S4E On-Prem includes the same Actions and Playbooks framework available in the Cloud edition. These features enable automated and semi-automated responses to security findings, executed entirely within your local environment.


Overview

Actions are individual operations that can be triggered manually or automatically in response to scan findings. Playbooks are sequences of actions that define a complete remediation or response workflow.

In On-Prem deployments, all action execution happens locally -- no data is sent to external services unless you explicitly configure an outbound integration.

Actions

What is an Action?

An action is a discrete operation triggered by a scan result or user interaction. Actions can:

  • Send notifications (email, Slack, Microsoft Teams, webhook)
  • Create tickets in external systems (Jira, ServiceNow)
  • Execute remediation scripts
  • Update asset metadata
  • Trigger follow-up scans
  • Export findings to SIEM systems

Built-in Action Types

  • Notification -- Send alerts via email, Slack, or Teams when findings match specified criteria
  • Webhook -- POST finding data to an HTTP endpoint for integration with custom tooling
  • Ticket Creation -- Automatically create issues in Jira, ServiceNow, or other ITSM platforms
  • Rescan -- Trigger a follow-up scan on the affected asset after a specified delay
  • Tag Update -- Automatically tag assets based on finding severity or type
  • Export -- Push findings to a SIEM (Splunk, QRadar) or data lake

Configuring Actions

  1. Navigate to Settings > Actions in the web interface.
  2. Click Create Action.
  3. Select the action type.
  4. Define the trigger conditions:
    • Finding severity (Critical, High, Medium, Low, Informational)
    • Scan type or category
    • Asset group or tag
    • Specific vulnerability identifiers
  5. Configure the action parameters (endpoint URL, credentials, template).
  6. Save and enable the action.

On-Prem network access

For webhook and ticket-creation actions, ensure that the s4e-core pods can reach the target service. If the integration target is outside your cluster, configure appropriate egress rules.

Action Execution

Actions are processed asynchronously through RabbitMQ:

  1. A scan completes and findings are persisted to PostgreSQL.
  2. s4e-core evaluates configured action triggers against the new findings.
  3. Matching actions are published to the actions queue in RabbitMQ.
  4. The action worker consumes and executes each action.
  5. Execution results (success, failure, retry) are logged and visible in the action history.
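Steps 2 to 5 above, as an added Python sketch that is not S4E's code: an in-memory deque stands in for the RabbitMQ actions queue, the trigger keys (severity, scan_type, asset_group, vuln_id) and the message layout are assumptions, and the executor is simulated so that the success, retry and failure outcomes recorded in the action history can be followed end to end.

```python
import json
from collections import deque
# Trigger keys follow the Configuring Actions criteria; this dict layout is an assumption.
CRITERIA = ("severity", "scan_type", "asset_group", "vuln_id")

def trigger_matches(trigger, finding):
    """Every condition set on the trigger must hold; an unset condition matches any value."""
    return all(finding[k] in trigger[k] for k in CRITERIA if trigger.get(k))

def publish_matching(triggers, findings, queue):
    """Steps 2-3: evaluate enabled triggers against new findings, one message per match."""
    published = 0
    for finding in findings:
        for trigger in triggers:
            if trigger_matches(trigger, finding):
                queue.append(json.dumps({"action": trigger["name"], "asset": finding["asset"],
                                         "vuln_id": finding["vuln_id"], "attempt": 1}))
                published += 1
    return published

def run_worker(queue, execute, max_attempts=3):
    """Steps 4-5: consume messages; a failed action is re-queued until max_attempts."""
    history = []
    while queue:
        msg = json.loads(queue.popleft())
        if execute(msg):
            history.append((msg["action"], msg["asset"], "success"))
        elif msg["attempt"] < max_attempts:
            history.append((msg["action"], msg["asset"], "retry"))
            msg["attempt"] += 1
            queue.append(json.dumps(msg))
        else:
            history.append((msg["action"], msg["asset"], "failure"))
    return history

def demo():
    """Constructed sample: two triggers, three findings; the simulated executor
    cannot reach its endpoint for db02 (for example, a missing egress rule)."""
    triggers = [
        {"name": "slack-critical", "severity": {"Critical", "High"}},
        {"name": "jira-web", "severity": {"Critical"}, "scan_type": {"web"}},
    ]
    findings = [
        {"asset": "app01", "severity": "Critical", "scan_type": "web", "asset_group": "prod", "vuln_id": "V-1"},
        {"asset": "db02", "severity": "High", "scan_type": "network", "asset_group": "prod", "vuln_id": "V-2"},
        {"asset": "dev03", "severity": "Low", "scan_type": "web", "asset_group": "dev", "vuln_id": "V-3"},
    ]
    queue = deque()
    published = publish_matching(triggers, findings, queue)
    return published, run_worker(queue, lambda msg: msg["asset"] != "db02")
```

The repeated retry entries for db02 are what the queue-depth check under Best Practices would surface first.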

Playbooks

What is a Playbook?

A playbook is an ordered sequence of actions that defines a complete response workflow. Playbooks allow you to chain multiple actions together with conditional logic, delays, and approval gates.

Example Playbook: Critical Finding Response

1. [Immediate]  Send Slack notification to #security-alerts
2. [Immediate]  Create Jira ticket (Priority: Critical)
3. [Delay: 1h]  Trigger rescan to confirm finding
4. [Conditional] If finding persists:
   4a. Escalate Jira ticket
   4b. Send email to CISO
5. [Delay: 24h] Generate compliance report

Creating a Playbook

  1. Navigate to Settings > Playbooks.
  2. Click Create Playbook.
  3. Define the trigger conditions (same criteria as individual actions).
  4. Add action steps in sequence:
    • Select an existing action or create a new one inline.
    • Set timing (immediate, delayed, or conditional).
    • Configure conditional branches based on previous step outcomes.
  5. Save and activate the playbook.

Playbook Features

  • Sequential execution -- Actions run in defined order with dependency tracking
  • Conditional branching -- Execute different paths based on action outcomes or finding state
  • Delay steps -- Wait a specified duration before proceeding
  • Approval gates -- Pause execution until a designated user approves
  • Retry logic -- Automatically retry failed actions with configurable backoff
  • Audit trail -- Complete execution history for compliance and review
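The Critical Finding Response example and the playbook features above (sequential steps, delays, conditional branches on earlier outcomes, approval gates), as an added Python sketch that is not S4E's playbook format: the step dict layout is an assumption, time is a simulated clock in hours rather than real waiting, the actions are simulated and return an outcome string, and the approval gate on the CISO email is added here to exercise that feature.

```python
# Step kinds follow the Playbook Features list; this step dict layout is an
# assumption for the example, not S4E's playbook format.

def run_playbook(steps, finding, approve, clock_h=0):
    """Run steps in order on a simulated clock (hours, no real sleeping).

    A step may carry delay_h (wait before running), when (predicate over the
    finding state and earlier step outcomes) and approval (pause until approved).
    Returns (trace, status) where status is 'completed' or 'paused'.
    """
    trace, outcomes = [], {}
    for step in steps:
        clock_h += step.get("delay_h", 0)
        when = step.get("when")
        if when and not when(finding, outcomes):
            trace.append((clock_h, step["name"], "skipped"))
            continue
        if step.get("approval") and not approve(step["name"]):
            trace.append((clock_h, step["name"], "awaiting approval"))
            return trace, "paused"          # resumes from this step once approved
        outcomes[step["name"]] = step["action"](finding)
        trace.append((clock_h, step["name"], outcomes[step["name"]]))
    return trace, "completed"

def critical_finding_playbook():
    """The Critical Finding Response example as step dicts. Actions are simulated
    and return an outcome string; the approval gate on email-ciso is added here."""
    persists = lambda finding, outcomes: outcomes.get("rescan") == "persists"
    return [
        {"name": "notify-slack", "action": lambda f: "sent"},
        {"name": "create-jira", "action": lambda f: "created"},
        {"name": "rescan", "delay_h": 1,
         "action": lambda f: "persists" if f["still_vulnerable"] else "resolved"},
        {"name": "escalate-jira", "when": persists, "action": lambda f: "escalated"},
        {"name": "email-ciso", "when": persists, "approval": True, "action": lambda f: "sent"},
        {"name": "compliance-report", "delay_h": 24, "action": lambda f: "generated"},
    ]

def demo(still_vulnerable, approved):
    """Constructed run: the rescan result and the approval decision are parameters."""
    return run_playbook(critical_finding_playbook(), {"still_vulnerable": still_vulnerable},
                        approve=lambda name: approved)
```

The returned trace is the audit trail for the run: each entry records the simulated hour, the step, and its outcome or why it did not run.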

Integrations for On-Prem

Internal Integrations

Since S4E On-Prem runs inside your network, you can integrate with internal services directly:

  • Internal SMTP server for email notifications
  • Self-hosted Jira or GitLab for ticket creation
  • On-prem Slack or Mattermost for chat notifications
  • Internal SIEM (Splunk, QRadar, Elastic SIEM) for finding ingestion

External Integrations

For SaaS integrations, ensure that the cluster has outbound access to the required endpoints:

  • Slack API (https://hooks.slack.com)
  • Jira Cloud (https://<instance>.atlassian.net)
  • Microsoft Teams (https://outlook.office.com)

Air-gapped environments

In air-gapped deployments, external integrations are not available. Use internal alternatives (self-hosted Mattermost, on-prem Jira, local SMTP) or webhook-based integrations within your network.

Best Practices

  1. Start simple -- begin with notification actions before building complex playbooks.
  2. Test in staging -- validate playbook logic against a staging environment before enabling in production.
  3. Use severity filters -- avoid alert fatigue by configuring actions only for High and Critical findings.
  4. Monitor action queues -- watch the RabbitMQ action queue depth to ensure timely execution.
  5. Review audit trails -- regularly review playbook execution logs for failures and optimization opportunities.