Automatically notify stakeholders of Workbench insight progression by opening or updating cases, sending email notifications with AI-generated summaries, and collecting forensic evidence from impacted endpoints.

The Workbench Insight Progression Update playbook helps security teams streamline communication and accelerate response by automatically notifying stakeholders when Workbench insights are generated or updated. This playbook can open or update a case for the insight and send email notifications of insight information to specified recipients. Notifications and case updates can include a Generative AI-generated summary of the insight, providing clear and contextual information to support informed decision-making. You can configure the playbook to target specific insights based on score, attack phase, alert severity, or case status.
You must have Agentic SIEM & XDR entitlement enabled and the following required data sources configured to create Automated Response Playbooks: XDR Endpoint Sensor or XDR Email Sensor.

Procedure

  1. Go to Workflow and Automation > Security Playbooks.
  2. On the Playbooks tab, choose Add > Build manually.
  3. On the Playbook Settings panel, select the XDR detection type, specify a unique name for the playbook, and click Apply.
  4. On the Trigger Settings panel, select Automatic or manual (executed from Workbench) or Manual (executed from Workbench) for the trigger type and click Apply.
    • Automatic or manual (executed from Workbench): Workbench insights automatically trigger playbook execution. Each time an insight is generated or updated, the playbook is triggered. You can also manually trigger playbook execution from Workbench.
      Select Execute playbook automatically only during specified period and specify the days and time periods for automatic execution. You can specify a maximum of 10 sets of days and time periods in Trigger Settings.
    • Manual (executed from Workbench): You need to manually trigger playbook execution from Workbench.
  5. On the Target Settings panel, select and configure the Target for the playbook and click Apply.
    1. In the Target drop-down list, select Workbench insight.
    2. In the Alert severity within insight drop-down menu, select the severity level of alerts in the Workbench insights that need progression notification.
    3. If you want playbook actions to trigger only for Workbench insights within a specific score range, select Filter insights by score, and select a range from the drop-down list or configure a custom range.
    4. If you want playbook actions to trigger only for Workbench insights associated with specific attack phases, select Filter insights by attack phase, and select attack phases from the drop-down list.
  6. Configure conditions by adding a Condition node.
    1. Click the add node (+) icon on the right of the Target node and click Condition.
    2. Create a condition setting by specifying the Parameter, Operator, and Value.
      Parameter: Specify one of the following options as the parameter:
      • Case
      • Insight score
      • Attack phase
      • Alert severity within insight
      Operator: Specify one of the following:
      • IS: The condition is triggered if any of the values is matched.
      • IS NOT: The condition is triggered if none of the values is matched.
      Value: Specify the parameter value.
    3. Click Apply.
    4. If you need to add more than one parallel Condition node, click the add node (+) icon on the right of the Target node.
    5. If you need to configure action settings for the Condition node, add an Action node by clicking the add node (+) icon on the right.
      For details, see Step 7.
    6. If you need to configure else-if conditions or else actions, add an Else-If Condition or Else Action node by clicking the add node (+) icon under the Condition node.
      For details, see Step 10.
  7. Configure case actions by adding an Action node.
    1. Click the add node (+) icon on the right of the Condition node and click Action.
    2. On the Action Settings panel, configure the case-related actions taken on the targeted Workbench insights.
      Action: Open new case
      • To include a Generative AI-generated summary of the insight in the new case, click Turn on Generative AI and select Workbench insight summary.
      • To import relevant contents from other cases, select Import case contents from cases with correlated alerts.
      • To assign a priority level to the case, select Assign case priority and select the priority level.
      • To designate case owners from TrendAI Vision One™, select Assign TrendAI Vision One™ case owners and select owners from the Owners drop-down list.
      If a case already exists for the targeted Workbench insights, the new case settings overwrite the existing case.
      Action: Update existing case
      1. Select the new status for the case from the available options.
        • To do
        • In progress
        • Closed
      2. Choose the relevant findings related to the case.
        • True positive
        • Benign true positive
        • False positive
        • Noteworthy
        • Other findings
      3. If you have additional information or notes, type them into the Comment text box.
    3. Click Apply.
    4. If you need to add more than one parallel action, click the add node (+) icon on the right of the Target or Condition node.
  8. Configure notification settings by adding an Action node.
    1. Click the add node (+) icon on the right of the preceding node and click Action.
    2. On the Action Settings panel, specify how to notify recipients of insight information.
      Action: Send email notification of insight information
      1. Specify the prefix that appears at the start of the notification subject line.
      2. To include a Generative AI-generated summary of the insight in the email notification, click Turn on Generative AI and select Workbench insight summary.
      3. To include the expanded Workbench insight details with attachments, select Attachments of alert list, Attachments of impact scope, and Attachments of highlighted objects.
      4. Specify the email addresses of recipients.
    3. Click Apply.
  9. Configure evidence collection by adding an Action node.
    1. Click the add node (+) icon on the right of the Condition node and click Action.
    2. On the Action Settings panel, under Endpoint actions, select Collect evidence.
      Collect evidence collects forensic evidence from the target endpoints and uploads it to the Forensics app for investigation.
      The playbook automatically uses the endpoints from the Workbench insight's impact scope as the collection targets. You do not need to specify endpoints manually.
      Important
      • To use this action, the Forensics Evidence Collection feature must be enabled and credits must be allocated. If the option is unavailable, go to the Forensics app and enable Evidence Collection.
      • Target endpoints must have TrendAI Vision One™ XDR for Endpoint (XDR Endpoint Sensor) installed.
    3. In Evidence type, select the types of evidence to collect.
      Select one or more evidence types to collect. Basic information is required and selected by default. The available options depend on the endpoint operating system.
      Windows
      • Basic information
      • Account information
      • Network information
      • Process information
      • Service information
      • System execution information
      • User activity
      • Event log
      • File timeline
      • Registry
      Linux
      • Basic information
      • Process information
      • Network information
      • Service information
      • Account information
      • User activity
      • File timeline
      • Log
      For details about each evidence type, see Windows evidence types or Linux evidence types.
    4. (Optional) Select Require manual approval for actions if you want to review and approve the action before it runs on each endpoint.
      When selected, the action requires manual approval before executing on each target endpoint. To approve or reject pending actions, go to the action's execution results and select Approve all pending or Reject all pending.
    5. Click Apply.
    When the playbook runs, the Collect evidence action collects forensic evidence from the endpoints in the Workbench insight's impact scope. The collected evidence is uploaded to the Forensics app automatically.
    To review the results, open the playbook's execution results. The overall status shows Successful, Partially approved, or Unsuccessful. Select Check details to view the per-endpoint action status, and select View collection details in Forensics to open the collected evidence in the Forensics app.
    Each playbook execution automatically creates a Forensics workspace named Security Playbooks - execution-id. For insight-triggered runs, the workspace description also references the originating Workbench insight.
  10. Configure Else-If Conditions or Else Actions if necessary.
    1. Click the add node (+) icon below the Condition node and click Else-If Condition or Else Action.
    2. Configure a condition node by following Step 6, or configure an action node by following Step 7, Step 8, or Step 9.
    • Which nodes you can add varies depending on the preceding node. For example, an Action node can only be followed by another Action node; a Condition node can be followed by an Action node or have an Else-If Condition or Else Action attached to it.
    • When a condition is false, the playbook performs the Else Action or checks if its Else-If Condition is met. If the Else-If Condition is met, the playbook continues to perform the corresponding Else Action.
    • Multiple Action nodes configured in a serial mode are taken sequentially.
  11. Enable the playbook by toggling the Enable control on.
  12. Click Save.
    The playbook appears on the Playbooks tab in the Security Playbooks app.
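The following is an added example, not Trend Vision One code, that models the branching described above: a Condition node with IS (any value matched) or IS NOT (no value matched) semantics, its Else-If Conditions, the Else Action, and the serial Action nodes that follow whichever branch holds. The insight records, their field names and the inclusive-range form used for the Insight score value are constructed assumptions, not the product's schema.

```python
"""Added example (not Trend Vision One code): a small model of how a
Condition / Else-If Condition / Else Action chain decides which Action
nodes run for a Workbench insight. Field names, the insight records and
the (low, high) range form used for "Insight score" are assumptions."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple, Union

# A configured Value: a plain value, or an inclusive score range (assumed form).
Value = Union[str, Tuple[int, int]]


@dataclass
class Insight:
    """Constructed stand-in for a Workbench insight (assumed schema)."""
    insight_id: str
    score: int
    attack_phases: List[str]
    alert_severities: List[str]      # severities of the alerts inside the insight
    case_status: str                 # e.g. "No case", "To do", "In progress", "Closed"


@dataclass
class Condition:
    parameter: str      # Case | Insight score | Attack phase | Alert severity within insight
    operator: str       # IS | IS NOT
    values: List[Value]


def _actual_values(insight: Insight, parameter: str) -> List[object]:
    """Map a Condition parameter onto the insight fields it is compared against."""
    if parameter == "Case":
        return [insight.case_status]
    if parameter == "Insight score":
        return [insight.score]
    if parameter == "Attack phase":
        return list(insight.attack_phases)
    if parameter == "Alert severity within insight":
        return list(insight.alert_severities)
    raise ValueError(f"unknown parameter: {parameter}")


def _value_matches(actual: object, expected: Value) -> bool:
    if isinstance(expected, tuple):          # inclusive score range (assumed form)
        low, high = expected
        return isinstance(actual, int) and low <= actual <= high
    return actual == expected


def condition_matches(cond: Condition, insight: Insight) -> bool:
    """IS: true if ANY configured value matches; IS NOT: true if NONE matches."""
    actual = _actual_values(insight, cond.parameter)
    any_hit = any(_value_matches(a, e) for a in actual for e in cond.values)
    if cond.operator == "IS":
        return any_hit
    if cond.operator == "IS NOT":
        return not any_hit
    raise ValueError(f"unknown operator: {cond.operator}")


def run_branch(branches: Sequence[Tuple[Condition, List[str]]],
               else_actions: List[str], insight: Insight) -> List[str]:
    """branches[0] is the Condition node; the rest are its Else-If Conditions.
    Each is paired with the serial Action nodes that follow it. The first
    condition that holds wins and its actions are returned in execution
    order; if none holds, the Else Actions run."""
    for cond, actions in branches:
        if condition_matches(cond, insight):
            return list(actions)
    return list(else_actions)


# Constructed sample insights (not real data).
HIGH_SEV = Insight("WB-0001", 70, ["Initial Access", "Execution"], ["High", "Medium"], "No case")
LOW_SEV_DISCOVERY = Insight("WB-0002", 30, ["Discovery"], ["Low"], "To do")
LOW_SEV_INITIAL = Insight("WB-0003", 30, ["Initial Access"], ["Low"], "To do")

# Constructed playbook: Condition, one Else-If Condition, and an Else Action.
PLAYBOOK_BRANCHES = [
    (Condition("Alert severity within insight", "IS", ["Critical", "High"]),
     ["Open new case", "Send email notification of insight information"]),
    (Condition("Attack phase", "IS NOT", ["Initial Access"]),
     ["Update existing case"]),
]
ELSE_ACTIONS = ["Send email notification of insight information"]


def decide(insight: Insight) -> List[str]:
    """Actions the constructed playbook would take for one insight."""
    return run_branch(PLAYBOOK_BRANCHES, ELSE_ACTIONS, insight)


if __name__ == "__main__":
    for item in (HIGH_SEV, LOW_SEV_DISCOVERY, LOW_SEV_INITIAL):
        print(item.insight_id, "->", decide(item))
```

Note that IS NOT is evaluated against every value the insight carries for the parameter: an insight spanning several attack phases fails "Attack phase IS NOT Initial Access" as soon as one of its phases is Initial Access, which is the behaviour to keep in mind when a branch is meant to exclude a whole class of insights.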