Out-of-the-box template playbooks 🎯
Below are template playbooks that can be deployed and
automated in Security Hub right out of the can (#fish joke).
Each of these playbooks can be modified,
extended, and matched to the actual security policy or use case you want to tackle.
Emerging , Auth0 , Identity
Control user permissions in an Auth0 account
This playbook retrieves organization members as well as their permissions. Validate the initial permissions and receive an alert when a permission drifts.
Emerging , Datadog , Identity
Monitor Datadog application keys
This playbook retrieves all application keys available in an organization as well as their scopes. Watch over time for new keys and for scope changes, and receive an alert when they happen.
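The Auth0 permission playbook above and the Datadog application-key playbook share one mechanism: take a snapshot, compare it with the previous one, and alert on what was added, removed or changed. The same mechanism drives the later inventory playbooks on this page (Notion bots and users, Algolia keys, Airtable collaborators, Confluence users, new S3 buckets, unknown EC2 instances). The following is an added example of that comparison written for this page; it is not Security Hub code and not an Auth0 or Datadog API client. The two member snapshots are constructed, and the field names (user_id, email, roles) are assumptions that stand in for whatever the real API returns.

```python
import json
from typing import Any

# Constructed sample data (not real Auth0 or Datadog output): two snapshots of
# an organization's members with their roles, as two scheduled runs would see them.
BASELINE_MEMBERS = [
    {"user_id": "auth0|u1", "email": "alice@example.com", "roles": ["admin"]},
    {"user_id": "auth0|u2", "email": "bob@example.com", "roles": ["viewer"]},
]
CURRENT_MEMBERS = [
    {"user_id": "auth0|u1", "email": "alice@example.com", "roles": ["admin"]},
    # bob was granted admin since the baseline was taken
    {"user_id": "auth0|u2", "email": "bob@example.com", "roles": ["viewer", "admin"]},
    # a member nobody approved
    {"user_id": "auth0|u3", "email": "mallory@example.com", "roles": ["viewer"]},
]


def _canonical(value: Any) -> Any:
    """Sort list-valued fields (roles, scopes) so that a reordering returned by
    the API is not reported as drift; dicts are canonicalized recursively."""
    if isinstance(value, dict):
        return {k: _canonical(v) for k, v in value.items()}
    if isinstance(value, list):
        return sorted((_canonical(v) for v in value),
                      key=lambda v: json.dumps(v, sort_keys=True))
    return value


def diff_inventory(baseline, current, key, watch_fields=None):
    """Compare two snapshots keyed on a stable identifier (user_id, key id),
    never on a display name, which the owner can change at will.

    Returns added and removed identifiers plus (id, field, old, new) tuples for
    every field whose value changed. watch_fields limits change detection to
    the attributes you care about (e.g. ["roles"] or ["scopes"])."""
    base = {r[key]: _canonical(r) for r in baseline}
    cur = {r[key]: _canonical(r) for r in current}
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed = []
    for ident in sorted(set(base) & set(cur)):
        fields = watch_fields or sorted(set(base[ident]) | set(cur[ident]))
        for field in fields:
            old, new = base[ident].get(field), cur[ident].get(field)
            if old != new:
                changed.append((ident, field, old, new))
    return {"added": added, "removed": removed, "changed": changed}


def drift_alerts(diff, label):
    """Render a diff as alert lines. Removals are reported too: a key or
    member that disappears can be an attacker covering tracks, or a
    decommissioning nobody told you about."""
    lines = [f"{label}: new entry {i}" for i in diff["added"]]
    lines += [f"{label}: entry removed {i}" for i in diff["removed"]]
    lines += [f"{label}: {i} {f} changed {old!r} -> {new!r}"
              for i, f, old, new in diff["changed"]]
    return lines


if __name__ == "__main__":
    diff = diff_inventory(BASELINE_MEMBERS, CURRENT_MEMBERS, "user_id")
    for line in drift_alerts(diff, "auth0-members"):
        print(line)
```

Persist the canonicalized snapshot after each run and feed it back as the next baseline; for the Datadog key playbook, call diff_inventory on the key list with key="id" and watch_fields=["scopes"] so that a rotated description does not page anyone but a widened scope does.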
Emerging , Notion , Identity
Monitor Notion bots
This playbook lists all the users in your Notion workspace, bots and humans. Create a filter on bot users and monitor which bots have access to your workspace over time.
Emerging , Auth0 , Identity
Monitor Auth0 log streams
This playbook retrieves the status of all log streams in Auth0. Ensure over time that no stream stops, which would create a visibility gap.
Emerging , Algolia , Identity
Monitor Algolia keys
This playbook lists all keys in an Algolia account. You can then monitor the creation date as well as the permissions tied to each key to detect drift and potential risks.
Emerging , AWS Cloudtrail , Identity
Correlate CloudTrail logs with HR
This playbook retrieves all login events in an AWS account. Correlate this information with an HR system to identify when a user logs in during their time off.
Emerging , AWS EC2 , Compute
Unknown EC2 instance started
This playbook lists all EC2 instances in a given AWS account. In your initial setup, you can whitelist a set of instance names and IDs, then schedule this playbook to validate that no other instances are created or started over time.
Emerging , Airtable , Identity
Monitor Airtable users and permissions
This playbook lists all collaborators in a given workspace, as well as their permission levels.
Emerging , Gitlab , Vulnerability
Monitor Gitlab vulnerabilities
This playbook retrieves the vulnerabilities reported for a given project in Gitlab. Filter on specific risk levels to prioritize remediation and monitor for new vulnerabilities.
Emerging , Datadog , Identity
Monitor Datadog users
This playbook retrieves all users within an organization as well as their roles. Specify your security policy and automate the check over time to detect potential misconfigurations.
Nascent , Auth0 , Identity
Control users with access to an Auth0 account
This playbook retrieves organization members.
Emerging , Confluence , Identity
Monitor Confluence users
This playbook retrieves information from a Confluence tenant. Focus on the list of users and monitor its evolution over time to detect new access.
Mature , Google Workspace , Identity
Control Google Workspace OAuth wide permissions
This playbook lists all user logins as well as OAuth grants. Validate that no unapproved application is accessing wide-scope permissions.
Mature , Google Workspace , Identity
Monitor Google Workspace login IPs
This playbook retrieves all login events for a given Google Workspace account. Either keep a known list of IPs associated with each user, or enrich the IPs with geo-information to monitor for risky authentications.
Mature , Cloudflare , Networking
Explore Cloudflare account audit logs
This playbook retrieves audit logs from Cloudflare, giving you insight into all actions done on the service.
Emerging , Notion , Identity
Monitor Notion users in workspace
This playbook lists all the users in your Notion workspace. Either correlate the list of users with your identity provider, or create a list of known users and receive an alert when a new user appears.
Emerging , AWS Config , Audit
Monitor results from AWS Config
This playbook retrieves the results of an audit done in AWS Config. Prioritize remediation and mark justified exceptions so that only new risks are surfaced over time.
Emerging , Google Workspace , Identity
Use Google Workspace OAuth to identify shadow applications
This playbook lists all applications to which members of your Google Workspace have authenticated with their corporate account via OAuth. Create a list of known applications and receive an alert when a new application is added.
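The two Google Workspace OAuth playbooks on this page (wide-scope permissions above, and shadow applications here) reduce to one review over the same grant data: is the client approved, and does it hold more than it was approved for. Below is an added example of that review, written for this page rather than taken from Security Hub or from Google's own tooling. The grant records are constructed and their flat shape (user, client_id, app_name, scopes) is an assumption; the approved-application allowlist is hypothetical. The scope strings themselves are real Google OAuth scopes.

```python
# Real Google OAuth scopes that grant broad read or write over mail, files or
# the user directory. Extend to match your own risk appetite.
WIDE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Hypothetical allowlist: approved apps keyed by OAuth client_id with the
# scopes security signed off on. Key on client_id, not app_name: the name is
# chosen by the app developer and can impersonate a well-known product.
APPROVED_APPS = {
    "1234567890.apps.googleusercontent.com": {
        "name": "Slack",
        "scopes": {"openid", "email", "profile",
                   "https://www.googleapis.com/auth/calendar.readonly"},
    },
}

# Constructed grant records (not real Workspace audit output): one row per
# user/application authorization, flattened from your token audit source.
GRANTS = [
    {"user": "alice@example.com", "client_id": "1234567890.apps.googleusercontent.com",
     "app_name": "Slack", "scopes": ["openid", "email", "profile"]},
    {"user": "bob@example.com", "client_id": "1234567890.apps.googleusercontent.com",
     "app_name": "Slack", "scopes": ["openid", "https://www.googleapis.com/auth/drive"]},
    # same display name, different client: a look-alike app
    {"user": "carol@example.com", "client_id": "9999999999.apps.googleusercontent.com",
     "app_name": "Slack", "scopes": ["email", "https://mail.google.com/"]},
    {"user": "dave@example.com", "client_id": "5555555555.apps.googleusercontent.com",
     "app_name": "PDF Converter", "scopes": ["openid", "email"]},
]


def review_grants(grants, approved=APPROVED_APPS, wide=WIDE_SCOPES):
    """Flag shadow applications (client_id not approved) and approved apps
    holding scopes beyond their approval; any wide scope raises severity."""
    findings = []
    for g in grants:
        scopes = set(g["scopes"])
        app = approved.get(g["client_id"])
        if app is None:
            findings.append({
                "user": g["user"], "client_id": g["client_id"], "app_name": g["app_name"],
                "reason": "unapproved application",
                "wide_scopes": sorted(scopes & wide),
                "severity": "high" if scopes & wide else "medium",
            })
            continue
        extra = scopes - app["scopes"]
        if extra:
            findings.append({
                "user": g["user"], "client_id": g["client_id"], "app_name": g["app_name"],
                "reason": "scopes beyond approval",
                "wide_scopes": sorted(extra & wide),
                "severity": "high" if extra & wide else "low",
            })
    return findings


def new_applications(grants, approved=APPROVED_APPS):
    """Distinct unapproved client_ids: the shadow-application inventory to
    diff against the previous run."""
    return sorted({g["client_id"] for g in grants if g["client_id"] not in approved})


if __name__ == "__main__":
    for f in review_grants(GRANTS):
        print(f["severity"], f["user"], f["app_name"], f["reason"], f["wide_scopes"])
```

Note that carol's grant is reported even though the app calls itself Slack: the allowlist decision is made on client_id only. Bob's grant to the real Slack client is still high severity because the drive scope was never approved for that client.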
Mature , Google Workspace , Identity
Monitor Google Workspace admin activities
This playbook retrieves admin activities in your workspace account, giving you visibility into administrator actions over time.
Mature , Datadog , Audit
Explore Datadog audit logs
This playbook retrieves audit logs over a specific period of time, allowing you to explore them and look for specific behaviors.
Nascent , AWS S3 , Storage
S3 buckets with open permissions
This playbook lists all S3 buckets and their respective permissions in a given AWS account. Specify your security policy and receive an alert when a misconfiguration occurs.
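"Open permissions" on a bucket come from two places, the ACL and the bucket policy, and both are neutralized by the bucket's Public Access Block settings, so a check has to read all three before alerting. The code below is an added example of that policy written for this page; it is not Security Hub code. The bucket inventory is constructed, shaped after the GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock responses, and the grouping of those three responses under one dict per bucket is an assumption. Two simplifications are deliberate and labelled: the account-level Public Access Block is not consulted (fetch it separately and treat it as overriding), and an anonymous Allow statement that carries a Condition is surfaced for review rather than evaluated.

```python
# The two ACL grantee groups that mean "anyone on the internet" and
# "anyone with any AWS account"; both count as public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed bucket inventory (not from a real account).
BUCKETS = [
    {"Name": "public-assets",
     "Acl": {"Grants": [{"Grantee": {"Type": "Group",
                                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                         "Permission": "READ"}]},
     "Policy": None, "PublicAccessBlock": None},
    {"Name": "shared-logs",  # public policy, but Public Access Block neutralizes it
     "Acl": {"Grants": []},
     "Policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::shared-logs/*"}]},
     "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                           "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    {"Name": "backups",  # Statement as a single dict, as S3 also allows
     "Acl": {"Grants": []},
     "Policy": {"Version": "2012-10-17", "Statement":
         {"Effect": "Allow", "Principal": {"AWS": "*"},
          "Action": ["s3:GetObject", "s3:ListBucket"],
          "Resource": ["arn:aws:s3:::backups", "arn:aws:s3:::backups/*"]}},
     "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
    {"Name": "internal",  # anonymous principal but scoped to a VPC endpoint
     "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "abc123"},
                         "Permission": "FULL_CONTROL"}]},
     "Policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::internal/*",
          "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123"}}}]},
     "PublicAccessBlock": None},
]


def acl_public_grants(acl):
    """(group, permission) for every grant to AllUsers or AuthenticatedUsers."""
    out = []
    for g in (acl or {}).get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], g["Permission"]))
    return out


def _anonymous_principal(p):
    if p == "*":
        return True
    if isinstance(p, dict):
        aws = p.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_anonymous_statements(policy):
    """Allow statements with an anonymous Principal, as (statement, has_condition)."""
    if not policy:
        return []
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    return [(s, bool(s.get("Condition"))) for s in stmts
            if s.get("Effect") == "Allow" and _anonymous_principal(s.get("Principal"))]


def assess_bucket(bucket):
    """(severity, reason) findings for one bucket, honouring its Public Access Block."""
    pab = bucket.get("PublicAccessBlock") or {}
    findings = []
    for group, perm in acl_public_grants(bucket.get("Acl")):
        if pab.get("IgnorePublicAcls"):
            continue  # the ACL is still there, but S3 no longer honours it
        findings.append(("high", f"ACL grants {perm} to {group}"))
    for stmt, conditional in policy_anonymous_statements(bucket.get("Policy")):
        if pab.get("RestrictPublicBuckets"):
            continue  # public policy access is restricted at the bucket level
        if conditional:
            findings.append(("info", "bucket policy allows anonymous principal scoped by Condition; review"))
        else:
            findings.append(("high", "bucket policy allows anonymous principal without Condition"))
    return findings


def scan_buckets(buckets):
    return {b["Name"]: assess_bucket(b) for b in buckets}
```

Keep the "info" findings visible even if you do not page on them: a Condition on aws:SourceVpce or aws:SourceIp is the usual way a bucket is made reachable from exactly one network, and a too-wide value there is the misconfiguration that a pure Principal check never sees.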
Nascent , AWS Security Group , Networking
Detect security groups created by launch-wizard
This playbook lists all security groups in a given AWS account, with their configuration. You can filter on security groups whose name contains “launch-wizard” and get an alert when one is created.
Mature , Algolia , Application
Investigate Algolia query logs
This playbook retrieves the logs of the latest search and indexing operations (by default the last 1,000 API calls). This helps with real-time debugging of your application.
Nascent , CSV , Application
Read a CSV
This is not a playbook, or well, it is one where you tell your own story.
Mature , Google Workspace , Identity
Control Google Workspace logins and holidays
This playbook retrieves all login events for a given Google Workspace account. Enrich the login events with your HR data to validate whether a user is attempting to log in during their time off.
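The CloudTrail/HR playbook earlier on this page and the Google Workspace/holidays playbook above are the same correlation with a different login source. The following is an added example of that correlation written for this page (not Security Hub code), run over constructed CloudTrail ConsoleLogin records, which use CloudTrail's real field names, and a constructed HR export whose shape (user, inclusive start and end dates, UTC offset) is an assumption. The one thing worth getting right here is the calendar: CloudTrail and Workspace timestamps are UTC, while HR leave dates are local calendar days, so the event is converted into the employee's local date before it is compared, otherwise an evening login the day before leave starts is a false positive.

```python
from datetime import date, datetime, timedelta, timezone

# Constructed CloudTrail records (not from a real account), trimmed to the
# fields this check reads. eventTime is always UTC in CloudTrail.
CLOUDTRAIL_EVENTS = [
    {"eventName": "ConsoleLogin", "eventTime": "2024-03-12T09:15:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"}},
    # 02:00 UTC on the 16th is still the evening of the 15th in UTC-7: not leave yet
    {"eventName": "ConsoleLogin", "eventTime": "2024-03-16T02:00:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-03-17T15:00:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "192.0.2.44", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-03-18T10:00:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "192.0.2.44", "responseElements": {"ConsoleLogin": "Failure"}},
    # not a login event; must be ignored
    {"eventName": "DescribeInstances", "eventTime": "2024-03-17T15:05:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "192.0.2.44"},
]

# Constructed HR export (hypothetical shape): inclusive leave dates plus the
# employee's UTC offset, because HR dates are local calendar days.
TIME_OFF = [
    {"user": "bob", "start": "2024-03-16", "end": "2024-03-20", "utc_offset_hours": -7},
    {"user": "alice", "start": "2024-03-18", "end": "2024-03-19", "utc_offset_hours": 1},
]


def _event_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def logins_during_time_off(events, time_off, include_failures=False):
    """Login events that fall on a day the user is recorded as being on leave.

    Failed attempts are excluded by default (the playbook is about a user who
    logs in); pass include_failures=True to also see attempts against an
    absent user's credentials."""
    leave = {}
    for t in time_off:
        tz = timezone(timedelta(hours=t["utc_offset_hours"]))
        leave.setdefault(t["user"], []).append(
            (date.fromisoformat(t["start"]), date.fromisoformat(t["end"]), tz))

    findings = []
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        outcome = e.get("responseElements", {}).get("ConsoleLogin")
        if outcome != "Success" and not include_failures:
            continue
        user = e.get("userIdentity", {}).get("userName")
        ts = _event_time(e["eventTime"])
        for start, end, tz in leave.get(user, []):
            local_day = ts.astimezone(tz).date()
            if start <= local_day <= end:
                findings.append({
                    "user": user, "event_time_utc": e["eventTime"],
                    "local_date": local_day.isoformat(),
                    "source_ip": e.get("sourceIPAddress"), "outcome": outcome,
                })
    return findings


if __name__ == "__main__":
    for f in logins_during_time_off(CLOUDTRAIL_EVENTS, TIME_OFF, include_failures=True):
        print(f)
```

For Google Workspace, feed the same function login records mapped to the same keys (eventName "ConsoleLogin" stands in for a successful login event) and the offset from the user's directory time zone. A real HR feed also needs the user identifiers reconciled: CloudTrail userName and the HR employee record rarely share a key, so map both to a corporate e-mail first.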
Nascent , AWS S3 , Storage
New S3 bucket created
This playbook lists all S3 buckets in a given AWS account. Create a list of known buckets, and use the scheduler to receive a notification when a new bucket is created.
Mature , Google Workspace , Identity
Control data exfiltration from Google Workspace
This playbook lists all export events in your Google Workspace account. Filtering on “export” events allows you to detect data exports, which you can then monitor.
Mature , Cloudflare , Networking
Explore Cloudflare user audit logs
This playbook retrieves audit logs from Cloudflare for a specific user, giving you insight into their behavior.
Nascent , AWS Security Group , Networking
No AWS security group exposing port 22 to the world
This playbook lists all security groups in a given AWS account, with their configuration. You can schedule this playbook to validate whether any security group accepts incoming SSH connections (on port 22) from anywhere.
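Both security-group playbooks on this page (the launch-wizard filter earlier and the port 22 check above) walk the same DescribeSecurityGroups output. The block below is an added example of those two checks written for this page, not Security Hub code. The groups are constructed but follow the real EC2 API shape (IpPermissions, IpProtocol, FromPort/ToPort, IpRanges, Ipv6Ranges). Three details that a naive "FromPort == 22 and CidrIp == 0.0.0.0/0" check misses are handled: a rule whose port range merely covers 22, an IpProtocol of -1 (all traffic, with no port fields at all), and the IPv6 equivalent ::/0. Rules that reference prefix lists or other security groups are out of scope here and are not inspected.

```python
import ipaddress

# Constructed sample in the shape of EC2 DescribeSecurityGroups output
# (not from a real account).
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "launch-wizard-1",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0b2", "GroupName": "bastion",  # SSH, but from one office range
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0c3", "GroupName": "legacy-all-traffic",
     # IpProtocol -1 means every protocol and port; FromPort/ToPort are absent
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0d4", "GroupName": "ftp-range",  # 20-25 covers 22
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0e5", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def _covers_port(perm, port, proto_names=("tcp", "6")):
    """True if this inbound rule admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True  # all protocols, all ports
    if proto not in proto_names:
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return lo <= port <= hi


def _world_cidrs(perm):
    """Source ranges in this rule that mean 'anywhere' (a /0, v4 or v6)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def ssh_open_to_world(groups, port=22):
    """One finding per (group, rule, world CIDR) that exposes `port` to anyone."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _covers_port(perm, port):
                continue
            for cidr in _world_cidrs(perm):
                findings.append({"group_id": sg["GroupId"], "group_name": sg["GroupName"],
                                 "protocol": perm.get("IpProtocol"), "cidr": cidr})
    return findings


def launch_wizard_groups(groups):
    """Groups created by the EC2 console's launch wizard, which names them
    launch-wizard-N and typically opens SSH from 0.0.0.0/0."""
    return [sg["GroupId"] for sg in groups if "launch-wizard" in sg.get("GroupName", "")]


if __name__ == "__main__":
    for f in ssh_open_to_world(SECURITY_GROUPS):
        print("port 22 open to world:", f)
    print("launch-wizard groups:", launch_wizard_groups(SECURITY_GROUPS))
```

The port parameter makes the same walk reusable for 3389, 5432 or any other service the policy names, and an unattached group still counts: it is a misconfiguration waiting for an instance, and the drift playbooks on this page will tell you when one appears.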