Creating a Playbook

Role Availability Read-Only Investigator Analyst Manager

Each playbook comprises one or more actions, and is associated with an alarm rule An alarm rule correlates incoming events based on predefined or user-configured critera to trigger alarms in USM Anywhere when that event or sequence of events requires attention or investigation. in USM Anywhere. When an alarm is triggered based off of that alarm rule, users will have the option to run a playbook and execute one or all of the actions within that playbook as part of their response to the alarm in USM Anywhere.

Creating a New Playbook

To create a playbook from the Playbooks page

  1. Go to Settings > Playbooks and navigate to the My Playbooks tab.
  2. Click Create Playbook.
    Click Create Playbook from your My Playbooks tab to create a new playbook.
  3. Enter a name and description for your playbook.
  4. (Optional.) Use the Alarm Rule Assignment to associate your playbook with one or more alarm rules. Your playbook will only be available on alarms generated from these alarm rules.

Note: Toggle the Assign Now button to Assign Later if you would like to skip this step. Your playbook will then be available on all alarms.

  1. Under the Actions section, assign an action to your playbook.
    If your playbook does not have at least one action configured, the Create Playbook button will be disabled until you add an action.

    2. Actions in a playbook must be completed in the order in which they are configured. Take care when assigning actions to your playbook to ensure that they are in the correct sequence.
    You can drag and drop individual actions within the Actions section to ensure that they are in the right order.

    Action Types for Use in a Playbook
    Column Description
    App-Specific Actions that USM Anywhere will execute through or on behalf of a specific AlienApp.
    You can only select actions associated with apps that are enabled in your instance.
    Manual Actions that a user must complete manually.
    These actions appear in USM Anywhere as text descriptions of the action the user must execute.
    System Actions related to USM Anywhere system events which the product will execute.
    • To assign an app-specific action:
      1. Use the Action Type dropdown to select the appropriate AlienApp from the list.
      2. Use the App Action dropdown to select an action from the list of actions available for that app.
    • To assign a manual action:
      1. Use the Action Type dropdown to select Manual Action.
      2. Use the App Action text field to type a description of the manual action that a user should take at this step.
    • To assign a system action:
      1. Use the Action Type dropdown to select System Action.
      2. Use the App Action dropdown to select a system action from the list.

Warning: Actions in a playbook must be completed in the order in which they are configured. Take care when assigning actions to your playbook to ensure that they are in the correct sequence.
You can drag and drop individual actions within the Actions section to ensure that they are in the right order before creating your playbook, or edit an existing playbook to change the order of its actions.

  1. (Optional.) Click Add Action to add another action to your playbook.
  2. When you have completed all of your actions, click Create Playbook.
    Your new playbook will now be visible in the My Playbooks tab.