Out-of-the-box template playbooks 🎯

Below are template playbooks that can be deployed and automated in Security Hub right out of the can (#fish joke).
Each of these playbooks can be modified and extended to match the actual security policy or use case you want to tackle.

Emerging, Auth0, Identity

Control user permissions in an Auth0 account

This playbook retrieves organization members along with their permissions. Validate the initial set of permissions, then receive an alert when a permission drifts from that baseline.

Emerging, Datadog, Identity

Monitor Datadog application keys

This playbook retrieves all application keys in an organization along with their scopes. Track new keys and scope changes over time, and receive an alert when either happens.

Emerging, Notion, Identity

Monitor Notion bots

This playbook lists all users in your Notion workspace, bots and humans. Filter on bot users and monitor which bots have access to your workspace over time.

Emerging, Auth0, Identity

Monitor Auth0 log streams

This playbook retrieves the status of all log streams in Auth0. Verify over time that no stream has stopped, since a stopped stream creates a visibility gap.

Emerging, Algolia, Identity

Monitor Algolia keys

This playbook lists all API keys in an Algolia account. Monitor each key's creation date and the permissions tied to it to detect drift and potential risk.

Emerging, AWS CloudTrail, Identity

Correlate CloudTrail logs with HR

This playbook retrieves all login events in an AWS account. Correlate them with your HR system to identify users who log in during their time off.

Emerging, AWS EC2, Compute

Unknown EC2 instance started

This playbook lists all EC2 instances in a given AWS account. During initial setup, allowlist the instance names and IDs you expect, then schedule the playbook to verify that no other instance is created or started over time.

Emerging, Airtable, Identity

Monitor Airtable users and permissions

This playbook lists all collaborators in a given workspace along with their permission levels.

Emerging, GitLab, Vulnerability

Monitor GitLab vulnerabilities

This playbook retrieves the vulnerabilities reported for a given GitLab project. Filter on specific severity levels to prioritize remediation, and monitor for new vulnerabilities.

Emerging, Datadog, Identity

Monitor Datadog users

This playbook retrieves all users in an organization along with their roles. Encode your security policy and run the playbook on a schedule to detect misconfigurations over time.

Nascent, Auth0, Identity

Control users with access to an Auth0 account

This playbook retrieves the members of an Auth0 organization.

Emerging, Confluence, Identity

Monitor Confluence users

This playbook retrieves user information from a Confluence tenant. Focus on the list of users and track how it changes over time to detect new access.

Mature, Google Workspace, Identity

Control wide OAuth permissions in Google Workspace

This playbook lists all user logins and OAuth grants. Validate that no unapproved application has been granted wide-scope permissions.

Mature, Google Workspace, Identity

Monitor Google Workspace login IPs

This playbook retrieves all login events for a given Google Workspace account. Either keep a known list of IPs associated with each user, or enrich the IPs with geolocation data to monitor for risky authentications.

Mature, Cloudflare, Networking

Explore Cloudflare account audit logs

This playbook retrieves audit logs from Cloudflare, giving you insight into every action taken on the account.

Emerging, Notion, Identity

Monitor Notion users in a workspace

This playbook lists all users in your Notion workspace. Either correlate the list with your identity provider, or keep a list of known users and receive an alert when a new user appears.

Emerging, AWS Config, Audit

Monitor results from AWS Config

This playbook retrieves the results of an AWS Config evaluation. Prioritize remediation and mark justified exceptions so that only new findings are surfaced over time.

Emerging, Google Workspace, Identity

Use Google Workspace OAuth to identify shadow applications

This playbook lists every application to which members of your Google Workspace have authenticated with their corporate account via OAuth. Keep a list of known applications and receive an alert when a new one appears.

Mature, Google Workspace, Identity

Monitor Google Workspace admin activities

This playbook retrieves admin activity in your Workspace account, giving you visibility into administrative actions over time.

Mature, Datadog, Audit

Explore Datadog audit logs

This playbook retrieves audit logs over a specific time window, allowing you to explore them and look for specific behaviors.

Nascent, AWS S3, Storage

S3 buckets with open permissions

This playbook lists all S3 buckets in a given AWS account along with their permissions. Encode your security policy and receive an alert when a misconfiguration occurs.

Nascent, AWS Security Group, Networking

Detect

This playbook lists all security groups in a given AWS account with their configuration. Filter on security groups whose name starts with “launch-wizard” (the name the EC2 console assigns to groups it creates on the fly) and get an alert when one is created.

Mature, Algolia, Application

Investigate Algolia query logs

This playbook retrieves the logs of the latest search and indexing operations (by default the last 1,000 API calls). This helps with real-time debugging of your application.

Nascent, CSV, Application

Read a CSV

This is not a playbook; or rather, it is one where you tell your own story.

Mature, Google Workspace, Identity

Control Google Workspace logins and holidays

This playbook retrieves all login events for a given Google Workspace account. Enrich each login event with your HR data to check whether the user is logging in during their time off.
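The correlation behind this playbook and the CloudTrail one above ("Correlate CloudTrail logs with HR") is the same join: a login event against the user's leave window. The example below is added here and is not Trout Software code; the login events and the HR export are constructed, and the HR record carries a fixed UTC offset as a simplification (a real feed would carry an IANA zone name, which you would resolve with zoneinfo). The point it shows that the description does not: leave is recorded in whole local days, so the login timestamp must be converted to the employee's local day before comparing, or logins late on the evening before leave get flagged and logins just after midnight local time get missed.

```python
"""Correlate login events with HR time-off records to flag logins during leave."""
from datetime import datetime, date, timedelta, timezone

# Constructed login events (CloudTrail ConsoleLogin or Google Workspace login audit
# entries would be mapped into this minimal shape); timestamps are UTC.
LOGIN_EVENTS = [
    {"user": "Alice@example.com", "time": "2024-03-15T02:30:00Z", "ip": "198.51.100.7"},
    {"user": "alice@example.com", "time": "2024-03-16T15:00:00Z", "ip": "198.51.100.7"},
    {"user": "bob@example.com",   "time": "2024-03-16T09:00:00Z", "ip": "203.0.113.9"},
    {"user": "carol@example.com", "time": "2024-03-12T22:30:00Z", "ip": "192.0.2.44"},
    {"user": "carol@example.com", "time": "2024-03-12T23:30:00Z", "ip": "192.0.2.44"},
]

# Constructed HR export: leave is recorded as whole days in the employee's local time.
# The fixed offset is a simplification; a real feed would carry an IANA zone (use zoneinfo).
TIME_OFF = [
    {"user": "alice@example.com", "start": "2024-03-15", "end": "2024-03-18", "utc_offset_min": -420},
    {"user": "carol@example.com", "start": "2024-03-10", "end": "2024-03-12", "utc_offset_min": 60},
]


def parse_utc(ts):
    """ISO-8601 with a trailing Z; fromisoformat only accepts a literal 'Z' from Python 3.11 on."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def index_time_off(records):
    """user -> list of (first_day, last_day, tzinfo); emails lower-cased so HR and IdP spellings match."""
    index = {}
    for rec in records:
        entry = (date.fromisoformat(rec["start"]), date.fromisoformat(rec["end"]),
                 timezone(timedelta(minutes=rec["utc_offset_min"])))
        index.setdefault(rec["user"].lower(), []).append(entry)
    return index


def logins_during_time_off(events, time_off):
    """Return one finding per login whose local calendar day falls inside a leave period."""
    index = index_time_off(time_off)
    findings = []
    for ev in events:
        user = ev["user"].lower()
        for first_day, last_day, tz in index.get(user, []):
            # Compare on the employee's local day: 02:30Z on the 15th is still the 14th at UTC-7.
            local_day = parse_utc(ev["time"]).astimezone(tz).date()
            if first_day <= local_day <= last_day:
                findings.append({"user": user, "time": ev["time"], "ip": ev["ip"],
                                 "local_day": local_day.isoformat(),
                                 "leave": f"{first_day} to {last_day}"})
                break
    return findings


if __name__ == "__main__":
    for f in logins_during_time_off(LOGIN_EVENTS, TIME_OFF):
        print(f"ALERT {f['user']} logged in from {f['ip']} on {f['local_day']} (on leave {f['leave']})")
```

On the constructed data only two of the five logins are flagged: Alice's 02:30Z login on the 15th is the evening of the 14th in her zone, and Carol's 23:30Z login on the 12th is already the 13th in hers. Email addresses are lower-cased on both sides because HR exports and identity providers rarely agree on case.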

Nascent, AWS S3, Storage

New S3 bucket created

This playbook lists all S3 buckets in a given AWS account. Keep a list of known buckets and use the scheduler to be notified when a new bucket is created.
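Most of the "monitor X over time" playbooks above (Auth0 permissions, Datadog application keys, Algolia keys, Notion users, the EC2 allowlist, and this S3 one) reduce to the same mechanism: snapshot the inventory once, approve it as a baseline, and diff every later run against it. The example below is added here and is not Trout Software code; it is a generic baseline diff with constructed application keys and instance IDs as input. Two details matter in practice and are handled: list-valued fields such as scopes are compared order-insensitively so a reordered list is not reported as drift, and a `watch=[]` mode turns the diff into a pure allowlist check for the EC2 and S3 cases, where only new keys matter and the fields on the record are irrelevant.

```python
"""Baseline-and-diff drift detection for inventories of keys, users or cloud resources."""
import json


def index_by(records, key):
    """Map each record's `key` value to the record; a duplicate key raises rather than silently hiding a record."""
    indexed = {}
    for record in records:
        k = record[key]
        if k in indexed:
            raise ValueError(f"duplicate {key}: {k}")
        indexed[k] = record
    return indexed


def normalize(value):
    """Compare list-valued fields (scopes, roles) regardless of order."""
    if isinstance(value, list):
        return sorted(json.dumps(item, sort_keys=True) for item in value)
    return value


def diff_inventory(baseline, current, key="id", watch=None):
    """Compare two snapshots keyed on `key`.

    Returns {"added": [keys], "removed": [keys], "changed": [{key, field, old, new}]}.
    `watch` limits the fields compared on records present in both snapshots;
    watch=[] makes this a pure allowlist check where only added/removed matter.
    """
    base, cur = index_by(baseline, key), index_by(current, key)
    report = {
        "added": sorted(cur.keys() - base.keys()),
        "removed": sorted(base.keys() - cur.keys()),
        "changed": [],
    }
    for k in sorted(base.keys() & cur.keys()):
        fields = sorted(set(base[k]) | set(cur[k])) if watch is None else watch
        for field in fields:
            if field == key:
                continue
            old, new = base[k].get(field), cur[k].get(field)
            if normalize(old) != normalize(new):
                report["changed"].append({key: k, "field": field, "old": old, "new": new})
    return report


def has_drift(report):
    return any(report.values())


# Constructed snapshots of application keys (ids, names and scopes are made up).
BASELINE_KEYS = [
    {"id": "key-01", "name": "ci-deploy", "scopes": ["dashboards_read", "monitors_read"]},
    {"id": "key-02", "name": "legacy-export", "scopes": ["logs_read"]},
    {"id": "key-03", "name": "oncall-bot", "scopes": ["monitors_read"]},
]
CURRENT_KEYS = [
    {"id": "key-01", "name": "ci-deploy", "scopes": ["monitors_read", "dashboards_read"]},  # reordered only
    {"id": "key-03", "name": "oncall-bot", "scopes": ["monitors_read", "monitors_write"]},   # scope widened
    {"id": "key-04", "name": "unknown-key", "scopes": ["logs_read"]},                          # new key
]

# Allowlist mode: expected EC2 instance IDs versus what is actually running (constructed IDs).
ALLOWLISTED_INSTANCES = ["i-0123456789abcdef0", "i-0fedcba9876543210"]
RUNNING_INSTANCES = [
    {"InstanceId": "i-0123456789abcdef0", "Name": "web-1", "State": "running"},
    {"InstanceId": "i-0aaaaaaaaaaaaaaaa", "Name": "not-in-allowlist", "State": "running"},
]


def unexpected_instances(allowlist, instances):
    """Instance IDs present in the account but absent from the approved list."""
    baseline = [{"InstanceId": i} for i in allowlist]
    return diff_inventory(baseline, instances, key="InstanceId", watch=[])["added"]


if __name__ == "__main__":
    print(json.dumps(diff_inventory(BASELINE_KEYS, CURRENT_KEYS), indent=2))
    print("unexpected instances:", unexpected_instances(ALLOWLISTED_INSTANCES, RUNNING_INSTANCES))
```

On the constructed keys the report lists `key-04` as added, `key-02` as removed, and one change (the widened scopes on `key-03`); the reordered scopes on `key-01` are not drift. Removed entries are worth alerting on too: a deleted application key or log stream is as much a change in your security posture as a new one, and the EC2 helper deliberately ignores that half of the report because a stopped allowlisted instance is not what that playbook is after.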

Mature, Google Workspace, Identity

Control data exfiltration from Google Workspace

This playbook lists all export events in your Google Workspace account. Filtering on “export” events lets you detect data exports, which you can then monitor.

Mature, Cloudflare, Networking

Explore Cloudflare user audit logs

This playbook retrieves Cloudflare audit logs for a specific user, giving you insight into that user's behavior.

Nascent, AWS Security Group, Networking

No AWS security group exposing port 22 to the world

This playbook lists all security groups in a given AWS account with their configuration. Schedule it to check whether any security group accepts inbound SSH connections (port 22) from anywhere (0.0.0.0/0 or ::/0).

...

Book a demo and try Trout Software
