Understanding Playbooks and the Relationship of Runbooks, Knowledge Base Articles and Workflows
Runbooks create an association between published Knowledge Base (KB) articles and Security Incident Response Tasks. This lets you implement your Playbook in ServiceNow by first creating a separate KB article for each task the Playbook requires. Using KB articles for the Playbook's tasks also lets you create and present concise, descriptive tasks for your analysts.
Once you have created the KB articles, you create a Runbook. This is where you set the criteria that decide which Response Tasks get a specific KB article attached (for example, "short description" | "contains" | "Run Malware Scan"). When a new Response Task is created and it matches the criteria in the Runbook, the Runbook attaches the KB article you specified for that task.
The Playbook itself is run from a workflow you have created to handle a specific type of Security Incident. For instance, a workflow that handles Phishing incidents would include all the Response Tasks from your Playbook for those incidents. When a new Security Incident is generated and your "Phishing Playbook" workflow is triggered, it begins generating the Response Tasks contained in the workflow. As each Response Task is generated, the Runbook associates the specific KB article you defined for that task. The Playbook Name shown in the new Security Analyst UI is pulled from the "Category" field of the new Security Incident, which is set when your Playbook workflow is triggered. Response Tasks can then be reused in other workflows and the Runbook will still create the association, eliminating the need to recreate the KB article.
The general processing chain:
1. New Security Incidents are generated by a number of methods.
2. Workflow Triggers evaluate new records on the [sn_si_incident] table.
3. If the new Security Incident matches criteria set in the workflow trigger then that workflow will begin.
4. Certain workflows have been created to address “Playbooks”, containing tasks used to resolve a specific type of threat.
5. As the workflow progresses new Security Incident Response Tasks are generated.
6. Runbook evaluates new Incident Response Tasks on the [sn_si_task] table.
7. If the Incident Response Task matches criteria set in the Runbook then it creates an association between a KB Article and the Security Incident Response Task.
8. The new Security Incident Response Task with its KB Article is then displayed to the user in the new Security Analyst UI within the Playbook.
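The processing chain above, modelled as an added plain-JavaScript example (not ServiceNow code and not part of the original article): a workflow trigger matches the incident's Category, the matching workflow generates its Response Tasks, and a Runbook's "field | operator | value" criteria decide which KB article each task gets. The Playbook names, task short descriptions, KB numbers, record numbers and the three operators are all constructed sample data; real Runbooks and Workflow Triggers are configured in the platform rather than written as code.

```javascript
// Added illustration of the Playbook -> Workflow -> Response Task -> Runbook -> KB chain.
// Everything below is constructed sample data; nothing is the platform's own code.

// Runbook criteria, mirroring the "<field> | <operator> | <value>" form of a Runbook.
// Assumed operators; matching is case-insensitive by choice.
const OPERATORS = {
  contains: (actual, expected) => actual.toLowerCase().includes(expected.toLowerCase()),
  is: (actual, expected) => actual.toLowerCase() === expected.toLowerCase(),
  starts_with: (actual, expected) => actual.toLowerCase().startsWith(expected.toLowerCase()),
};

// Constructed Runbook rules: which Response Tasks get which KB article attached.
const RUNBOOK_RULES = [
  { field: "short_description", operator: "contains", value: "Run Malware Scan", kbArticle: "KB0000001" },
  { field: "short_description", operator: "contains", value: "Block Sender", kbArticle: "KB0000002" },
  { field: "short_description", operator: "starts_with", value: "Notify", kbArticle: "KB0000003" },
];

// Constructed Playbook workflows: the trigger criteria evaluated against a new
// sn_si_incident record, and the Response Tasks the workflow generates on sn_si_task.
// "Run Malware Scan on affected host" is reused by both workflows on purpose.
const PLAYBOOK_WORKFLOWS = [
  {
    name: "Phishing Playbook",
    trigger: { field: "category", operator: "is", value: "Phishing" },
    tasks: ["Block Sender in mail gateway", "Run Malware Scan on affected host", "Notify reporting user"],
  },
  {
    name: "Malware Playbook",
    trigger: { field: "category", operator: "is", value: "Malware" },
    tasks: ["Run Malware Scan on affected host", "Isolate host from network"],
  },
];

// Evaluate one criterion against a record (incident or task).
function matches(record, rule) {
  const actual = record[rule.field];
  if (typeof actual !== "string") return false;
  const op = OPERATORS[rule.operator];
  if (!op) throw new Error(`unknown operator: ${rule.operator}`);
  return op(actual, rule.value);
}

// Steps 6-7: the Runbook evaluates a new Response Task; the first matching rule
// supplies the KB article. A task with no matching rule gets no article.
function attachKbArticle(task) {
  const rule = RUNBOOK_RULES.find((r) => matches(task, r));
  return { ...task, kb_article: rule ? rule.kbArticle : null };
}

// Steps 2-7: the Workflow Trigger selects a workflow for the incident, the workflow
// generates its Response Tasks, and each task passes through the Runbook.
// The Playbook name shown in the UI is taken from the incident's Category field.
function processIncident(incident) {
  const workflow = PLAYBOOK_WORKFLOWS.find((w) => matches(incident, w.trigger));
  if (!workflow) return { playbookName: null, workflow: null, tasks: [] };
  const tasks = workflow.tasks.map((short_description, i) =>
    attachKbArticle({
      number: `SIT${String(i + 1).padStart(7, "0")}`, // constructed task number
      parent: incident.number,
      short_description,
    })
  );
  return { playbookName: incident.category, workflow: workflow.name, tasks };
}

// Demo with a constructed incident record.
const sampleIncident = { number: "SIR0001001", category: "Phishing", short_description: "Suspicious email reported" };
console.log(JSON.stringify(processIncident(sampleIncident), null, 2));
```

Running the demo shows the reuse point from the article: the "Run Malware Scan" task appears in both workflows and picks up the same KB article each time, because the association lives in the Runbook criteria rather than in either workflow. A task no rule covers ("Isolate host from network") is surfaced with `kb_article: null`, which is the case to check for when a Runbook rule's value no longer matches a renamed task.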
https://www.servicenow.com/community/secops-articles/understanding-playbooks-and-the-relationship-of-runbooks/ta-p/2314914