify how to notify recipients of the playbook results.
    3. For email and webhook notifications, configure the following settings.

      Setting

      Description

      Subject prefix

      The prefix that appears at the start of the notification subject line

      Recipients

      The email addresses of recipients

      The field only appears if you select Email for Notification method.

      Webhook

      The webhook channels to receive notifications

      The field only appears if you select Webhook for Notification method.

      Tip:

      To add a webhook connection, click Create channel in the drop-down list.
    4. For ServiceNow ticket notifications, configure the following settings.

      Setting

      Description

      Ticket profile

      The ServiceNow ticket profile to use

      Tip:

      If you need to add a ticket profile, click Create ticket profile in the drop-down list.

      Ticket profile settings

      The ticket profile settings for the playbook

      Selecting a ticket profile automatically loads the settings. Changing the settings overrides the ticket profile for the playbook.

      • Assignment group: The ServiceNow assignment group you want to assign the ticket to

      • Assigned to: The ServiceNow user you want to assign the ticket to

      • Short description: A short description of the ticket which displays in ServiceNow
    5. If you require manual approval for sending playbook results, follow Step 7.d to configure the notification settings.
      Note:

      This setting is available only to ticket notification action.

    6. Click Apply.
  9. Configure Else-If Conditions or Else Actions if necessary.
    1. Click the add node () below the condition node and click Else-If Condition or Else Action.
    2. Configure a condition node by following Step 6, or configure an action node by following Step 7 or Step 8.
    Note:

    • The nodes that can be added by using an add node () vary depending on the preceding node. For example, an Action node can only be possibly followed by another Action node; a Condition node can be followed by an Action node or have an Else-If Condition or Else Action attached to it.

    • When a condition is false, the playbook performs the Else Action or checks if its Else-If Condition is met. If the Else-If Condition is met, the playbook continues to perform the corresponding Else Action.

    • Multiple Action nodes configured in a serial mode are taken sequentially.

  10. Enable the playbook by toggling the Enable control on.
  11. Click Save.

    The playbook appears on the Playbooks tab in the Security Playbooks app.

Parent topic: User-Defined Playbooks