Canned Playbooks: Are They Realistic?

By Anton Chuvakin | March 15, 2019 | 2 Comments

One of the new ideas we had for a 2019 research paper is something clients often (well, often–ish) ask about: what to do if you encounter a particular threat or a type of incident? A sort of playbook for confirmation, investigation and response to a particular threat type.

Naturally, most threats in real life would be relatively mundane and – here I will make a faux pas and call “a threat actor” a threat – not of the “OMG I MET A GOTHIC PANDA IN A DARK ALLEY” variety. You know, of the non-targeted / non-APT variety. So the list of the situations is finite and easily enumerable.

Now, admittedly SOAR vendors are doing this, with a modicum of success. But even their playbooks suffer from the problem below, and few if any are truly usable without changes.

So, here is our conundrum:

I. Such a project is realistic [but useless] at a high level of abstraction.

II. Such a project is likely unrealistic at a low level of abstraction since most people use different tools.

Here, choice #I:

  1. Receive an indication of malware
  2. Confirm indication
  3. Remove malware
  4. <eh? this is a waste of time!>

Now, choice #II:

  1. See an alert in your SIEM (brand A) that says <this>
  2. Look at the field called <that>
  3. Use this EDR tool (brand B) that can …
  4. <loses patience, realizes the futility of this and leaves>

I’ve utilized the above logic as an excuse to not try it. However, organizations that are only starting their security operations, detection and response journeys are asking for it more and more.

So:

  • Do you think this is worth doing?
  • Do you think this is actually doable?

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

2 Comments

  • Barak says:

    Do you think this is worth doing?

    Yes. It’s worth doing even if it’s just like your two examples, very high-level steps: “What are you expecting your SOC to execute once an alert was fired”.

    Do you think this is actually doable?
    High-Level Playbook – Yes, and if you are focusing on high-level steps (Manual steps) try to focus on problems/issues you are trying to solve (Notification, Escalation, Known flow, Documentation) AKA have a standard response process.

    When we talk about having a detailed Playbook it is getting more tricky (but still doable)… From my personal experience, to write a detailed Playbook you MUST be a domain expert & a product/s expert, so a “Generic Detailed Playbook” is not really feasible. A few bullets I would like to add:
    * Detailed response playbook cannot be agnostic to the tools and data it uses.
    ** Files: Search based on Certificate signer, signing/expiration date, file size, compiled data, created location, was/first executed, download from the web, file hash, file similarity hash, etc.
    ** Process: Process name, Initiating user, Command line, PPID, etc.
    ** User: Department, manager, role, physical location, permission, etc.
    ** Email: Sender, receiver, domain, keyword similarity, content similarity, attachment (Similarity, specific), etc.
    ** Etc.
    * Detailed Playbooks are only part of the “organization response playbook” and we should not mix them together: e.g. User education, Legal reparations, etc.
    * Detailed Playbook should be tailored to the organization’s needs: An easy example, if the organization does not allow running an unapproved application (from a known list), it should be taken into consideration.

    I think it’s a bit non-realistic to get a Playbook to solve all of “non-targeted / non-APT variety” attacks; we should be aware of the limitation of the playbook, and build a process around them.

    To achieve a detailed playbook that will provide organizations with the functionality of Investigation (Triage) and Response, I would encourage your clients to search for a solution that provides the detailed playbooks for Investigation (Triage) and Response as part of the product offering and not as an add-on to an existing offer, just because most of the add-ons I know are trying to support as many solutions as possible within a single playbook, and this by itself forces them to build a playbook based on the lowest common denominator.

    Just my two cents on the subject.