Dynamic Playbooks

The Resilient Dynamic Playbook provides a "guided response" – agile and repeatable incident response plans that are infused with human intelligence and quickly deliver incident data through automation.

The Resilient platform provides a variety of tools to help you design and implement your playbook. The coordinated application of all of these features make dynamic playbooks a powerful tool for accelerating the execution of methodical incident responses processes and, ultimately, remediation of incidents.


Resilient features: Incident Type, Phases, Tasks and Incident Layouts.

These features help you to categorize your events, define the response progression, design your layouts, and organize your data.

The core of a Resilient playbook is its task list. Out-of-the-box playbooks provide tasks to follow NIST and SANS best practice for coordinated response to different types of threats.


Resilient features: Fields and Data Tables.

The security incident is focused on data that you capture and control, surrounded by related events and the business context. The Resilient extensible schema supports your team in tracking and acting upon the information you need.

You can use fields as data capture points for analysis review and to produce metrics. They specifically support incident response actions, reports, list incident views, and analytics dashboards. Fields should be distinct, specific and purposeful.

Data tables are particularly useful for structured “master-detail” data that is observed and managed in an incident, such as: list of affected users with their roles and contact details; compromised machines and their business function and network zone; office locations and resources. They are often used with functions and custom actions, where the information is populated from another security program. In some extensions, users can pivot to initiate capabilities of your security programs directly from a row in the data table.


Resilient features: Rules, Workflows, and Python Scripts.

Rules are the basis of your playbook’s decision-making process. Based on the input, rules determine which process to implement, including which tasks to bring into the incident.

The Resilient standards-based BPMN workflow manages long-running activities in the playbook. Features include tasks, scripts, integration functions, decision paths, and timers that can escalate tasks to keep your incident responders on track.

Python scripts within the Resilient playbook coordinate the way your teams work together, and adjust the response plan as an incident evolves. Automatically reassign incidents and tasks, create milestones and metrics for key events, and work with other incident data.


Resilient features: Functions, Threat Services and other extensions.

These features help you to automate information gathering and decision making.

Functions, when triggered by workflows, send data to a remote function processor, perform an activity then return the results to the workflow. Functions can perform sophisticated operations, such as performing lookups, sending attachments for analysis and adding the resulting report to the incident, and triggering an external action and then returning results for use in decision-making processes.

The Resilient platform includes “built-in” threat services. When artifacts are added to incidents, the Resilient platform can search for those artifacts in several cyber threat sources that have been integrated into the product. If the artifact is found in one or more of these threat sources, it is highlighted in red and additional information about the “hit” is displayed.

You can also include your own custom threat services that allow you to provide artifact scanning from your own threat sources, or provide additional scanning beyond what the Resilient platform provides.

As described in Resilient Extensions, these are the integrations to other security systems, such as BigFix, QRadar, Splunk and more, where data is passed to and from the Resilient platform to coordinate and automate your incident response.

See the Reference page for a list of communities and documentation.