RunbooksDB is included in the license for Runbooks.
Runbooks comprise a particular methodology: a series of tactics, techniques, and procedures collectively known as TTPs. Runbooks are executed and turned into an engagement tied to a specific client. Once the engagement is finished and submitted, it becomes a report.
The RunbooksDB enables reuse of the pieces that build an engagement to decrease the time spent on authoring and decrease errors when creating the TTPs.
RunbooksDB is found under the Content Library in the main menu.
The RunbooksDB page consists of the following tabs:
- Repositories: A collection of reusable procedures to which access can be controlled.
- Procedures: A grouping of execution steps that need to be accomplished. For example, if a tactic is persistence and the technique is browser extensions, then a procedure could detail how a hostile browser extension is injected to maintain persistence.
- Techniques: A grouping of procedures. Techniques are added to a tactic for use in an engagement. For example, if a tactic is persistence, a technique could exist for browser extensions.
- Tactics: A grouping of techniques. Tactics are added to a methodology for use in a runbook. A tactic usually represents a type of attack from the MITRE ATT&CK framework, such as persistence or privilege escalation. It can also be a logical grouping or structure for techniques.
- Methodologies: A grouping of tactics that are put into a runbook. A methodology contains a title, ID, description, and the series of tactics selected. Tactics can be selected to apply to the methodology when it is used as a runbook. This is similar to how MITRE ATT&CK is broken down, where the methodology represents the framework for TTPs.
RunbooksDB access is managed by an admin in the Admin Dashboard/Security & User Management/Security/Role Based Access. After selecting the user role, RunbooksDB access is configured under Content Library Permissions/RunbooksDB at the bottom of the page.