Playbook

Playbooks are used to automatically trigger actions on reported emails. The actions described in the Actions section must be defined within the Playbook to ensure they are executed automatically.

A Playbook can be created by clicking the button highlighted in the visual. Playbooks that have been created but are not yet active are listed under the Library tab, while active Playbooks are shown under the Live tab.

Create a Playbook

When creating a Playbook, it can be set up based on two different conditions:

    1. Search and Match: The Playbook is triggered according to the added criteria.
    2. IoC Results: The Playbook operates based on the results of IoC scans.

In both cases, the Contains and Equals conditions can be used. Unlike actions, criteria can be defined as Contains and Not Contains, or Equals and Not Equals.

Create with Search and Match

Playbook rules use the AND / OR structure, which should be taken into account when creating them. For Match Criteria combined with the AND operator, all specified criteria must match the reported email for the rule to be considered a match.

For a criterion created using the AND clause, every specified value must be present in the corresponding part of the reported email. In other words, both conditions must be met: the reported email must contain a gmail.com domain in the CC field and a yahoo.com domain in the TO field for the rule to be considered a match.

For the OR clause, it is sufficient for just one of the criteria in the Playbook to match. If either the CC field contains the gmail.com domain or the TO field contains the yahoo.com domain, the rule will be considered a match.

The Match Criteria section is where the Playbook's matching rules for the reported email are defined. The first step is to select the Mail Part. For every Mail Part option, one of the conditions Equals, Not Equals, Contains, or Not Contains can be selected. Finally, after adding the Value, the creation process is complete.

Mail Part consists of 11 different options.

  1. From: This criterion is based on the email sender. It can be used with either the domain or the sender's full email address (e.g., @domain.com or test@domain.com).
  2. To: This option checks the matching condition for the email's recipient. The email address entered as the Value is also evaluated under the Not Contains and Not Equals conditions to determine whether it matches the reported email.
  3. CC: The check is performed against the CC recipients of the email. Just like the TO field, the CC field works with conditions such as Equals or Not Equals to determine matching criteria.
  4. Sender IP: The check is performed using the Sender IP found in the email headers. For example, a Received header could be:
     Received: from mta-174-81-113.test.net.testmail.com (192.1.1.111)
     In this case, the IP address 192.1.1.111 is used for verification.
  5. Subject: The action is triggered based on the Subject of the email.
  6. Body: The action is triggered based on the Body of the email.
  7. ATT_NAME (Attachment Name): The action is triggered based on the name of the attachment found in the email.
  8. ATT_HASH (Attachment Hash): The action is triggered based on the hash of the attachment found in the email.
  9. ATT_EXT (Attachment Extension): The action is triggered based on the filename extension of the attachment found in the email (e.g., .pdf, .docx).
  10. Tag: The action is triggered based on the TAG associated with the email. For example, if an IoC source finds a link to be malicious, the source adds itself as a TAG to the email. This way, actions can be taken based on malicious links.
  11. Reporter: The action is triggered based on the person who reported the email.
  12. Reporter_IP: The action is triggered based on the IP address from which the email was reported.


After the necessary search criteria are created, you can run the playbook along with the pre-prepared manual actions.
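The AND / OR matching semantics and the Mail Part conditions described above, as an added illustration rather than the product's own code. It assumes a constructed reported email, covers only the header-based Mail Parts (From, To, CC, Sender IP, Subject, Body), and extracts the Sender IP from the Received header the same way the example in the list does.

```python
"""Added example: a minimal evaluator for Playbook Match Criteria.
Not the product's code; the sample email and field names are constructed."""
import re
from email import message_from_string

# Constructed reported email used as input (not a real message).
REPORTED_EMAIL = """From: test@domain.com
To: victim@yahoo.com
CC: colleague@gmail.com
Subject: Invoice overdue
Received: from mta-174-81-113.test.net.testmail.com (192.1.1.111)

Please open the attached file.
"""

def mail_parts(raw):
    """Extract the Mail Part values that criteria are matched against."""
    msg = message_from_string(raw)
    # Sender IP: the parenthesised address in the Received header.
    ip = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", msg.get("Received", ""))
    return {
        "From": msg.get("From", ""),
        "To": msg.get("To", ""),
        "CC": msg.get("CC", ""),
        "Sender IP": ip.group(1) if ip else "",
        "Subject": msg.get("Subject", ""),
        "Body": msg.get_payload(),
    }

def criterion_matches(part_value, condition, value):
    """Evaluate one criterion: Equals / Not Equals / Contains / Not Contains."""
    a, b = part_value.lower(), value.lower()
    return {
        "Equals": a == b,
        "Not Equals": a != b,
        "Contains": b in a,
        "Not Contains": b not in a,
    }[condition]

def playbook_matches(raw, operator, criteria):
    """AND: every criterion must match; OR: at least one criterion must."""
    parts = mail_parts(raw)
    results = [criterion_matches(parts[p], c, v) for p, c, v in criteria]
    return all(results) if operator == "AND" else any(results)

# The rule from the text: gmail.com in CC and yahoo.com in TO.
RULE = [("CC", "Contains", "@gmail.com"), ("To", "Contains", "@yahoo.com")]
```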