Create a package playbook to respond to events
When a security incident occurs on a device, you can minimize your response time by creating a package playbook. A package playbook allows you to automate the execution of refract packages when an event triggers a Context Analysis Engine (CAE) rule that you have configured in a detection rule set.
Package playbooks support Python refract packages only. You can use out-of-the-box refract packages that are available in the management console, or you can add your own custom refract packages. The contents of a package playbook are stored on the device, so they can be executed even if the device is offline. You can create a maximum of 100 package playbooks.
- If desired, create a Python refract package that can execute on a device when a detection rule is triggered. For more information about creating a custom package, visit support.blackberry.com/community to read article 66563.
- If you create your own package, you must upload it to the management console. In the console, go to CylanceOPTICS > Configurations > Packages, then click Upload file.
- In the management console, on the menu bar, click CylanceOPTICS > Configurations, then click the Playbooks tab.
- Click Create Playbook. If you want to clone an existing package playbook, filter the list of playbooks to find the desired playbook and click the clone icon.
- Type a name and description.
- In the Collection Type drop-down list, click the location where you want to store the data that the package will collect.
- Local saves the data at the indicated path on the device.
- If you select SFTP, SMB, or S3, specify the required information.
- In the Package drop-down list, click a package that you want to include in the package playbook. If necessary, specify optional command line arguments.
- Click Add Another Package to add additional packages. You can add a maximum of 20 packages to a package playbook.
On the menu bar, click CylanceOPTICS > Configurations > Rule Sets. Edit a detection rule set and assign the package playbook to the desired rules. Click Confirm. You can associate up to 10 package playbooks with each detection rule.