Playbooks
Playbooks are automated response workflows that chain together Sentinel actions. Define them once and trigger them manually via API, or have Sentinel execute them automatically when specific conditions are met.
The playbook object
json
{
"id": "pbk_01hxyz",
"tenant_id": "ten_01hxyz",
"name": "Ransomware containment",
"description": "Isolate affected device, revoke user sessions, block known C2 IPs.",
"trigger": "auto",
"trigger_conditions": {
"incident_type": "ransomware",
"severity": ["critical", "high"]
},
"steps": [
{
"order": 1,
"action": "isolate_device",
"target": "incident.primary_device",
"reason_template": "Ransomware containment playbook — incident {{incident.id}}"
},
{
"order": 2,
"action": "revoke_sessions",
"target": "incident.primary_user",
"reason_template": "Ransomware containment — revoking sessions for {{user.email}}"
},
{
"order": 3,
"action": "notify_analyst",
"params": { "channel": "pagerduty", "priority": "P1" }
}
],
"enabled": true,
"created_by": "usr_01hxyz",
"created_at": "2025-03-01T09:00:00Z"
}Trigger modes
| Name | Type | Required | Description |
|---|---|---|---|
| manual | string | No | Playbook only runs when explicitly triggered via the API or UI. |
| auto | string | No | Sentinel runs the playbook automatically when trigger_conditions match. |
| semi-auto | string | No | Sentinel alerts the analyst and queues the playbook — runs on analyst approval. |
List playbooks
bash
GET /v1/sentinel/playbooks?filter[trigger]=autoCreate a playbook
bash
POST /v1/sentinel/playbooks| Name | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Descriptive name. |
| trigger | string | Yes | manual | auto | semi-auto |
| trigger_conditions | object | No | Conditions that trigger auto/semi-auto execution. Supports incident_type, severity, affected_asset_type. |
| steps | array | Yes | Ordered list of response actions. |
| enabled | boolean | No | Defaults to true. |
Run a playbook manually
bash
POST /v1/sentinel/playbooks/:id/run
{
"incident_id": "inc_01hxyz",
"context": {
"device_id": "dev_01hxyz",
"user_id": "idn_01hxyz"
}
}Returns 202 Accepted with a playbook run object. Steps execute asynchronously — subscribe to the playbook.run.completed webhook event for completion notification.
Tip:Use
context to pass entity IDs that the playbook steps target. Steps with "target": "incident.primary_device" will fall back to context values if the incident doesn't have a primary device set.Built-in playbooks
- Ransomware containment — isolate device, revoke sessions, block known C2 indicators, notify on-call.
- Phishing response — flag email, revoke sessions for affected users, force MFA re-challenge, quarantine mailbox.
- Credential attack — lock account after N failed attempts, force MFA, alert analyst.
- Lateral movement detection — isolate source device, map affected identities, collect forensics.
- Insider threat — capture forensic snapshot, revoke elevated access, begin evidence preservation.