Runbooks and Playbooks

This section contains operational runbooks, playbook templates, and alert-specific response guides for security operations teams.


What's Here

| Document | Type | Purpose |
|---|---|---|
| Runbook Template | Template | Standard template for creating new investigation runbooks |
| Playbook Template | Template | Standard template for creating SOAR automation playbooks |
| Identity Anomaly Runbook | Runbook | Triage and investigation of identity anomaly alerts |
| Endpoint Malicious Behavior Runbook | Runbook | Triage and investigation of endpoint malicious behavior alerts |
| Cloud Misconfiguration Runbook | Runbook | Response to cloud security misconfiguration findings |
| Data Exfiltration Runbook | Runbook | Investigation of suspected data exfiltration alerts |
| Ransomware Negotiation & Recovery | IR Playbook | Ransomware negotiation strategy, payment decisions, and staged recovery |
| AI/ML Incident Response | IR Playbook | AI-specific incident response for model poisoning, prompt injection, and data compromise |

Runbook vs. Playbook

| | Runbook | Playbook |
|---|---|---|
| Executed by | Human analyst | SOAR automation (with human gates) |
| Format | Step-by-step checklist / decision tree | Automated workflow logic |
| Flexibility | High — analyst uses judgment | Low — follows defined logic |
| Speed | Minutes to hours | Seconds to minutes |
| Audit trail | Ticket notes | Automated playbook log |
| Change control | Nexus SecOps-203 | Nexus SecOps-204 |

Creating New Runbooks

All new runbooks MUST:

  1. Use the Runbook Template
  2. Include MITRE ATT&CK technique mappings
  3. Define triage decision points clearly
  4. Be peer-reviewed by at least one Tier 2 analyst
  5. Be tested against a synthetic or historical incident before production use
  6. Be version-controlled in the team's runbook repository
  7. Be reviewed at least annually or after a significant incident reveals a gap

Version History

| Version | Date | Change Summary | Author |
|---|---|---|---|
| 1.0 | | Initial release, all runbooks | Nexus SecOps Team |

Related: Templates | Labs | Nexus SecOps Controls: AUT Domain