SOAR Playbooks (SoI‑Aligned)

Operational runbooks for rapid detection and automated response, tailored to each Sphere of Influence—Private, Social, and Public. Each playbook follows zero‑trust principles: verify explicitly, enforce least privilege, protect data by design.

Zero Trust by contextAutomation with approvalsThreat‑informed

Overview

Event → Playbook matrix

Map common detections to their SoI‑specific response automation.

Detection	Private	Social	Public
Credential compromise / impossible travel	Lock account, revoke tokens, device quarantine	Suspend guest, isolate session, owner notified	N/A (anonymous) — rate-limit abuse, block IP ASN
Mass download / exfil attempt	Throttle, watermark, DLP block, start egress capture	Pause share, watermark, require owner approval	Bot flag, require step-up for writes, CDN shield
Data mis-share (wrong audience)	Auto revoke, rotate link, notify record owners	Recall + expire links, tenant audit, attest identity	Takedown pipeline if published
Bot/abuse surge	N/A	N/A	WAF rules, bot mgmt, challenge pages, community queue

Private SoI

Playbook: Suspected credential compromise

Triggered by impossible travel, atypical MFA patterns, or session anomaly risk ≥ threshold in Private SoI.

Objective

Private SoIMTTD ≤ 2mMTTR ≤ 15m

Containment

Revoke tokens, force sign‑out, kill active sessions, disable new device enrollments.

Forensics

Snapshot session metadata, preserve logs, export to SIEM, tag case ID.

Comms

Notify user + manager, open incident in ticketing, post #security channel.

Auto-contain account

Disable refresh tokens; revoke OAuth grants.
Rotate app secrets for high‑risk scopes.
Quarantine managed device if EDR risk ≥ medium.

Risk‑based step‑up

Require passkey re‑auth and phishing‑resistant MFA.
Block legacy protocols; enforce mTLS.

Evidence capture

Export auth logs, IPs, user agent, geo.
Hash + store artifacts; link to case.

Human approval gates

Security reviewer confirms identity re‑proof.
Re‑enable account; monitor 24h with heightened alerts.

Post‑incident actions

Rotate long‑lived credentials.
Update detections if gap identified.
Close with root cause + lessons learned.

Public SoI

Playbook: Bot / abuse surge

Triggered by sudden spikes, credential stuffing signatures, or malicious user‑generated content.

Objective

Public SoIMTTD ≤ 1mMTTR ≤ 10m

Edge defenses

Tighten WAF rules, enable challenge pages, block abusive ASNs, raise rate limits.

Detection tuning

Feed threat intel; fingerprint bot patterns; protect write endpoints with step‑up.

Community ops

Queue moderation; auto‑takedown defacements with approval trail.

Mitigate at the edge

Enable CDN shield; escalate bot score threshold.
Block Tor/known bad IP ranges temporarily.

Protect data & privacy

Minimize logging of PII; honor regional consent signals.
Rotate public API keys; enforce per‑IP quotas.

Content moderation

Auto‑takedown defaced pages with rollback.
Escalate to human review for borderline content.

After‑action

Share indicators with partners; update WAF/bot rules.
Report metrics and document lessons learned.

Operations

Governance, approvals, and metrics

All automation is gated by human approvals where appropriate and logged immutably.

Approval gates

Risk‑tiered actions: Contain (auto), Restrict (1 approver), Disable (2 approvers).
Owner‑in‑the‑loop for Social shares; SOC duty officer for Private actions.
All approvals recorded with signer identity and timestamp.

Core metrics

MTTDMTTRContainment TimeFalse Positive RateUser ImpactedData at Risk

Get started

Automate your SoI‑aware security response

Wire these playbooks to your SIEM, IdP, EDR, and CDN. We provide adapters and reference policies for rapid deployment.

Talk to an expert Download reference YAML Download reference JSON

Solutions

Industries

Resources

About

XRDNA, MoE, Map of Everything, eVa, Sphere of Influence, and Neural Voyager are all registered trademarks for XRDNA Inc
2025 XRDNA, Inc. All Rights Reserved.

SOAR Playbooks (SoI‑Aligned)

Zero Trust by contextAutomation with approvalsThreat‑informed

Overview

Event → Playbook matrix

Map common detections to their SoI‑specific response automation.

Detection	Private	Social	Public
Credential compromise / impossible travel	Lock account, revoke tokens, device quarantine	Suspend guest, isolate session, owner notified	N/A (anonymous) — rate-limit abuse, block IP ASN
Mass download / exfil attempt	Throttle, watermark, DLP block, start egress capture	Pause share, watermark, require owner approval	Bot flag, require step-up for writes, CDN shield
Data mis-share (wrong audience)	Auto revoke, rotate link, notify record owners	Recall + expire links, tenant audit, attest identity	Takedown pipeline if published
Bot/abuse surge	N/A	N/A	WAF rules, bot mgmt, challenge pages, community queue

Private SoI

Playbook: Suspected credential compromise

Triggered by impossible travel, atypical MFA patterns, or session anomaly risk ≥ threshold in Private SoI.

Objective

Private SoIMTTD ≤ 2mMTTR ≤ 15m

Containment

Revoke tokens, force sign‑out, kill active sessions, disable new device enrollments.

Forensics

Snapshot session metadata, preserve logs, export to SIEM, tag case ID.

Comms

Notify user + manager, open incident in ticketing, post #security channel.

Auto-contain account

Disable refresh tokens; revoke OAuth grants.
Rotate app secrets for high‑risk scopes.
Quarantine managed device if EDR risk ≥ medium.

Risk‑based step‑up

Require passkey re‑auth and phishing‑resistant MFA.
Block legacy protocols; enforce mTLS.

Evidence capture

Export auth logs, IPs, user agent, geo.
Hash + store artifacts; link to case.

Human approval gates

Security reviewer confirms identity re‑proof.
Re‑enable account; monitor 24h with heightened alerts.

Post‑incident actions

Rotate long‑lived credentials.
Update detections if gap identified.
Close with root cause + lessons learned.

Public SoI

Playbook: Bot / abuse surge

Triggered by sudden spikes, credential stuffing signatures, or malicious user‑generated content.

Objective

Public SoIMTTD ≤ 1mMTTR ≤ 10m

Edge defenses

Tighten WAF rules, enable challenge pages, block abusive ASNs, raise rate limits.

Detection tuning

Feed threat intel; fingerprint bot patterns; protect write endpoints with step‑up.

Community ops

Queue moderation; auto‑takedown defacements with approval trail.

Mitigate at the edge

Enable CDN shield; escalate bot score threshold.
Block Tor/known bad IP ranges temporarily.

Protect data & privacy

Minimize logging of PII; honor regional consent signals.
Rotate public API keys; enforce per‑IP quotas.

Content moderation

Auto‑takedown defaced pages with rollback.
Escalate to human review for borderline content.

After‑action

Share indicators with partners; update WAF/bot rules.
Report metrics and document lessons learned.

Operations

Governance, approvals, and metrics

All automation is gated by human approvals where appropriate and logged immutably.

Approval gates

Risk‑tiered actions: Contain (auto), Restrict (1 approver), Disable (2 approvers).
Owner‑in‑the‑loop for Social shares; SOC duty officer for Private actions.
All approvals recorded with signer identity and timestamp.

Core metrics

MTTDMTTRContainment TimeFalse Positive RateUser ImpactedData at Risk

Get started

Automate your SoI‑aware security response

Wire these playbooks to your SIEM, IdP, EDR, and CDN. We provide adapters and reference policies for rapid deployment.

Talk to an expert Download reference YAML Download reference JSON

Solutions

Industries

Resources

About

Event → Playbook matrix

Playbook: Suspected credential compromise

Playbook: Suspicious mass download / exfil

Playbook: Bot / abuse surge

Governance, approvals, and metrics

Automate your SoI‑aware security response

Event → Playbook matrix

Playbook: Suspected credential compromise

Playbook: Suspicious mass download / exfil

Playbook: Bot / abuse surge

Governance, approvals, and metrics

Automate your SoI‑aware security response