Automation Playbooks

Learn all about creating and managing automation playbooks.


About

Automation Playbooks minimize response time and reduce mundane manual labor by automating remediation tasks based on business and security conditions and by integrating with your organization's preferred reporting or ticketing system. For example, you can configure an integration with a ticketing system such as JIRA or ServiceNow and open remediation tickets automatically through the Vulcan Platform > Automation.

Playbook Preview

Each automation campaign (playbook) is represented by an informative card on the Automation homepage, giving you immediate access to key details.

  • Playbook Title & Description: Identify the purpose and scope of each playbook with its title and a brief description.

  • Conditions at a Glance: The first six conditions of the playbook are displayed upfront. If there are more than six, you'll see a notation like "+X conditions selected," ensuring you have a clear idea of its complexity and scope without needing to open the playbook.

  • Essential Details: The bottom of each card is reserved for crucial operational insights:

    • Playbook Title & Description: Grasp the purpose and scope of each playbook.

    • Conditions: View the first six conditions of the playbook, with a clear indication if more conditions exist, offering insight into the playbook's complexity and scope.

    • Last Triggered: Know when the playbook was last activated, with a time frame in hours or days.

    • Running On: See the schedule, whether it's set for specific days or running continuously ("All Days").

    • Vulnerability Instances: Understand the scale with the number of vulnerability instances currently managed by the playbook.

    • Remediation Action: Hover over the remediation method symbol to identify the type of remediation action configured for each playbook (e.g., Jira, email, Slack, edit risk, etc.), tailoring your overview to the actions that matter most to your operations.

    • Playbook Management: The top right of the Automation card includes a concise menu of options to manage your playbook.


Creating a New Automation (Playbook)

All automations are based on the same principles but with different settings and modifications, depending on the selected reporting tool or Remediation Action method.

To create a new Playbook:

  1. In the Vulcan Platform, go to Automation > Create new Playbook.


    Alternatively, you can select one of the Suggested playbooks and modify them to suit your needs.

  2. For the Playbook name, give your new Playbook a unique, indicative name and, optionally, a description.

  3. For Playbook conditions, use the Magic Search capabilities to add the conditions that must be met on vulnerabilities and assets for the Automation to trigger. You can also apply your saved searches as a condition. The Automation will only affect vulnerabilities and assets matching these criteria.

    • Leverage parameters and operators including AND/OR clauses and group statements. This allows for the definition of complex and targeted Playbooks tailored to specific needs.

    • View the scope of each Playbook to clearly understand which assets and vulnerabilities it targets, giving you greater insight into and control over your cybersecurity strategy.

  4. Enable/disable the option to run the Playbook on existing vulnerabilities or only on future ones.

  5. For Remediation actions, select the method through which the ticket or vulnerability remediation alert/request should open. These actions are identical to the ones you can perform manually on a vulnerability, except that they are triggered automatically when the automation conditions are met.

    Note: The Edit Risk automation has its own purpose and process that you can read and learn about here.

    Every Remediation method has its own set of capabilities and settings to configure. Once you select a method, a dedicated setting page opens.

    For example, the JIRA and ServiceNow integrations have the following set of available options for ticket separation and updating tickets with subsequent discoveries:

  6. For SLA-Exceeding, you can set up another action to be triggered once a vulnerability exceeds its SLA.

  7. When you are done, click Save and Run.


Creating Automation from Suggested Playbooks

To create a new automation from a Suggested Playbook, click one of the suggested playbooks, modify it to suit your needs, and click “Save & Run”.


Modifying a Playbook

To view or edit an existing Playbook:

  1. Go to Automation.

  2. Find your Playbook on the list and click on it.

  3. Edit as needed and then click Save and Run.


Managing a Playbook

The top right of the Automation card includes a concise menu of options to manage your playbook.

  • Actions: Access a detailed dashboard that tracks the actions performed in and through the playbook.
    Click here to learn more about monitoring Playbook Actions.

  • Pause: Temporarily pause playbook execution with a single click, offering flexibility in operation.

  • Activity Log: Dive into detailed logs of playbook activities and triggers for insightful analytics and review.

  • Duplicate: Easily copy playbooks for similar use cases or testing, streamlining the creation of new campaigns.

  • Delete: Securely remove a playbook from your campaign list, maintaining your dashboard's clarity and relevance.

Searching Playbooks

Use the search box to search for playbooks by name or description.


Support Limitations

  • You can trigger the Playbook on existing vulnerabilities or run it only on new ones.

  • Playbooks run after any configuration change and twice a day (scheduled).

  • Each Playbook is independent; it triggers based on its own conditions, regardless of any other configured playbooks that ran before it or will run after it.
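
Because playbooks are independent, two playbooks whose conditions overlap will each act on the same vulnerability instance. The following added example (not Vulcan code, and not Magic Search syntax) models nested AND/OR condition groups and the existing/future toggle locally so that overlapping scopes can be spotted before clicking Save and Run. The field names, the sample instances, and the reading of "future" as "first seen on or after the playbook's creation date" are assumptions.

```python
from datetime import datetime

# Constructed sample data; field names are hypothetical, not Vulcan's schema.
INSTANCES = [
    {"id": 1, "severity": "critical", "tag": "prod", "first_seen": datetime(2024, 1, 5)},
    {"id": 2, "severity": "high", "tag": "prod", "first_seen": datetime(2024, 3, 1)},
    {"id": 3, "severity": "critical", "tag": "dev", "first_seen": datetime(2024, 3, 2)},
    {"id": 4, "severity": "low", "tag": "dev", "first_seen": datetime(2024, 3, 3)},
    {"id": 5, "severity": "critical", "tag": "prod", "first_seen": datetime(2024, 3, 4)},
]

def matches(cond, inst):
    """Evaluate a nested condition: ("and"|"or", [conds]) or a (field, value) leaf."""
    op, arg = cond
    if op == "and":
        return all(matches(c, inst) for c in arg)
    if op == "or":
        return any(matches(c, inst) for c in arg)
    return inst.get(op) == arg  # leaf: field equals value

def scope(playbook, instances):
    """Instance ids a playbook would act on, honouring the existing/future toggle."""
    return {
        i["id"] for i in instances
        if matches(playbook["conditions"], i)
        and (playbook["run_on_existing"] or i["first_seen"] >= playbook["created"])
    }

def overlaps(playbooks, instances):
    """Map instance id -> names of all playbooks that would trigger on it (2+ only)."""
    hits = {}
    for pb in playbooks:
        for iid in scope(pb, instances):
            hits.setdefault(iid, []).append(pb["name"])
    return {iid: sorted(names) for iid, names in hits.items() if len(names) > 1}

PLAYBOOKS = [  # hypothetical playbooks: one grouped AND/OR condition, one single condition
    {"name": "prod-urgent-jira", "created": datetime(2024, 2, 1), "run_on_existing": True,
     "conditions": ("and", [("tag", "prod"),
                            ("or", [("severity", "critical"), ("severity", "high")])])},
    {"name": "all-critical-slack", "created": datetime(2024, 2, 1), "run_on_existing": False,
     "conditions": ("severity", "critical")},
]

if __name__ == "__main__":
    for pb in PLAYBOOKS:
        print(pb["name"], sorted(scope(pb, INSTANCES)))
    print("overlap:", overlaps(PLAYBOOKS, INSTANCES))
```

In this constructed data, instance 5 falls in both scopes and would receive both remediation actions, while instance 1 is skipped by the second playbook only because that playbook is limited to future vulnerabilities.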
