Playbooks

Playbooks bundle a case type's default actions, phase structure, custom fields, and icon into a single reusable definition. When a case is created from a playbook, DFIRe seeds it with the playbook's actions and fields so investigators and responders start with a consistent structure.

Default Playbooks

DFIRe ships with a set of pre-made playbooks covering common investigation and incident response scenarios. These are editable — you can adjust them, clone them, or replace them entirely to match your organization's processes.

Creating a Playbook

  1. Go to Settings → Playbooks
  2. Click "New Playbook" to open the designer.
  3. Configure basic settings
    • Name: Display name for the playbook.
    • Description: When to use this playbook.
    • Mode: Investigation or Incident. Incident-mode playbooks surface phases and compliance-timer affordances; investigation-mode playbooks are simpler.
    • Icon: Pick an icon that visually identifies this playbook on case cards, tab headers, and the creation modal. The icon picker offers a curated set of forensics-relevant glyphs.
  4. Define actions and phases

    Actions are the tasks investigators will tick off during a case. For incident-mode playbooks, actions are grouped by phase (Detection & Analysis, Containment, Eradication, Recovery, Post-Incident). Each action has a description and optional runbook attachment.

  5. Add custom fields

    Define additional fields specific to this playbook — e.g., "Reporter Email" for a data breach playbook, or "Malware Family" for a malware analysis playbook.

  6. Save the playbook

    New cases can now be created from this playbook. Existing cases can also be swapped onto it — see Swapping a playbook on an existing case.

GUI and JSON editors

The playbook designer has two editing modes, accessible via the GUI / JSON toggle at the top of the editor:

  • GUI mode — form-based editor for building playbooks step-by-step. Recommended for most edits.
  • JSON mode — raw JSON representation of the playbook. Useful for bulk edits, diffing, version-controlling playbook definitions, or generating playbook drafts with an LLM. Paste a JSON definition, switch back to GUI mode to visually validate, then save.

Switching between modes round-trips through the same data structure, so you can iterate in GUI mode, flip to JSON to copy a definition elsewhere, and flip back without losing changes.

When generating a playbook with an LLM, ask for strict JSON output matching the structure you see in JSON mode. DFIRe validates the structure on save and surfaces any schema errors inline.

Swapping a playbook on an existing case

Cases are not locked to the playbook they were created from. If investigation direction changes — for example, what looked like a phishing incident turns out to be a broader compromise — you can swap the case onto a different playbook without losing progress.

How to swap

  1. Open the case and go to Case → Change Playbook.
  2. Select the new playbook.
  3. Choose a merge mode:
    • Merge (default): adds the new playbook's actions and custom fields alongside the existing ones. Existing action progress (done, started, skipped) is preserved.
    • Replace: replaces unstarted actions with the new playbook's actions. Completed and skipped actions are kept for audit; started actions are preserved.
  4. Confirm. A PLAYBOOK_CHANGED timeline event is written so the switch is visible in the case history.

Swapping is reversible — you can swap back to the original playbook, or onto a third. Each swap produces its own timeline event.

Custom Fields

Custom fields capture playbook-specific information on each case. Available field types:

Field Type    Description
Text          Single-line text input
Text Area     Multi-line text
Number        Numeric values
Date          Date picker
Select        Dropdown with predefined options
Multi-Select  Multiple choice selection
Checkbox      Boolean true/false

Field Properties

  • Label: Display name
  • Required: Must be filled when creating a case
  • Default Value: Pre-populated value
  • Help Text: Guidance for users

Actions and seeding

Actions defined on a playbook act as a template. When a case is created from the playbook, DFIRe copies the action list onto the new case. From that point on, the case's actions and the playbook's actions are independent — editing a playbook does not retroactively change existing cases. Per-case action edits happen on the case itself (Actions tab), not on the playbook.

This keeps historical cases stable while letting you evolve playbooks over time.
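As an added illustration of the seeding rule above and of the Merge and Replace modes from Swapping a playbook on an existing case, the following Python model seeds a case from a constructed playbook and then swaps it onto another. It is not DFIRe's own code or JSON schema; the status names, the playbook and case dictionaries, and the assumption that custom fields are added alongside existing ones in both modes are all constructed for the example.

```python
from copy import deepcopy

# Constructed sample playbooks (illustrative only, not DFIRe's schema or data).
PHISHING = {"name": "Phishing", "fields": {"Reporter Email": "Text"}, "actions": [
    {"title": "Collect mail headers", "phase": "Detection & Analysis"},
    {"title": "Block sender domain", "phase": "Containment"}]}
COMPROMISE = {"name": "Broader Compromise", "fields": {"Malware Family": "Text"}, "actions": [
    {"title": "Scope affected hosts", "phase": "Detection & Analysis"},
    {"title": "Rotate exposed credentials", "phase": "Eradication"}]}

def seed_case(playbook):
    """Create a case from a playbook. Actions and fields are deep-copied, so
    later edits to the playbook never reach the case (and vice versa)."""
    actions = [dict(a, status="unstarted") for a in deepcopy(playbook["actions"])]
    return {"playbook": playbook["name"], "actions": actions,
            "fields": deepcopy(playbook["fields"]), "timeline": []}

def change_playbook(case, new_pb, mode="merge"):
    """Swap a case onto another playbook using the Merge or Replace mode."""
    if mode == "merge":
        kept = case["actions"]  # every existing action survives, progress intact
    elif mode == "replace":
        # Only unstarted actions are dropped; done and skipped actions stay for
        # audit, started ones are preserved.
        kept = [a for a in case["actions"] if a["status"] != "unstarted"]
    else:
        raise ValueError(f"unknown merge mode: {mode}")
    incoming = [dict(a, status="unstarted") for a in deepcopy(new_pb["actions"])]
    case["actions"] = kept + incoming
    # Custom fields are added alongside existing ones (assumed for both modes).
    for label, ftype in new_pb["fields"].items():
        case["fields"].setdefault(label, ftype)
    case["timeline"].append({"event": "PLAYBOOK_CHANGED", "from": case["playbook"],
                             "to": new_pb["name"], "mode": mode})
    case["playbook"] = new_pb["name"]
    return case

def seeding_is_independent():
    """Editing a playbook after seeding must leave the seeded case untouched."""
    pb = deepcopy(PHISHING)
    case = seed_case(pb)
    pb["actions"].append({"title": "Added after seeding", "phase": "Recovery"})
    return len(case["actions"]) == 2

def demo(mode):
    """Seed a phishing case, tick off the first action, then swap playbooks."""
    case = seed_case(PHISHING)
    case["actions"][0]["status"] = "done"
    return change_playbook(case, COMPROMISE, mode)
```

Calling demo("replace") drops only the unstarted "Block sender domain" action, while the completed header-collection action, both custom fields and the PLAYBOOK_CHANGED timeline event remain on the case.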

Best Practices

  • Start from a default playbook and customize rather than building from scratch.
  • Don't proliferate playbooks — use custom fields to capture variation instead of cloning.
  • Keep action phrasing consistent across playbooks so team members build muscle memory.
  • Version-control playbook JSON exports if multiple people edit playbooks — useful for rollback.
  • Document when each playbook should be used in its description so responders pick the right one under pressure.