Playbook distribution
S4E playbooks are structured remediation guides that map specific findings to actionable resolution steps. Partners can create, customize, and distribute playbooks across their customer tenants to standardize remediation practices.
What Is a Playbook?
A playbook is a reusable document that contains:
- Finding match criteria -- the vulnerability types, severity levels, or specific CVEs the playbook applies to.
- Remediation steps -- ordered instructions for resolving the finding.
- Verification steps -- instructions for confirming that the remediation was successful.
- Metadata -- author, version, last updated date, and applicable technology stack.
When a scan produces findings that match a playbook's criteria, the playbook is automatically linked to those findings in the customer's dashboard.
Partner Playbook Library
Partners maintain a centralized playbook library at the partner level. This library serves as the source of truth for playbooks distributed to customer tenants.
Accessing the Library
- Navigate to Playbooks > Library in the Partner Portal.
- The library displays all playbooks you have created or imported.
Playbook Sources
| Source | Description |
|---|---|
| S4E Built-in | Pre-built playbooks maintained by S4E covering common vulnerabilities (e.g., SQL injection, XSS, TLS misconfiguration). |
| Partner-created | Custom playbooks authored by your team for specific technologies or client environments. |
| Imported | Playbooks imported from external sources via JSON or YAML format. |
Built-in playbooks
S4E built-in playbooks are read-only but can be cloned and customized. Cloned playbooks become partner-created and can be modified freely.
Creating a Playbook
- Navigate to Playbooks > Library.
- Click Create Playbook.
- Fill in the playbook details:
| Field | Description |
|---|---|
| Title | Descriptive name (e.g., "Remediate TLS 1.0/1.1 on Apache"). |
| Finding Match | Select finding types, severity, or specific CVE IDs this playbook addresses. |
| Technology | Applicable technology stack (e.g., Apache, Nginx, AWS, Azure). |
| Severity | The severity of findings this playbook targets. |
| Remediation Steps | Ordered list of resolution instructions. Supports Markdown formatting. |
| Verification Steps | Instructions to confirm the fix was applied. |
| References | Links to external documentation, vendor advisories, or knowledge base articles. |
| Tags | Searchable tags for organization (e.g., "web-server", "encryption", "compliance"). |
- Click Save to add the playbook to your library.
Distributing Playbooks
Distribution pushes playbooks from your partner library to one or more customer tenants.
Distribute to Specific Customers
- Open the playbook in Playbooks > Library.
- Click Distribute.
- Select the target customer tenants from the list or choose a customer group.
- Choose the distribution mode:
| Mode | Description |
|---|---|
| Push | Sends the current version of the playbook to the selected tenants. Future updates must be re-pushed manually. |
| Sync | Links the playbook to the selected tenants. When you update the playbook in the library, changes are automatically propagated to all synced tenants. |
- Click Distribute.
Distribute to All Customers
- Open the playbook in Playbooks > Library.
- Click Distribute > All Customers.
- Choose Push or Sync mode.
- Confirm the action.
Use Sync mode
For playbooks that you actively maintain and update, use Sync mode. This ensures all customers always have the latest version without requiring manual re-distribution.
Managing Distributed Playbooks
Viewing Distribution Status
Navigate to Playbooks > Distribution to see:
- Which playbooks have been distributed to which customers.
- Distribution mode (Push or Sync) for each assignment.
- Version status (up-to-date or outdated for Push-mode distributions).
- Linked findings count per customer.
Updating a Synced Playbook
- Edit the playbook in Playbooks > Library.
- Save the changes.
- All Sync-mode distributions are updated automatically within minutes.
- An update notification is generated in affected customer dashboards.
Revoking a Distribution
- Navigate to Playbooks > Distribution.
- Select the playbook and customer.
- Click Revoke.
- The playbook is removed from the customer tenant. Existing findings that referenced the playbook retain their remediation history, but the playbook link is removed.
Customer-Side Experience
When a distributed playbook matches findings in a customer tenant:
- The finding detail page displays a Remediation Playbook section with the linked playbook.
- Customer users (if portal access is enabled) can view the remediation and verification steps.
- Analysts and customer admins can mark remediation steps as completed, creating a tracked remediation workflow.
Visibility
Distributed playbooks are visible to customer-side users if customer portal access is enabled with read or full access. If your playbooks contain partner-confidential information, sanitize them before distribution or restrict customer portal access to read-only.
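A pre-distribution check for the sanitization step described above, as an added example that is not S4E code: it lints a playbook held as a Python dict for content that should not reach customer-visible fields. The field names (modelled on the Creating a Playbook table), the patterns and the sample playbook are assumptions constructed for illustration, not the S4E import schema.

```python
import re

# Constructed patterns for content a partner would not want in a
# customer-visible playbook; tune them to your own environment.
CHECKS = {
    "private-ip": re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))(?:\.\d{1,3}){2}\b"),
    "internal-host": re.compile(r"\b[\w.-]+\.(?:internal|corp|local)\b", re.I),
    "credential": re.compile(r"(?i)\b(?:password|passwd|api[_-]?key|token|secret)\s*[:=]\s*\S+"),
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "internal-note": re.compile(r"(?i)\b(?:internal only|partner[- ]confidential|do not share)\b"),
}

# Assumed field names for the text customer-side users can read after distribution.
TEXT_FIELDS = ("title", "remediation_steps", "verification_steps", "references", "tags")

def iter_text(playbook):
    """Yield (location, text) for every string in the customer-visible fields."""
    for field in TEXT_FIELDS:
        value = playbook.get(field, "")
        is_list = isinstance(value, list)
        for i, item in enumerate(value if is_list else [value], start=1):
            yield (f"{field}[{i}]" if is_list else field), str(item)

def lint_playbook(playbook):
    """Return sorted (location, check) pairs for content to sanitize first."""
    hits = set()
    for location, text in iter_text(playbook):
        for name, pattern in CHECKS.items():
            if pattern.search(text):
                hits.add((location, name))
    return sorted(hits)

# Constructed sample playbook (not a real S4E export).
SAMPLE = {
    "title": "Remediate TLS 1.0/1.1 on Apache",
    "remediation_steps": [
        "Set SSLProtocol -all +TLSv1.2 +TLSv1.3 in ssl.conf.",
        "Pull the hardened template from cfg01.corp (10.20.3.14), api_key=EXAMPLE-NOT-REAL.",
        "Reload Apache.",
    ],
    "verification_steps": ["Rescan the host; internal only: escalate to tier 3 if it still fails."],
    "tags": ["web-server", "encryption"],
}

if __name__ == "__main__":
    for location, check in lint_playbook(SAMPLE):
        print(f"{location}: {check}")
```

Run the check on the library copy before clicking Distribute. Because Sync mode propagates every saved edit to all synced tenants, rerun it on each edit of a synced playbook.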
Playbook Analytics
Track playbook effectiveness under Playbooks > Analytics:
| Metric | Description |
|---|---|
| Distribution count | Number of customers receiving each playbook. |
| Match rate | Percentage of findings that have a matching playbook. |
| Remediation rate | Percentage of playbook-linked findings that were resolved. |
| Mean time to remediate | Average time from finding detection to resolution for playbook-linked findings. |
| Top unmatched findings | Finding types without a matching playbook, highlighting gaps in your library. |
Use these analytics to identify which playbooks are most effective and where new playbooks are needed.
Best Practices
- Start with S4E built-in playbooks and customize them for your customer base.
- Use Sync mode for actively maintained playbooks to reduce distribution overhead.
- Tag playbooks consistently for easy searching and filtering.
- Review playbook analytics monthly to identify gaps and improve remediation rates.
- Version your playbooks by noting the version number in the metadata; this helps with change tracking and customer communication.