07 PLAYBOOKS

Ransomware Kill Chain Interrupt
Status: ENABLED
Automatically isolate, contain, and neutralize ransomware attacks at any kill chain stage.
Trigger: Ransomware signature OR canary file encryption detected
Actions:
01 Network isolation of affected host
02 Snapshot all attached volumes
03 Kill malicious processes
04 Deploy canary tokens to adjacent hosts
05 Notify SOC team via Slack
Layers: infra, container, data
97% effective | Triggered 3x | Last: 50m ago

Credential Stuffing Defense
Status: ENABLED
Detect and counter credential stuffing attacks with progressive countermeasures.
Trigger: Failed login rate > 50/min from distributed IPs
Actions:
01 Enable CAPTCHA challenge
02 Apply progressive rate limiting
03 Deploy honeypot credentials
04 Block known proxy/VPN ranges
05 Alert identity team
Layers: identity, app, network
94% effective | Triggered 7x | Last: 1h ago

Container Escape Containment
Status: ENABLED
Rapid response to container escape attempts with reinforced boundaries.
Trigger: Syscall profile violation OR container namespace breach
Actions:
01 Apply emergency seccomp profiles
02 Block kubelet API access
03 Terminate suspicious containers
04 Deploy honeypot containers
05 Trigger node cordon and drain
Layers: container, infra
96% effective | Triggered 2x | Last: 10m ago

Cloud IAM Anomaly Response
Status: ENABLED
Counter unauthorized IAM changes and privilege escalation in cloud environments.
Trigger: IAM policy change outside change window OR PassRole chain detected
Actions:
01 Revert IAM policy changes
02 Deploy shadow IAM policies
03 Rotate affected access keys
04 Lock down admin roles
05 Generate compliance incident report
Layers: cloud, identity
92% effective | Triggered 5x | Last: 2h ago

DNS Exfiltration Intercept
Status: ENABLED
Detect and intercept data exfiltration via DNS channels.
Trigger: DNS query entropy > threshold OR TXT record volume anomaly
Actions:
01 Intercept DNS exfiltration channel
02 Replace real data with fabricated records
03 DNS sinkhole attacker domains
04 Seal outbound data channels
05 Capture attacker DNS infrastructure
Layers: network, data
95% effective | Triggered 1x | Last: 4h ago

Supply Chain Attack Response
Status: ENABLED
Detect and neutralize supply chain compromise in CI/CD pipelines.
Trigger: Unsigned binary in pipeline OR suspicious postinstall script
Actions:
01 Quarantine suspicious package
02 Roll back affected builds
03 Rotate all CI/CD secrets
04 Verify artifact checksums
05 Block pipeline execution
Layers: iaac, app
98% effective | Triggered 1x | Last: 6h ago

Social Engineering Defense
Status: ENABLED
Counter social engineering attacks targeting help desk and IT support.
Trigger: MFA reset for privileged account OR impossible travel detected
Actions:
01 Sandbox anomalous sessions
02 Deploy decoy admin console
03 Block admin actions for affected account
04 Verify identity through out-of-band channel
05 Alert security team
Layers: identity, cloud
91% effective | Triggered 2x | Last: 8h ago

Edge Device Brute Force Shield
Status: ENABLED
Protect IoT and edge devices from mass brute force recruitment.
Trigger: Default credential attempts on edge devices > 10/min
Actions:
01 Block brute force source IPs
02 Push firmware updates
03 Rotate all default credentials
04 Enable network isolation for affected devices
05 Report to threat intelligence
Layers: edge, network
99% effective | Triggered 4x | Last: 10h ago

Data Exfiltration Prevention
Status: ENABLED
Monitor and prevent unauthorized bulk data access and exfiltration.
Trigger: Query volume > 10x baseline OR bulk download from restricted tables
Actions:
01 Replace query results with synthetic data
02 Revoke data access for compromised account
03 Deploy additional data canary tokens
04 Enable enhanced query logging
05 Alert data protection team
Layers: data, cloud, network
93% effective | Triggered 2x | Last: 6h ago

API Abuse Mitigation
Status: ENABLED
Detect and counter API scraping, abuse, and rate limit bypass.
Trigger: Behavioral fingerprint match across distributed IPs
Actions:
01 Apply unified behavioral rate limit
02 Redirect to tarpit endpoint
03 Add fingerprint to blocklist
04 Deploy CAPTCHA challenge
05 Generate abuse report
Layers: app, network
90% effective | Triggered 12x | Last: 7h ago