Security Operations on the Now Platform makes runbook automation easy. Making it auditable is the harder half. The pattern that gets through both your CISO and your external assessor has three properties most homegrown playbooks skip.

Property one: deterministic preconditions

Every automated action must start with a guard that proves the precondition was met. Not “the user has the role” — proven at the moment of execution.

// Inside a Flow Action script step (assumes `current` is the security_incident record handed to the step)
// The role check runs now, for the executing user, not for whoever authored the flow
if (!gs.hasRole('sn_si.analyst')) {
  throw new Error('SOAR action invoked without analyst role');
}
// severity is a GlideElement; compare its stored string value rather than relying on loose coercion
if (current.getValue('severity') != '1') {
  throw new Error('Auto-isolate only allowed on severity 1');
}

The exception ends up in syslog, which is what your auditor will sample.

Property two: every change is reversible by design

For every automated action that mutates state — disabling a user, isolating a host, blocking an IP — pair it with a stored rollback step that captures the prior state.

Action: Disable User
  Before: capture user.active, user.locked_out into work_notes
  After: write rollback Script Action reference into security_incident.work_notes

The rollback script lives in the same scoped app and is one click from the analyst’s view.

Property three: human in the loop above a threshold

Define explicit dollar or impact thresholds that escalate from auto-action to assisted-action. The platform’s sn_si_response_task pattern supports this — use it.

Severity 4: auto-isolate, notify
Severity 3: auto-isolate, page analyst
Severity 2: assisted (analyst clicks isolate)
Severity 1: assisted plus manager approval

Attempting to fully automate severity-1 response will end your career.

The audit log is the deliverable

Every automated action should write a structured audit row. Use a dedicated table — u_secops_automation_log — not work notes. Include: action name, target sys_id, precondition snapshot, executor, result, rollback reference. Auditors will pull this single table.

Test the rollback, not just the action

In your monthly tabletop, the exercise is “the runbook fired in error — restore service.” If the team cannot demo the rollback in five minutes, the rollback is not real.

What to do this week

Pick your three most-fired SecOps runbooks. Confirm each has a precondition guard, a rollback path, and writes to the automation log. Wherever any of these is missing, file a hardening ticket before you add a new automation.