
Types of Playbooks in AirMDR

AirMDR supports three primary types of playbooks. Each serves a distinct purpose and operates under different trigger or scheduling mechanisms.

⚠️ Alert Triage Playbooks

Alert triage playbooks are used to fetch alerts from external systems and/or investigate alerts that have already been saved in AirMDR. There are two primary use cases:
  • Fetching alerts from external sources: These playbooks are typically scheduled to run at regular intervals. For example, every 15 seconds, the playbook might poll an external API for new alerts. These playbooks are configured using SCHEDULES under the Activations tab for the playbook.
  • Investigating saved alerts: These playbooks are triggered when an alert is saved in AirMDR that matches specific criteria, such as a particular product or alert type. You can define these criteria using simple filters or regex-based matching. These playbooks are configured using TRIGGERS under the Activations tab for the playbook.

🕵️ Detection Playbooks (Currently for ASO users only)

Detection playbooks analyze raw log data from various sources to detect suspicious behavior. The log sources can be native sources such as AWS, GCP, or O365, or logs forwarded from SIEMs. These playbooks are typically scheduled to run at regular intervals. They:
  • Use a powerful query engine to process data
  • Can be scheduled to run periodically
  • Can specify:
    • Which log data to pull (e.g., from AWS CloudTrail)
    • The connection to use
    • The time range for the logs
⚠️ Detection playbooks are currently available only to AirMDR users to create threat detections but can be deployed for AirMDR customers.

🔁 Case Automation Playbooks

Case automation playbooks monitor changes to cases within AirMDR and automatically perform actions based on those changes. Examples include:
  • Auto-closing related alerts when a case is marked as resolved.
  • Assigning owners when a case is escalated.
  • Notifying a Slack channel when a case’s severity changes.
These playbooks require a trigger, which is defined by:
  • The case action (e.g., “status changed to Closed”)
  • Optional additional conditions (e.g., only for cases with severity “High”)
Unlike alert triage or detection playbooks, case automation playbooks do not run on a schedule; they are activated by triggers.

Playbook Structure

🏷 Metadata

Each playbook includes:
  • name: Human-readable identifier
  • description: Purpose of the playbook
  • scope
    • Personal: Only the creator has access.
    • Org: Available to all users within the organization and ancestor orgs.
    • Shared: Inherited by descendant orgs of the creator org.
Org playbooks are visible to all users in the org and its ancestors.
Shared playbooks are accessible to all descendant orgs.

🧠 Steps & Automation

  • Steps are written in English and then automated by Darryl, AirMDR’s AI assistant.
  • Steps can contain skills, logic, parameters, runtime inputs, data dependencies, and more.
  • You can view a playbook in several pre-defined formats:
    • Split view (steps vs. automation)
    • Step-by-step execution
    • Manual or AI-assisted refinement
  • Supports if conditions, for loops, and skill chaining.

🚀 Running Playbooks

✅ Manual

You can run playbooks manually from the UI by providing input values and executing all steps at once or one step at a time:
  • Input required runtime values
  • Run all steps together or step-by-step
  • Useful for testing or ad hoc executions

⏱ Automated

To automate playbook execution:
  • Use Schedules for time-based runs (e.g., fetching alerts or logs from an external source)
  • Use Triggers for event-based runs (e.g., alert saved, case updated)
Set Schedules or Triggers under the Activations tab.
The Activations tab allows you to configure either method depending on the playbook type.

Activations by Playbook Type

🔔 Alert Triage Activations

  • Schedule: Periodically fetch alerts.
  • Trigger: Respond to saved alerts based on:
    • Alert Type
    • Product Source
    • Regex match

🧪 Detection Activations

  • Schedule only:
    • Choose log source, connection, and time window.

📌 Case Automation Activations

  • Trigger required:
    • Example: Run when a case is marked Closed.
    • Optional filters based on case properties.

✍️ Creating Playbooks

You can create new Alert Triage playbooks in AirMDR in one of three ways:

1. Auto-Generate with an Alert

  • Choose an alert from AirMDR
  • Darryl will analyze it and generate a playbook to investigate or respond
  • You can modify the steps as needed

2. Start with Plain English

  • Manually write the steps of the playbook in natural language
  • Ask Darryl to automate them all at once or one by one
  • Add logic or refine parameters if needed

3. Auto-Generate with a Prompt

  • Provide a high-level prompt (e.g., “Detect failed logins from AWS and escalate”)
  • Darryl will generate a complete playbook
  • Review and adjust the generated automation
After generation, you can modify or enhance the playbook with manual inputs.
Use @ to reference:
  • Outputs from previous steps
  • Trigger attributes
  • Runtime inputs

⚙️ Automation Internals: How Darryl Works

When you describe a step in English, Darryl:
  1. Interprets your intent
  2. Selects skills to match the described action
  3. Determines logic such as if or for
  4. Resolves necessary inputs and dependencies
  5. Suggests automation, which you can approve or edit
You can also:
  • Manually modify logic
  • Inject additional skills
  • Change parameters
  • Run a step and inspect its output
Darryl learns from user behavior over time but is not infallible. Always verify automation results.

📤 Versioning & Publishing

📝 Draft Mode

  • Every new playbook starts as a Draft, fully editable
  • Once validated, you can publish it (creates Version 1)

🚢 Publishing

  • Publish to create Version 1 (V1).
  • Publishing a playbook makes it eligible for automation:
    • Only published playbooks can be executed via Triggers or Schedules
    • Only published playbooks can be called as sub-playbooks from within other playbooks.

♻️ Updates (Making Changes)

  • Editing a published playbook creates a new Draft (V2).
  • The existing version (e.g., V1) continues to run with its active triggers/schedules until it is replaced.
  • Ensure all activations support any new runtime inputs.
  • When ready, publish again to create a new version (V2, V3, etc.).
After publishing a new version, always review Triggers and Schedules to ensure they support any new runtime parameters.

🧭 Best Practices

  • Always test in Draft before publishing.
  • Use Org or Shared scope for collaboration.
  • Validate steps manually before publishing.
  • Keep playbooks modular and maintainable.
  • Use triggers for responsive workflows, and regularly audit triggers and schedules.
  • Periodically review AI-generated steps and the automation generated by Darryl for accuracy, to avoid errors.
  • Document the playbook’s purpose and logic in the description.

📌 Summary

AirMDR Playbooks provide a secure, flexible, and intelligent automation framework tailored for modern cybersecurity teams. By combining AI-driven logic with natural language input, structured workflows, and clear automation visibility, they simplify response, triage, and detection operations at scale. With robust execution pathways and flexible activation methods, Playbooks empower security teams to operate with greater speed, precision, and control.
For advanced configurations, refer to the full AirMDR documentation or contact your solution engineer.