SOAR Playbook Template

Use this template to document SOAR automation playbooks. Per Nexus SecOps-204, all playbooks MUST be documented, peer-reviewed, tested in non-production, and have rollback procedures before deployment.


Playbook Metadata

| Field | Value |
|---|---|
| Playbook ID | PB-[XXX] |
| Title | [Action or scenario name] |
| Version | 1.0 |
| Status | ☐ Draft ☐ Testing ☐ Approved ☐ Retired |
| Trigger | [SIEM alert / manual / scheduled] |
| Owner | [Team] |
| Last Tested | [Date] |
| Approved By | [Name / Role] |
| Rollback Procedure | [Reference or description] |
| Nexus SecOps Control | Nexus SecOps-097, Nexus SecOps-099 |

Purpose

One sentence: [What does this playbook do and why?]

Trigger condition: [Describe exactly what condition triggers this playbook. Be specific enough that no false triggers occur.]

Impact level:
- ☐ Low — Enrichment only; no blocking or disruptive actions
- ☐ Medium — Notification; creates tickets; no blocking
- ☐ High — Blocks access; isolates resources; requires human gate


Pre-Conditions

This playbook requires:
- [ ] [Tool/API/integration name]: Connected and authenticated
- [ ] [Permissions required]: [Service account name/role]
- [ ] [Data required in alert]: [List required fields that must be present for the playbook to run]


Playbook Logic

Stage 1: Input Validation

IF alert.severity NOT IN ["high", "critical"]:
    STOP — severity below threshold
IF alert.host IS NULL:
    STOP — required field missing; create ticket for manual triage
IF alert.user IS NULL:
    LOG warning — user context unavailable, proceeding with host context only

Stage 2: Automated Enrichment

| Action | Tool/API | Output | Error Handling |
|---|---|---|---|
| Lookup host in CMDB | [Tool] | Asset criticality, owner | If not found: tag as "unregistered" |
| Lookup user in AD | [Tool] | Role, manager, groups | If not found: continue with partial context |
| Check IP reputation | [TIP/VirusTotal] | Malicious score, category | If API unavailable: skip, flag for manual |
| Check file hash | [TIP/VirusTotal] | Known malware family | If API unavailable: skip |

Stage 3: Risk Scoring

# Pseudo-code for risk scoring logic
base_score = alert.severity_score  # Critical=10, High=7, Medium=4, Low=1

if asset.criticality == "critical":
    base_score += 3
if user.is_admin:
    base_score += 2
if ip_reputation.malicious:
    base_score += 4
if hash_reputation.known_malware:
    base_score += 5
if alert.correlated_alerts_24h > 2:
    base_score += 2

total_risk = min(base_score, 20)

if total_risk >= 15:
    route_to = "Tier 2 immediate"
elif total_risk >= 10:
    route_to = "Tier 2 standard"
else:
    route_to = "Tier 1 queue"

Stage 4: Human Decision Gate

Nexus SecOps-099 requires human approval for all high-impact actions. This gate CANNOT be bypassed in production.

Gate trigger: If any of the following:
- Planned action is account disable, host isolation, or network block
- Total risk score ≥ 15
- Asset criticality is "critical"

Gate behavior:
1. Playbook PAUSES
2. Human analyst receives notification with: enrichment summary, risk score, proposed action, approve/deny buttons
3. Timeout: 15 minutes (after which: escalate, do NOT auto-approve)
4. Analyst approves → proceed to Stage 5
5. Analyst denies → log denial, close with reason, no action taken

Gate notification format:

[PLAYBOOK APPROVAL REQUIRED]
Playbook: {PLAYBOOK_NAME} (PB-XXX)
Alert: {ALERT_NAME} on {HOST} / {USER}
Risk Score: {SCORE}/20
Proposed Action: {ACTION}
Enrichment: {BRIEF_SUMMARY}

[APPROVE] [DENY] [ESCALATE]
Decision required within 15 minutes.
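The following is an added example, not part of the template: a runnable Python model of Stage 1 (input validation), Stage 3 (risk scoring and routing) and the Stage 4 gate trigger and timeout rule, using the field names from the pseudo-code above. The action names in GATED_ACTIONS and the return labels are assumptions; the dict inputs are constructed so the logic runs offline, and an empty enrichment dict models a CMDB miss or an unavailable TIP API.

```python
# Added example (not part of the template): a runnable model of Stage 1
# (input validation), Stage 3 (risk scoring, routing) and the Stage 4 gate
# trigger/timeout rule. Dicts use the pseudo-code's field names; values are constructed.
from typing import Optional

SEVERITY_SCORE = {"critical": 10, "high": 7, "medium": 4, "low": 1}
GATED_ACTIONS = {"account_disable", "host_isolation", "network_block"}  # assumed names
GATE_TIMEOUT_MINUTES = 15

def validate(alert: dict) -> tuple:
    """Stage 1: returns (decision, note); decision is 'stop', 'ticket' or 'proceed'."""
    if alert.get("severity") not in ("high", "critical"):
        return ("stop", "severity below threshold")
    if alert.get("host") is None:
        return ("ticket", "required field missing; create ticket for manual triage")
    if alert.get("user") is None:
        return ("proceed", "warning: user context unavailable, host context only")
    return ("proceed", "")

def risk_score(alert: dict, asset: dict, user: dict, ip_rep: dict, hash_rep: dict) -> int:
    """Stage 3: additive score capped at 20; missing enrichment (empty dict) adds nothing."""
    score = SEVERITY_SCORE[alert["severity"]]
    score += 3 if asset.get("criticality") == "critical" else 0
    score += 2 if user.get("is_admin") else 0
    score += 4 if ip_rep.get("malicious") else 0
    score += 5 if hash_rep.get("known_malware") else 0
    score += 2 if alert.get("correlated_alerts_24h", 0) > 2 else 0
    return min(score, 20)

def route(total_risk: int) -> str:
    """Stage 3 routing thresholds from the template."""
    return ("Tier 2 immediate" if total_risk >= 15
            else "Tier 2 standard" if total_risk >= 10 else "Tier 1 queue")

def requires_gate(action: str, total_risk: int, asset: dict) -> bool:
    """Stage 4 trigger: any single condition is enough to force the human gate."""
    return (action in GATED_ACTIONS or total_risk >= 15
            or asset.get("criticality") == "critical")

def gate_outcome(analyst_decision: Optional[str], elapsed_minutes: float) -> str:
    """Stage 4 behaviour: a timeout escalates; nothing here ever auto-approves."""
    if analyst_decision == "approve":
        return "proceed"          # continue to Stage 5
    if analyst_decision == "deny":
        return "closed_denied"    # log the denial and reason, take no action
    if elapsed_minutes >= GATE_TIMEOUT_MINUTES:
        return "escalate"
    return "waiting"
```

A high-severity alert with an admin user, a malicious IP, no hash hit and three correlated alerts scores 7 + 2 + 4 + 2 = 15, routes to "Tier 2 immediate" and forces the gate even for a notify-only action.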

Stage 5: Automated Actions (post-approval)

Document each action in sequence:

Action 1: [Action Name]
- Tool/API: [Name]
- API endpoint: [If applicable]
- Parameters: [What values are passed]
- Success condition: [How do we know it worked?]
- Failure handling: [If this step fails, do X]
- Audit log entry: [What is recorded]

Action 2: [Action Name] [Repeat for each action]

Stage 6: Ticket Creation / Case Update

  • [ ] Create incident ticket (if not already exists)
  • [ ] Record: trigger, enrichment results, risk score, analyst decision, actions taken, timestamps
  • [ ] Assign ticket to: [Tier / Queue]
  • [ ] Set SLA timer: [Based on severity]

Stage 7: Notification

| Recipient | Condition | Channel | Template |
|---|---|---|---|
| Tier 1 analyst | All cases | Case queue | Auto-assignment |
| Tier 2 analyst | Risk ≥ 10 | SIEM + Slack | [Template ref] |
| Manager | Risk ≥ 15 | Email + Slack | [Template ref] |
| CISO | Critical asset + high risk | Phone + Email | [Template ref] |

Rollback Procedure

If this playbook produces an incorrect action (false positive containment), reverse with:

| Action Taken | Reversal Action | Who | Time Estimate |
|---|---|---|---|
| Account disabled | Re-enable account in AD | Tier 2 analyst | 2 minutes |
| Host isolated | Remove isolation via EDR | Tier 2 analyst | 1 minute |
| IP blocked at firewall | Remove firewall rule | Network engineer | 10 minutes |

Rollback trigger: The analyst can trigger rollback from the ticket by clicking the [Rollback] button (available for 4 hours post-action).


Testing Requirements

Per Nexus SecOps-100, this playbook MUST be tested before deployment:

| Test Case | Input | Expected Output | Result |
|---|---|---|---|
| True positive alert | [Synthetic TP event] | Enrichment + Gate fires | ☐ Pass ☐ Fail |
| False positive alert | [Known FP event] | Low risk score; T1 queue | ☐ Pass ☐ Fail |
| Missing required field | Alert with null host | Graceful stop; manual ticket | ☐ Pass ☐ Fail |
| API unavailable | [Mock API timeout] | Skip step; continue; flag | ☐ Pass ☐ Fail |
| Gate timeout | No analyst response | Escalate; no auto-action | ☐ Pass ☐ Fail |
| Gate deny | Analyst denies action | No action; reason logged | ☐ Pass ☐ Fail |

Metrics

Track these metrics for continuous improvement:

| Metric | Target | Measurement Method |
|---|---|---|
| Playbook execution time | ≤ 2 minutes (pre-gate) | SOAR platform timing |
| Gate approval rate | N/A (track for tuning) | Gate decision log |
| False positive rate (unnecessary gates) | < 20% | Manual review of denials |
| API error rate | < 5% | SOAR error log |
| Rollback rate | < 5% | Rollback audit log |

Change History

| Version | Date | Change | Author |
|---|---|---|---|
| 1.0 | [Date] | Initial creation | [Author] |

Playbook template v1.0 | Nexus SecOps-097, Nexus SecOps-099 compliant | Peer review required before approval