
Create a package playbook to respond to events

When a security incident occurs on a device, you can minimize your response time by creating a package playbook. A package playbook allows you to automate the execution of refract packages when an event triggers a Context Analysis Engine (CAE) rule that you have configured in a detection rule set.
Package playbooks support refract packages only. You can use out-of-the-box refract packages that are available in the management console, or you can add your own custom refract packages. The contents of a package playbook are stored on the device, so they can be executed even if the device is offline. You can create a maximum of 100 package playbooks.
  • If desired, create a refract package that can execute on a device when a detection rule is triggered. For more information about creating a custom package, see KB 66563.
  • If you create your own package, you must upload it to the management console. In the console, go to CylanceOPTICS > Configurations > Packages, then click Upload file.
  1. In the management console, on the menu bar, click CylanceOPTICS > Configurations, then click the
  2. Click Create Playbook. If you want to clone an existing package playbook, filter the list of playbooks to the desired playbook and click the Clone icon.
  3. Type a name and description.
  4. In the Collection Type drop-down list, click the location where you want to store the data that the package will collect.
    • Local saves the data at the indicated path on the device.
    • If you select , or , specify the required information.
  5. Click
  6. In the drop-down list, click a package that you want to include in the package playbook. If necessary, specify optional command line arguments.
  7. Click Add Another Package to add additional packages. You can add a maximum of 20 packages to a package playbook.
  8. Click
On the menu bar, click CylanceOPTICS > Configurations > Rule Sets. Edit a detection rule set and assign the package playbook to the desired rules. Click . You can associate up to 10 package playbooks with each detection rule.