Digital Guardian Demo Playbook

This playbook will show how to handle an exfiltration event through Digital Guardian by emailing a user's manager and adding the user to a DG Watchlist.

Digital Guardian · 15 tasks · 4 inputs · 0 outputs

Inputs

  • User Name — User Name to check
  • Watchlist Name — The name of the DG watchlist to add the user to.
  • Incident Match — The incident name should contain this string in order for the playbook to handle the event. The default is DLP1008 which is a USB Exfiltration event.
  • Notify Manager — Notify User's Manager

Commands used

closeInvestigation digitalguardian-add-watchlist-entry send-mail

Flowchart

yes yes yes yes yes yes Start Start Check if Event matches the condition Check if Event matches th... Send the Manager email about the violation - send-mail Send the Manager email ab... send-mail Close incident - closeInvestigation Close incident closeInvestigation Found user in AD Found user in AD Add user to the DG Watchlist - digitalguardian-add-watchlist-entry Add user to the DG Watch... digitalguardian-add-watchlist... Manually handle other alert type Manually handle other ale... Active Directory - Get User Manager Details - Active Directory - Get User Manager Details Active Directory - Get Us... Active Directory - Get User M... Account Enrichment - Generic v2.1 - Account Enrichment - Generic v2.1 Account Enrichment - Gene... Account Enrichment - Generic ... Shall we notify the manager? Shall we notify the manager? Is User's Manager email found? Is User's Manager email f... Manually Notify Manager Manually Notify Manager Manually Investigate Manually Investigate Is Digital Guardian Enabled? Is Digital Guardian Enabled? Done Done