How Cyware's Nested Playbook Capability Helps Achieve Reusability Across Multiple Playbooks

How do Nested Playbooks work?

• At its core, a playbook defines a set of actions that are to be performed in a specific order. While creating a playbook in CSOL, it gives the option to add a different playbook as one of the nodes in the Visual Playbook Editor.
• What this means is that the playbook added as a node will be executed as a subtask during the execution of the master playbook. Thus, CSOL users can create an extended workflow while utilizing a bunch of other playbooks to perform different actions within a master playbook.
• In the CSOL Playbooks module, users can view all the created playbooks along with their associated playbooks which are added as subtasks.

Why does this matter?

• The process of automating all the security processes of an organization may seem simple on the surface but it can open up a pandora’s box if not done smartly. By using nested playbooks, SOC analysts can drastically reduce the time spent on codifying their processes in the form of playbooks.
• Nested playbooks allow SOC analysts to create the playbooks for all the redundant actions that are shared across multiple processes. These sub playbooks can then directly be used to create more complex playbooks without having to reinvent the wheel every time.
• As an example, consider two different playbooks, one for phishing email investigation and another for malware containment. Both these processes will involve several common steps such as creating and updating incident details, analyzing IOCs using external intel sources, quarantining infected systems, and more. Due to the ability to create nested playbooks, analysts only have to write these steps once and then reuse them across the two master playbooks.

The takeaway