Network Proactive Response Example Playbook
Important
When configuring playbooks for Proactive Response, the playbook name must match the trigger name and follow the Proactive Response Naming Convention.
NDR IP Blocking and IP Block Removal Playbook Configurations
Note
When IP blocks (shuns) are applied to NDR Devices as a Proactive Response Action, the block is deployed to all of the tenant’s healthy NDR Devices. To remove an IP block, clients can leverage the NDR Unblock playbook and target the relevant NDR Device(s).
- Configure an NDR Block playbook for the IP Block action using the trigger parameters shown below. For more information about adding a new playbook, see Create a New Playbook.
  - Enter M_iSensorBlock in the Playbook Details Name field.
  - Select User Initiated for the Trigger Type.
  - Select Response Action for the Category.
  - Select Asset for the Context.
  - Enter M_iSensorBlock in the Trigger Source Name field.
  - Under When does this playbook run?, select Only When and then enter false in the Trigger Filter field.
Note
The NDR Block playbook does not have actions listed in the dropdown; it must be executed manually.
Playbook for deploying IP blocks to the NDR Device
Note
Each playbook has built-in documentation that walks through the steps to create a new playbook. Select Documentation from a playbook template or configured playbook in XDR to open this in a new tab and follow the guidance there.
- Configure an NDR Unblock playbook for the IP Block Removal action using the trigger parameters shown below. For more information about adding a new playbook, see Create a New Playbook.
  - Enter M_iSensorUnBlock in the Playbook Details Name field.
  - Select User Initiated for the Trigger Type.
  - Select Response Action for the Category.
  - Select Asset for the Context.
  - Enter M_iSensorUnBlock in the Trigger Source Name field.
  - Under When does this playbook run?, select Only When and then enter false in the Trigger Filter field.
Note
The NDR Unblock playbook does not have actions listed in the dropdown; it must be executed manually.
Playbook for removing IP blocks from the NDR Device