Automatically notify stakeholders of Workbench insight progression by opening or updating cases and sending email notifications with AI-generated summaries.

The Workbench Insight Progression Update playbook helps security teams streamline communication and accelerate response by automatically notifying stakeholders when Workbench insights are generated or updated. This playbook can open or update a case for the insight and send email notifications of insight information to specified recipients. Notifications and case updates can include a Generative AI-generated summary of the insight, providing clear and contextual information to support informed decision-making. You can configure the playbook to target specific insights based on score, attack phase, alert severity, or case status.
You must have the XDR Threat Investigation entitlement enabled and the following required data sources configured to create Automated Response Playbooks: XDR Endpoint Sensor or XDR Email Sensor.

Procedure

  1. Go to Workflow and Automation > Security Playbooks.
  2. On the Playbooks tab, choose Add > Create playbook.
  3. On the Playbook Settings panel, select the XDR detection type, specify a unique name for the playbook, and click Apply.
  4. On the Trigger Settings panel, select Automatic or manual (executed from Workbench) or Manual (executed from Workbench) for the trigger type and click Apply.
    • Automatic or manual (executed from Workbench): Workbench insights automatically trigger playbook execution. Each time an insight is generated or updated, the playbook is triggered. You can also manually trigger playbook execution from Workbench.
      Select Execute playbook automatically only during specified period and specify the days and time periods for automatic execution.
      Note
      You can specify a maximum of 10 sets of days and time periods in Trigger Settings.
    • Manual (executed from Workbench): You need to manually trigger playbook execution from Workbench.
  5. On the Target Settings panel, select and configure the Target for the playbook and click Apply.
    1. In the Target drop-down list, select Workbench insight.
    2. In the Alert severity within insight drop-down menu, select the severity level of alerts in the Workbench insights that need progression notification.
    3. If you want playbook actions to trigger only for Workbench insights within a specific score range, select Filter insights by score, and select a range from the drop-down list or configure a custom range.
    4. If you want playbook actions to trigger only for Workbench insights associated with specific attack phases, select Filter insights by attack phase, and select the attack phases from the drop-down list.
    5. Click the add node (+) on the right of the Target node and click Condition.
    6. Create a condition setting by specifying the Parameter, Operator, and Value.
      Parameter: Specify one of the following options as the parameter:
      • Case
      • Insight score
      • Attack phase
      • Alert severity within insight
      Operator: Specify one of the following operators:
      • IS: The condition is met if any of the specified values matches
      • IS NOT: The condition is met if none of the specified values matches
      Value: Specify the parameter value.
    7. Click Apply.
    8. If you need to add more than one parallel Condition node, click the add node (+) on the right of the Target node.
    9. If you need to configure action settings for the Condition node, add an Action node by clicking the add node (+) on the right.
      For details, see Step 6.
    10. If you need to configure else-if conditions or else actions, add an Else-If Condition or Else Action node by clicking the add node (+) under the Condition node.
      For details, see Step 8.
  6. Configure actions by adding an Action node.
    1. Click the add node (+) on the right of the Condition node and click Action.
    2. On the Action Settings panel, configure the case-related actions taken on the targeted Workbench insights.
      Open new case:
      1. To include a Generative AI-generated summary of the insight in the new case, click Turn on Generative AI and select Workbench insight summary.
      2. To import relevant contents from other cases, select Import case contents from cases with correlated alerts.
      3. To assign a priority level to the case, select Assign case priority and select the priority level.
      4. To designate case owners from Trend Vision One, select Assign Trend Vision One case owners and select owners from the Owners drop-down list.
      Note
      If a case already exists for the targeted Workbench insights, the new case settings overwrite the existing case.
      Update existing case:
      1. Select the new status for the case from the available options.
        • To do
        • In progress
        • Closed
      2. Choose the relevant findings related to the case.
        • True positive
        • Benign true positive
        • False positive
        • Noteworthy
        • Other findings
      3. If you have additional information or notes, type them into the Comment text box.
    3. Click Apply.
    4. If you need to add more than one parallel action, use the add node (+) on the right of the Target or Condition node.
  7. Configure notification settings by adding the second Action node.
    1. Click the add node (+) on the right of the first Action node and click Action.
    2. On the Action Settings panel, specify how to notify recipients of insight information.
      Send email notification of insight information:
      1. Specify the prefix that appears at the start of the notification subject line.
      2. To include a Generative AI-generated summary of the insight in the email notification, click Turn on Generative AI and select Workbench insight summary.
      3. To include the expanded Workbench insight details with attachments, select Attachments of alert list, Attachments of impact scope, and Attachments of highlighted objects.
      4. Specify the email addresses of recipients.
    3. Click Apply.
  8. Configure Else-If Conditions or Else Actions if necessary.
    1. Click the add node (+) below the Condition node and click Else-If Condition or Else Action.
    2. Configure a condition node by following Step 5, or configure an action node by following Step 6 or Step 7.
    Note
    • The nodes that can be added by using an add node (+) vary depending on the preceding node. For example, an Action node can only be followed by another Action node; a Condition node can be followed by an Action node or have an Else-If Condition or Else Action attached to it.
    • When a condition is false, the playbook performs the Else Action or checks whether its Else-If Condition is met. If the Else-If Condition is met, the playbook performs the corresponding Else Action.
    • Multiple Action nodes configured in serial mode are executed sequentially.
  9. Enable the playbook by toggling the Enable control on.
  10. Click Save.
    The playbook appears on the Playbooks tab in the Security Playbooks app.
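To make the routing logic of the procedure above concrete, here is an added model (not Trend Vision One code) of how the Target filters and the Condition / Else-If / Else chain decide which actions run for an insight. The record fields, the `Insight` and `Condition` classes and the sample insights are assumptions; the IS and IS NOT semantics and the ordering rules follow the page.

```python
# Added illustration, not Trend Vision One code: models a Workbench insight
# progression playbook as Target filters plus an ordered Condition chain.
# IS is met if any selected value matches; IS NOT is met if none matches.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Insight:                      # constructed record; field names are assumptions
    score: int
    attack_phases: set
    alert_severities: set
    case_status: Optional[str]      # None when no case exists for the insight yet

@dataclass
class Condition:
    parameter: str                  # "case", "insight_score", "attack_phase", "alert_severity"
    operator: str                   # "IS" or "IS NOT"
    values: set                     # for insight_score: set of (low, high) ranges
    actions: list                   # serial Action nodes, run in order

def condition_met(cond, insight):
    """Apply the page's IS / IS NOT semantics to one Condition node."""
    if cond.parameter == "insight_score":
        matched = any(lo <= insight.score <= hi for lo, hi in cond.values)
    else:
        actual = {"case": {insight.case_status or "no case"},
                  "attack_phase": insight.attack_phases,
                  "alert_severity": insight.alert_severities}[cond.parameter]
        matched = bool(actual & cond.values)
    return matched if cond.operator == "IS" else not matched

def in_target(insight, min_score, max_score, phases, severities):
    """Target Settings: score range, attack-phase and alert-severity filters."""
    return (min_score <= insight.score <= max_score
            and (not phases or bool(insight.attack_phases & phases))
            and bool(insight.alert_severities & severities))

def run_playbook(insight, conditions, else_actions, min_score=0, max_score=100,
                 phases=None, severities=frozenset({"critical", "high", "medium", "low"})):
    """Condition first, then Else-If conditions in order, then the Else Action."""
    if not in_target(insight, min_score, max_score, phases or set(), severities):
        return []                   # the playbook is not triggered for this insight
    for cond in conditions:
        if condition_met(cond, insight):
            return cond.actions
    return else_actions

# Constructed playbook: escalate high/critical insights, keep open cases moving,
# otherwise just notify (Else Action). Action strings stand in for Action nodes.
CONDITIONS = [
    Condition("alert_severity", "IS", {"critical", "high"},
              ["open_case(priority=high, genai_summary=True)", "email(prefix='[Critical insight]')"]),
    Condition("case", "IS NOT", {"Closed"},
              ["update_case(status='In progress')", "email(prefix='[Insight update]')"]),
]
ELSE_ACTIONS = ["email(prefix='[Low-priority insight]')"]

def route(insight):
    return run_playbook(insight, CONDITIONS, ELSE_ACTIONS, min_score=40,
                        phases={"lateral movement", "exfiltration"})
```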