Playbook Servers and Playbook Workers

Improving Quality of Service for ThreatConnect Playbooks Users

ThreatConnect users have been leveraging Playbooks to handle the automation of decision-making for some time, but as the use cases requiring complex orchestration with multiple workflows increase, so must the engine driving the technology. To handle Playbooks being run across multiple teams with varying priorities, we leverage Playbook Servers and Playbook Workers.

Playbook Servers

A Playbook Server is purpose-built for the execution of Playbooks. Multiple Playbook Servers can be deployed to scale capacity, enable high availability (HA), or isolate resources. Benefits of Playbook Servers include:

  • Horizontal Scaling: Playbook Servers enable horizontal scaling of Playbook execution capacity. Playbooks execute in real time, so more Playbooks can mean a larger queue. Increasing Playbook Servers means more hardware capacity to consume pending executions from that queue.
  • High Availability: Enable high availability (HA) simply by deploying multiple Playbook Servers. If at any point a Playbook Server crashes or gets into an unreliable state, the remaining servers in the pool take over execution responsibilities.
  • Resource Allocation: Improve Quality of Service by allocating Private Servers to specific Organizations. For example, you might have a Server dedicated to Incident Response Playbooks and another dedicated to Threat Intel Playbooks. Organizations can direct Playbook Executions to a Private Server to ensure availability and responsiveness.

Figure 1: Specify which Playbooks run on which Playbook Server to ensure the right Playbooks get the resources they need.

Playbook Workers

Taking it one step further, every time a Playbook is run, it's carried out by a Playbook Worker. A Playbook Worker executes one Playbook at a time. The number of Playbook Workers determines the number of Playbooks that can be executed concurrently. If the number of Playbooks requiring execution surpasses the number of available Playbook Workers, then those Playbooks are queued and executed from the queue in priority order by the next available Playbook Worker. As seen in Figure 2, Playbook Workers provide increased visibility into and control over orchestration execution, thanks to a management console that is easy to understand and navigate and is found directly in the ThreatConnect Platform.

For teams that are automating functions and tasks for incident response, threat intelligence, and security operations, this can mean dozens, or even hundreds, of Playbooks active in ThreatConnect at the same time. A short queue is normal and, in many instances, acceptable for most tasks. High-priority tasks can also be prioritized to execute ahead of the queue. However, when queues grow longer than desired, you can scale your automation and orchestration in ThreatConnect by allocating additional Playbook Workers, either with a larger instance size or by adding Playbook Servers.
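The queueing behaviour described above, and the effect of dedicating a pool to one team, as an added Python simulation that is not ThreatConnect code. It assumes that a running Playbook is never interrupted, that a lower number means higher priority, and that ties run in arrival order; the job names, priorities and durations are constructed.

```python
import heapq

def simulate(jobs, workers):
    """Non-preemptive priority scheduling over a fixed pool of workers.

    jobs: (arrival, priority, duration, name); lower priority number runs first.
    Returns {name: seconds spent queued before a worker picked it up}.
    """
    arrivals = sorted(jobs, key=lambda j: j[0])
    free_at = [0] * workers          # min-heap: when each worker next goes idle
    queue, waits, i = [], {}, 0      # queue holds (priority, arrival, seq, name, duration)
    while i < len(arrivals) or queue:
        now = free_at[0]             # earliest moment any worker is available
        if not queue and arrivals[i][0] > now:
            now = arrivals[i][0]     # pool is idle until the next trigger fires
        while i < len(arrivals) and arrivals[i][0] <= now:
            arrival, prio, dur, name = arrivals[i]
            heapq.heappush(queue, (prio, arrival, i, name, dur))
            i += 1
        prio, arrival, _, name, dur = heapq.heappop(queue)
        start = max(heapq.heappop(free_at), arrival)
        waits[name] = start - arrival
        heapq.heappush(free_at, start + dur)  # worker is busy for the whole run
    return waits

def dedicated(jobs, is_private, private_workers, shared_workers):
    """Route jobs matching is_private to their own pool, the rest to a shared one."""
    private = [j for j in jobs if is_private(j)]
    shared = [j for j in jobs if not is_private(j)]
    return {**simulate(shared, shared_workers), **simulate(private, private_workers)}

# Constructed workload (seconds): three long enrichment runs, then one urgent run.
JOBS = [
    (0, 5, 10, "intel-enrich-1"),
    (0, 5, 10, "intel-enrich-2"),
    (0, 5, 10, "intel-enrich-3"),
    (1, 1, 4, "ir-contain-host"),
]

if __name__ == "__main__":
    print("1 shared worker :", simulate(JOBS, 1))
    print("3 shared workers:", simulate(JOBS, 3))
    print("2 shared + 1 IR :", dedicated(JOBS, lambda j: j[3].startswith("ir-"), 1, 2))
```

Under these assumptions, priority lets the urgent run jump the queue, but it still waits for a busy worker to finish; giving it a dedicated pool removes that wait at the cost of a longer shared queue.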

Figure 2: Manage Playbook Workers Directly from the ThreatConnect Platform

Playbook Workers are included in your license of the ThreatConnect Platform for both Dedicated Cloud and On-Premises deployments. The quantity provided depends on the Package Size purchased.