Playbooks overview

This document provides an overview of the playbooks available to you in the Enterprise tier of Security Command Center.

Alerts, cases, and playbooks are powered by Google Security Operations.


In Security Command Center, use playbooks to explore and enrich alerts, obtain more information about findings, get recommendations about excess permissions in your organization, and automate responses to threats, vulnerabilities, and misconfigurations. When you integrate with ticketing systems, playbooks help you focus on relevant posture findings while ensuring the synchronization between cases and tickets.

The Enterprise tier of Security Command Center provides you with the following playbooks:

  • Threat response playbooks:
    • GCP Threat Response
    • AWS Threat Response
  • Posture findings playbooks:
    • Posture Findings - Generic
    • Posture Findings With Jira (disabled by default)
    • Posture Findings With ServiceNow (disabled by default)
  • Playbook for handling the IAM recommendations:
    • IAM Recommender Response (disabled by default)

The playbooks disabled by default are optional and require you to enable them manually in the Security Operations console before using them.

In the Security Operations console, findings become case alerts. Alerts trigger attached playbooks to execute the configured set of actions for retrieving as much information about alerts as possible, remediating the threat, and, depending on the playbook type, provide the required information to create tickets or manage the IAM recommendations.

Threat response playbooks

The GCP Threat Response playbook processes the Google Cloud threat findings. The AWS Threat Response playbook processes the threat findings originating from Amazon Web Services.

You can execute the threat response playbooks to analyze the threat, enrich the finding using different sources, and suggest and apply a remediation response. Threat response playbooks use multiple services like Google SecOps, Security Command Center, Cloud Asset Inventory, and products like VirusTotal and Mandiant Threat Intelligence to help you obtain as much context about the threat as possible. The playbooks help security analysts understand whether the threat in the environment is a true positive or a false positive and what is the optimal response for it.

To ensure that the threat response playbooks provide you with the full information about threats, see Advanced configuration for threat management.

Posture findings playbooks

Use the posture findings playbooks to analyze the multicloud posture findings, enrich them using the Security Command Center and Cloud Asset Inventory, and highlight the received relevant information in the Case Overview tab. The posture findings playbooks ensure that the synchronization for findings and cases works as expected.

By default, only the Posture Findings - Generic playbook is enabled. If you integrate with Jira or ServiceNow, disable the Posture Findings - Generic playbook and enable the one that is relevant for your ticketing system. To learn more about configuring Jira or ServiceNow, see Integrate Security Command Center Enterprise with ticketing systems.

In addition to investigating and enriching posture findings, the Posture Findings With Jira and Posture Findings With ServiceNow playbooks ensure that the resource owner value (email address) stated in a finding is valid and assignable in the respective ticketing system. Optional posture findings playbooks collect information required to create new tickets and update existing tickets when new alerts are ingested into existing cases.

Playbook for handling the IAM recommendations

Use the IAM Recommender Response playbook to automatically address and apply the recommendations suggested by the IAM recommender. This playbook provides no enrichment and doesn't create tickets even when you have integrated with a ticketing system.

For more details about enabling and using the IAM Recommender Response playbook, see Automate IAM recommendations using playbooks.

What's next?

To learn more about playbooks, refer to the following pages in the Google SecOps documentation: