
What is an incident response playbook and how is it used in SOAR?

Hi dear community,

Can you explain what an incident response playbook is and the role it plays in SOAR? How do you build an incident response playbook? 

Do SOAR solutions come with a pre-defined playbook as a starting point?

Top 5 | Leaderboard | Real User


What is an incident response playbook?

An Incident Response Playbook is the guidelines and group of processes, policies, plans, and procedures, along with appropriate oversight of response activities, that the organization should take to make a proactive response, quick containment, effective remediation and an action plan with "what if" scenarios in case a certain cyber incident has taken place.

How do you build an incident response playbook?

According to NIST, to build an Incident Response Playbook you need to design a process which contains 4 main phases:

1. Prepare.
2. Detect and Analyze.
3. Contain, Eradicate and Recover.
4. Post-Incident Handling.

*Reference, NIST Computer Security Incident Handling Guide:

*Reference, SANS Incident Handler's Handbook:

Do SOAR solutions come with a pre-defined playbook as a starting point?

- Sure, most SOAR solutions today come with predefined templates. However, it's a double-edged sword, depending on the cyber security awareness and maturity level of the organization. If it's implemented with no or low maturity level, it may harm the organization's production and utilize resources improperly.


Top 5 | Real User

Incident Response playbooks detail how to act when a threat or incident occurs. PICERL - Preparation, Identification, Containment, Eradication, Remediation, Lessons Learned (from SANS). The playbook outlines what to do at each stage.

Typical SOAR playbooks automate the response to detected threats.

- Create a Ticket to Track the Incident

- Identify the source and target

- Confirm the attack is suspicious (SOC Analyst Lookup, On known blacklist? other events?)

- Contain or Clean the Host (EDR, Patch, Update AV...)

- Block the Known Attacker (on a Firewall, IDS, etc...)

- Disable a Compromised Account

- Notify anyone necessary 

SOAR actions include scripts that set or fire off actions on devices.

A playbook usually has a series of actions that run when a threat/incident is detected.

Most SOARs include playbooks, but they have to be tailored and customized to the specific devices you have in your environment (Palo Alto Firewall vs. Checkpoint, Cylance vs. McAfee EPO...), Ticketing System integration, SIEM/UEBA threat detection integration...

Top 5 | Real User

Hi Rony, 

A playbook automates the gathering of threat intelligence from a myriad of threat intelligence sources. Playbooks ingest alerts from tools like a SIEM and scan the alerts against threat intelligence sources like VirusTotal and others in order to get information related to the alert. A playbook, for example, can scan suspicious domains/IPs against VirusTotal and provide a reputation score for the domain/IP.

Depending on the workflow, the playbook may be configured to close a case if it's a false positive, or to pass the case together with the threat intelligence gathered to a SOC analyst for further investigation. This way the playbook reduces time spent on false-positive alerts. It also saves time for analysts by automatically gathering threat intelligence instead of analysts doing that manually.

Be careful of cases where you set alerts to be automatically closed, though. You can try this on some community editions of SOAR platforms: Splunk Phantom, Siemplify...

Building a playbook

Magdy has provided perfect industry standards for building playbooks. Just a little addition: the playbook mainly has actions and decisions. Actions take an action against an alert (like scanning), and based on the results the playbook decides what to do: whether to close, do further scanning using other tools, or pass it to the SOC analyst. This really depends on your workflow.

I am a junior but I love this SOAR thing.

Top 10 | Real User

For a given incident type, it describes a series of actions that can be a mixture of automated and manual steps. When you start, the steps are often manual. As the playbook and confidence in the steps improve, you can start automating.

For example, a playbook for a "suspicious email" might read as:

1) check if a case is already open for this user and/or asset; if yes, go to step 3

2) open case and record details

3) extract suspicious attachment

4) generate MD5 and SHA256 hashes

5) submit hashes to Virustotal and record results

6) if 50% (pick your threshold) of AV engines detect the sample, skip to step 10

7) forward email attachment to sandbox

8) does the sandbox report indicate suspicious behavior? If yes, escalate to T3

9) inform the user

10) open a ticket to IT to re-template the PC or fix it

11) when you receive a response from IT about the ticket, close the SOC ticket with the relevant closure details

This is a quick illustration of what steps should be included, depending on your environment and how far you go.

Each step could be related to different teams.
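The "suspicious email" playbook above, together with the action-and-decision model from the earlier answer, as an added example that is not part of any answer on this page. It is a Python sketch, not a SOAR product's playbook language; the reputation and sandbox lookups are constructed stand-ins (`FAKE_VT_HITS`, `FAKE_SANDBOX`) for the vendor APIs a real playbook would call, and the assumption that a clean sandbox verdict closes the case as a false positive is added here, since the original list is linear.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for the reputation and sandbox lookups a real playbook
# would make over vendor APIs; both are keyed by SHA-256 of the attachment.
AV_ENGINES = 60
FAKE_VT_HITS = {}      # sha256 -> number of AV engines detecting the sample
FAKE_SANDBOX = {}      # sha256 -> True if the sandbox saw suspicious behaviour
OPEN_CASES = {}        # (user, asset) -> Case, for the step-1 duplicate check

@dataclass
class Case:
    case_id: str
    user: str
    asset: str
    status: str = "open"
    log: list = field(default_factory=list)   # every step records an action

def run_suspicious_email_playbook(user, asset, attachment: bytes, threshold=0.5,
                                  vt=FAKE_VT_HITS, sandbox=FAKE_SANDBOX, cases=OPEN_CASES):
    # Steps 1-2: reuse an already-open case for this user/asset, else open one.
    case = cases.get((user, asset))
    if case is None or case.status.startswith("closed"):
        case = Case(f"SOC-{len(cases) + 1}", user, asset)
        cases[(user, asset)] = case
    # Steps 3-4: hash the extracted attachment (MD5 and SHA-256).
    sha256 = hashlib.sha256(attachment).hexdigest()
    case.log.append(("hashes", hashlib.md5(attachment).hexdigest(), sha256))
    # Steps 5-6: reputation lookup; at or above the threshold, skip to step 10.
    hits = vt.get(sha256, 0)
    case.log.append(("reputation", hits, AV_ENGINES))
    if hits / AV_ENGINES >= threshold:
        return _open_it_ticket(case)
    # Steps 7-9: sandbox detonation; suspicious behaviour escalates to T3,
    # then the user is informed before the IT ticket is raised.
    if sandbox.get(sha256, False):
        case.log.extend([("escalate", "T3"), ("notify_user", user)])
        return _open_it_ticket(case)
    # Assumption added here: a clean verdict closes the case as a false positive;
    # the enrichment stays in the log so an analyst can review the auto-close.
    case.status = "closed_false_positive"
    return case

def _open_it_ticket(case):
    # Step 10: ask IT to re-template or fix the PC; the SOC case waits on IT.
    case.log.append(("it_ticket", f"IT-{case.case_id}"))
    case.status = "waiting_on_it"
    return case

def close_on_it_response(case, it_closure_notes):
    # Step 11: once IT responds, close the SOC ticket with the closure details.
    case.log.append(("closed", it_closure_notes))
    case.status = "closed"
    return case
```

Every branch leaves its evidence in `case.log`, which is what makes the automatic close reviewable rather than silent.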
