Runbook Automation
Define automated incident response workflows that trigger on attack detection
Overview
Runbooks are automated workflows that execute when specific conditions are met during an attack. Instead of manually responding to each incident, you define the response once and Flowtriq executes it every time.
Creating a Runbook
Go to Dashboard → Runbooks and click Create Runbook.
Trigger Conditions
Define when the runbook should fire:
| Condition | Options |
|---|---|
| Minimum severity | Any, Low, Medium, High, Critical |
| Minimum PPS | Numeric threshold (e.g. 50000) |
| Attack family | UDP flood, SYN flood, HTTP flood, ICMP flood, DNS flood, Multi-vector, or Any |
| Nodes | All nodes, or specific nodes |
Action Steps
Each runbook contains one or more action steps executed in order:
- Send notification: Fire an alert to a specific channel (Discord, Slack, PagerDuty, etc.)
- Queue mitigation rules: Apply iptables, nftables, or other firewall rules to the affected node
- Execute webhook: POST attack context as JSON to a custom HTTP endpoint
- Update incident status: Auto-resolve or escalate the incident
- Add note: Append a comment to the incident timeline
Example: Auto-Mitigate UDP Floods
# Runbook: "UDP Flood Auto-Response"
Trigger: attack_family = udp_flood AND severity >= medium
Steps:
1. Queue mitigation: iptables rate-limit UDP (hashlimit 50/sec per source)
2. Send notification: #incidents Slack channel
3. Add note: "Auto-mitigation applied: UDP rate limit"
Execution History
Every runbook execution is logged with the trigger event, steps executed, success/failure status, and timestamp. View history from the runbook detail page or the incident timeline.
Tip: Start with notifications-only runbooks to validate your trigger conditions before adding mitigation actions. Once you trust the triggers, add firewall rules.