Anonymous_User Absent Member.

Customer feedback requested: threat response playbooks!

Hi folks,

For the next release of Sentinel, we're embarking on a substantial
re-work of our threat response workflow with the goal of presenting
operators and analysts with exactly the information they need at exactly
the right time. We've spoken informally with many customers who have
some form of playbook or runbook that they follow for
threat/alert/incident response, and we're using what we know about these
procedures as inspiration for our new designs. But that's where *you*
come in: we'd like to collect many more examples of the types of
activities that you engage in during the response to a detected threat,
the types of information you collect, and what you do with that data.

The detail level we're looking for would be something along the lines
of: "Operator: If you see this type of alert appear in the console,
perform the following actions: take ownership of the alert, then collect
information on (a), (b), and (c). If these indicate a problem, then
escalate the alert to an incident and refer the incident to team X. Team
X: If you see an incident like this, collect information on (d), and
(e), then forward to the desktop team..."

We are of course aware that in many cases this type of runbook may not
be formally written down, but if you are familiar with this type of
activity then any experience you have could be useful. The goal is to:

- Guide the response team to help them react to threats quickly and
- Automate, where possible, the collection of additional evidence that
might be useful for analysis
- Build a highly usable, flexible, enjoyable user experience

If any of you out there would be willing to contribute your thoughts and
ideas, we would love to work with you. Please reach out to me directly
at '' (, and we'll start
the conversation.

As always, any other general comments about Sentinel and how much you
love it (but if it would just do this one additional thing!) are most



1 Reply
Anonymous_User Absent Member.

Re: Customer feedback requested: threat response playbooks!


It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your issue been resolved? If not, you might try one of the following options:

- Visit and search the knowledgebase and/or check all
the other support options available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (

Be sure to read the forum FAQ about what to expect in the way of responses:

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your NetIQ Forums Team
