Built-in Playbooks
Ready-to-use playbooks included with Triage Warden.
Email Security
phishing_triage
Comprehensive phishing email analysis.
Triggers: incident_type: phishing
Steps:
- Parse email headers and body
- Check SPF/DKIM/DMARC authentication
- Look up sender reputation
- Analyze URLs against threat intel
- Check attachment hashes
- AI analysis and verdict
- Auto-quarantine if the verdict is malicious and confidence exceeds quarantine_threshold (default 0.8)
Usage:
```shell
tw-cli playbook run phishing_triage --incident INC-2024-001
```
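The steps above, as an added worked example that is not Triage Warden's own code: it parses a raw RFC 5322 message, reads the SPF/DKIM/DMARC results from the Authentication-Results header, extracts and scores URLs, hashes attachments against a feed, combines the signals into a confidence, and gates the quarantine action on a configurable threshold exactly the way quarantine_threshold does. The sample messages, the signal weights, the hash feed and all domains (reserved .invalid) are constructed for the example.

```python
"""Phishing triage over a raw RFC 5322 message (added example, not Triage Warden code)."""
import hashlib
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real incidents); domains use the reserved .invalid TLD.
PHISH_EMAIL = """\
Return-Path: <billing@examp1e-corp.invalid>
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=examp1e-corp.invalid;
 dkim=none;
 dmarc=fail header.from=example-corp.invalid
From: "Example Corp Billing" <billing@example-corp.invalid>
Subject: Invoice overdue - action required
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Pay now at http://198.51.100.23/pay or https://example-corp.invalid.login-verify.invalid/x
--B
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--B--
"""
CLEAN_EMAIL = """\
Return-Path: <billing@example-corp.invalid>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-corp.invalid; dkim=pass header.d=example-corp.invalid; dmarc=pass header.from=example-corp.invalid
From: "Example Corp Billing" <billing@example-corp.invalid>
Subject: March invoice
Content-Type: text/plain

Your March invoice is available at https://portal.example-corp.invalid/invoices
"""
# Constructed hash feed, seeded with the sample attachment's SHA-256 (the 12-byte MZ
# header prefix it decodes to) so the threat-intel lookup runs offline.
BAD_SHA256 = {hashlib.sha256(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00").hexdigest()}
EXEC_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso")
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_WEIGHTS = {"spf": 0.2, "dkim": 0.15, "dmarc": 0.3}  # assumed weights


def domain_of(header):
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()


def url_signals(urls, from_dom):
    """Flag bare-IP hosts and hosts that embed the sender's domain as a decoy prefix."""
    out = []
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        if IPV4_HOST.match(host):
            out.append(("url_ip_host", 0.2))
        elif from_dom and from_dom in host and not (
                host == from_dom or host.endswith("." + from_dom)):
            out.append(("url_deceptive_subdomain", 0.2))
    return out


def triage(raw, quarantine_threshold=0.8, bad_hashes=BAD_SHA256):
    """Return verdict, confidence, recommended action and the signals behind them."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From"))
    signals = []

    # Authentication: anything other than an explicit pass (including a missing
    # header) is a weighted signal; a Return-Path domain differing from From is another.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))))
    for mech, w in AUTH_WEIGHTS.items():
        result = auth.get(mech, "missing").lower()
        if result != "pass":
            signals.append((f"{mech}_{result}", w))
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and from_dom and rp_dom != from_dom:
        signals.append(("envelope_from_mismatch", 0.15))

    # URLs from every text/plain part.
    text = "".join(p.get_content() for p in msg.walk() if p.get_content_type() == "text/plain")
    signals += url_signals(URL_RE.findall(text), from_dom)

    # Attachments: executable extension and SHA-256 lookup against the feed.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXEC_EXT):
            signals.append(("executable_attachment", 0.25))
        if hashlib.sha256(data).hexdigest() in bad_hashes:
            signals.append(("known_bad_attachment_hash", 0.4))

    # Noisy-OR: independent weak signals add up; no single signal forces the verdict.
    miss = 1.0
    for _, w in signals:
        miss *= 1.0 - w
    confidence = 1.0 - miss
    verdict = "malicious" if confidence >= 0.5 else "suspicious" if confidence > 0.2 else "clean"
    action = "none"
    if verdict == "malicious":
        action = "quarantine" if confidence > quarantine_threshold else "escalate"
    return {"verdict": verdict, "confidence": confidence, "action": action, "signals": signals}
```

Raising `quarantine_threshold` to 0.9 turns the sample's quarantine into an escalation, which is the behaviour the `--var quarantine_threshold=0.9` override is meant to give you: the verdict is unchanged, only the automatic action is held back for a human.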
spam_triage
Quick spam classification.
Triggers: incident_type: spam
Steps:
- Parse email
- Check spam indicators (bulk headers, suspicious patterns)
- Classify as spam/not spam
- Auto-archive high-confidence spam
bec_detection
Business Email Compromise detection.
Triggers: incident_type: bec
Steps:
- Parse email
- Check for executive impersonation
- Analyze reply-to mismatch
- Check for urgency indicators
- Verify sender against directory
- AI analysis for social engineering patterns
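The executive-impersonation, reply-to and urgency checks from the bec_detection steps, as an added example that is not Triage Warden's own code. The directory, the executive titles, the urgency phrase list, the signal weights and both sample messages are constructed for the example; in a deployment the directory lookup would go to the identity provider.

```python
"""BEC screening of a raw message against a directory (added example, not Triage Warden code)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed directory: normalized display name -> canonical address and title.
DIRECTORY = {
    "jane doe": {"email": "jane.doe@example.com", "title": "CEO"},
    "sam patel": {"email": "sam.patel@example.com", "title": "CFO"},
}
EXEC_TITLES = {"CEO", "CFO", "COO", "President"}
# Assumed urgency/pressure phrases; each hit adds 0.1, capped at 0.3.
URGENCY = [r"\burgent\b", r"\btoday\b", r"end of (the )?day", r"\bconfidential\b",
           r"can'?t talk", r"are you (at your desk|available)", r"wire transfer",
           r"gift cards?", r"keep this between us"]

# Constructed samples; the lure borrows the CEO's name on a free-mail address.
BEC_EMAIL = """\
From: "Jane Doe" <jane.doe.ceo@freemail.invalid>
Reply-To: jane.doe@freemail-alt.invalid
To: sam.patel@example.com
Subject: Urgent wire transfer needed today

Are you at your desk? I need you to process an urgent wire transfer before end of day.
Keep this confidential, I'm in a meeting and can't talk.
"""
BENIGN_EMAIL = """\
From: "Jane Doe" <jane.doe@example.com>
To: sam.patel@example.com
Subject: Board deck

Attached is the board deck for Thursday.
"""


def norm_name(name):
    """Lower-case, strip punctuation, collapse whitespace ("Doe, Jane" is not handled)."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def verify_sender(from_header, directory=DIRECTORY):
    """'internal' (name and address match), 'impersonation' (exec name, foreign address) or 'external'."""
    name, addr = parseaddr(str(from_header or ""))
    entry = directory.get(norm_name(name))
    if entry and entry["email"].lower() == addr.lower():
        return "internal"
    if entry and entry["title"] in EXEC_TITLES:
        return "impersonation"
    return "external"


def detect_bec(raw, directory=DIRECTORY):
    msg = message_from_string(raw, policy=policy.default)
    signals = []
    status = verify_sender(msg.get("From"), directory)
    if status == "impersonation":
        signals.append(("executive_impersonation", 0.45))

    # Reply-To pointing somewhere other than the visible sender diverts the conversation.
    from_addr = parseaddr(str(msg.get("From") or ""))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To") or ""))[1].lower()
    if reply_to and reply_to != from_addr:
        signals.append(("reply_to_mismatch", 0.25))

    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}"
    hits = [p for p in URGENCY if re.search(p, text, re.I)]
    if hits:
        signals.append(("urgency_indicators", min(0.1 * len(hits), 0.3)))

    miss = 1.0
    for _, w in signals:
        miss *= 1.0 - w
    confidence = 1.0 - miss
    return {"sender": status, "confidence": confidence, "signals": signals,
            "urgency_hits": hits, "action": "escalate" if confidence >= 0.5 else "none"}
```

The output deliberately stops at "escalate": BEC lures carry no payload to quarantine, and the harm is a human acting on the message, so the playbook's job is to get it in front of an analyst with the evidence attached rather than to take an automatic containment step.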
Endpoint Security
malware_triage
Malware alert analysis.
Triggers: incident_type: malware
Steps:
- Get host information from EDR
- Look up file hash
- Check related processes
- Query SIEM for lateral movement
- AI verdict
- Auto-isolate if critical severity + high confidence
suspicious_login
Anomalous login investigation.
Triggers: incident_type: suspicious_login
Steps:
- Get login details
- Check for impossible travel
- Query user's recent activity
- Check IP reputation
- Verify device fingerprint
- AI analysis
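The impossible-travel, IP-reputation and device-fingerprint checks from the suspicious_login steps, as an added example that is not Triage Warden's own code. It implies a travel speed from the great-circle distance between two consecutive logins and the time between them, and flags anything above airliner speed. The login events, the 900 km/h limit, the known-device map and the IP deny list are constructed for the example (IPs from the documentation ranges).

```python
"""Suspicious-login checks (added example, not Triage Warden code)."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed limit, roughly airliner cruise speed


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    device_id: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(prev, cur, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (flagged, implied speed in km/h) for two consecutive logins of one user."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    # Floor the interval at one second so near-simultaneous logins do not divide by zero.
    hours = max((cur.ts - prev.ts).total_seconds(), 1.0) / 3600.0
    speed = km / hours
    return speed > max_kmh, speed


def assess(history, cur, known_devices, bad_ips):
    """Signals for the current login given the user's earlier logins (oldest first)."""
    signals = set()
    prior = [h for h in history if h.user == cur.user and h.ts <= cur.ts]
    if prior and impossible_travel(prior[-1], cur)[0]:
        signals.add("impossible_travel")
    if cur.ip in bad_ips:
        signals.add("ip_reputation")
    if cur.device_id not in known_devices.get(cur.user, set()):
        signals.add("unknown_device")
    return signals


# Constructed sample events: Berlin, then New York 45 minutes later, then Munich.
T = datetime.fromisoformat
BERLIN = Login("alice", T("2024-05-01T08:00:00+00:00"), "192.0.2.10", 52.5200, 13.4050, "dev-laptop")
NEW_YORK = Login("alice", T("2024-05-01T08:45:00+00:00"), "203.0.113.9", 40.7128, -74.0060, "dev-unknown")
MUNICH = Login("alice", T("2024-05-01T10:00:00+00:00"), "192.0.2.11", 48.1351, 11.5820, "dev-laptop")
KNOWN_DEVICES = {"alice": {"dev-laptop"}}
BAD_IPS = {"203.0.113.9"}  # constructed reputation deny list
```

Geolocation of the source IP is the weak link: VPN egress points and mobile carrier NAT produce legitimate "jumps", so a production playbook should suppress the signal for known VPN ranges and treat impossible travel as one input to the AI verdict rather than a lock-account trigger on its own.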
Customizing Built-in Playbooks
Override Variables
```shell
tw-cli playbook run phishing_triage \
  --incident INC-2024-001 \
  --var quarantine_threshold=0.9 \
  --var auto_block=false
```
Fork and Modify
```shell
# Export built-in playbook
tw-cli playbook export phishing_triage > my_phishing.yaml

# Edit as needed
vim my_phishing.yaml

# Register custom version
tw-cli playbook add my_phishing.yaml
```
Extend with Hooks
```yaml
# my_phishing.yaml
extends: phishing_triage

# Add steps after parent playbook
after_steps:
  - name: Custom Logging
    action: log_to_siem
    parameters:
      event: phishing_verdict
      data: "{{ verdict }}"

# Override variables
variables:
  quarantine_threshold: 0.85
```
Playbook Comparison
| Playbook | AI Used | Auto-Response | Typical Duration |
|---|---|---|---|
| phishing_triage | Yes | Quarantine, Block | 30-60s |
| spam_triage | No | Archive | 5-10s |
| bec_detection | Yes | Escalate | 45-90s |
| malware_triage | Yes | Isolate | 60-120s |
| suspicious_login | Yes | Lock account | 30-60s |
Monitoring Playbooks
Execution Metrics
```promql
# Playbook execution count
sum by (playbook) (playbook_executions_total)

# Average duration
avg by (playbook) (playbook_duration_seconds)

# Success rate
sum(playbook_executions_total{status="success"}) /
sum(playbook_executions_total)
```
Alerts
```yaml
# Alert on playbook failures
- alert: PlaybookFailureRate
  expr: |
    sum(rate(playbook_executions_total{status="failed"}[5m])) /
    sum(rate(playbook_executions_total[5m])) > 0.1
  for: 5m
  labels:
    severity: warning
  annotations:
    summary: "Playbook failure rate above 10%"
```