Create a package playbook to respond to events

When a security incident occurs on a device, you can minimize your response time by creating a package playbook. A package playbook allows you to automate the execution of refract packages when an event triggers a Context Analysis Engine (CAE) rule that you have configured in a detection rule set.

Package playbooks support Python refract packages only. You can use out-of-the-box refract packages that are available in the management console, or you can add your own custom refract packages. The contents of a package playbook are stored on the device, so they can be executed even if the device is offline. You can create a maximum of 100 package playbooks.

  • Create a detection rule set.
  • If desired, create a Python refract package that can execute on a device when a detection rule is triggered. For more information about creating a custom package, see KB 42221254280219.
  • If you create your own package, you must upload it to the management console. In the console, go to CylanceOPTICS > Configurations > Packages, then click Upload file.
  1. In the management console, on the menu bar, click Focus > Configurations, then click the Playbooks tab.
  2. Click Create Playbook.
    If you want to clone an existing package playbook, filter the list of playbooks to the desired playbook and click the Clone icon.
  3. Type a name and description.
  4. In the Collection Type drop-down list, click the location where you want to store the data that the package will collect.
    • Local saves the data at the indicated path on the device.
    • If you select SFTP, SMB, or S3, specify the required information.
  5. Click Next.
  6. In the Package drop-down list, click a package that you want to include in the package playbook. If necessary, specify optional command line arguments.
  7. Click Add Another Package to add additional packages. You can add a maximum of 20 packages to a package playbook.
  8. Click Save.
On the menu bar, click Focus > Configurations > Rule Sets. Edit a detection rule set and assign the package playbook to the desired rules. Click Confirm. You can associate up to 10 package playbooks with each detection rule.
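The following is an added example of the kind of collection script a custom package might run when a playbook fires; it is not BlackBerry's code and does not follow the refract package conventions from KB 42221254280219 (see that article for the real format). It assumes only that the package is invoked as a Python script with the optional command line arguments from step 6, and that the `--output` argument points at the Local collection path from step 4. It hashes the files under a directory and writes a JSON report that the playbook's collection type can store or forward, recording unreadable files as errors instead of aborting the whole collection.

```python
"""Hypothetical incident-triage collection script (example only, not a real
refract package). Hashes files under a directory and writes a JSON report
to the playbook's collection path."""
import argparse
import hashlib
import json
import os
import socket
import sys
import time
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Return the hex SHA-256 of a file, read in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def collect_hashes(root: str, max_files: int = 500) -> list:
    """Walk `root` and record path, size, mtime and SHA-256 for up to `max_files` files.
    A file that cannot be read is recorded with an "error" field rather than
    stopping the collection, so a partial report still reaches the analyst."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if len(records) >= max_files:
                return records
            full = Path(dirpath) / name
            entry = {"path": str(full)}
            try:
                st = full.stat()
                entry["size"] = st.st_size
                entry["mtime"] = int(st.st_mtime)
                entry["sha256"] = sha256_file(full)
            except OSError as exc:
                entry["error"] = str(exc)
            records.append(entry)
    return records


def write_report(records: list, output_dir: str, hostname: str) -> str:
    """Write the collection as JSON under the collection path and return the file path."""
    out_dir = Path(output_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    report = {
        "host": hostname,
        "collected_at": int(time.time()),
        "count": len(records),
        "files": records,
    }
    out_path = out_dir / f"filehashes_{hostname}_{report['collected_at']}.json"
    out_path.write_text(json.dumps(report, indent=2))
    return str(out_path)


def parse_args(argv):
    """Argument names here are assumptions for the example, not console-defined options."""
    parser = argparse.ArgumentParser(
        description="Hash files under a directory for incident triage (example)")
    parser.add_argument("--path", required=True, help="directory to hash")
    parser.add_argument("--output", required=True, help="directory for the JSON report")
    parser.add_argument("--max-files", type=int, default=500,
                        help="cap on files hashed, to bound run time on a busy host")
    return parser.parse_args(argv)


def main(argv=None) -> int:
    args = parse_args(sys.argv[1:] if argv is None else argv)
    records = collect_hashes(args.path, args.max_files)
    out = write_report(records, args.output, socket.gethostname())
    print(f"wrote {len(records)} records to {out}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

In the playbook, the equivalent of `--path /some/dir --output /collection/path --max-files 500` would go in the package's command line arguments field; capping the file count keeps the package's run time predictable when a rule fires on a heavily loaded device.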