Configuring Interventions
      Back to home
      1. Knowledge Base
      2. Configuring Interventions
      3. Configuring Interventions

      Creating and Managing Playbooks

      What are Playbooks?


      Playbooks allow you to automatically respond to human risk detections with targeted interventions — whether that’s nudging a user, raising a ticket, or sending an alert to your SIEM or ITSM tool. Playbooks are flexible, easy to configure, and designed to help security teams act fast when risky behaviour is detected.

      A Playbook defines:

      • When to trigger an intervention (e.g. when a weak password is detected)

      • Who it applies to (target audience or user group)

      • What should happen (the intervention)

      You can configure different playbooks for different risks — and ensure a targeted automated response to the right users, at the right moment.

      How to Use Playbooks

      Accessing Playbooks

      There are two ways to configure playbooks:

      • From the Interventions page:
        Navigate to the “Intervene” tab in the left-hand navigation menu to view and manage all existing playbooks.

      • From an individual Risk Page:
        Open any risk (e.g. Weak Password) and click on the 'Intervene' tab to view and manage playbooks related to that specific risk.

      Viewing and Creating Playbooks

      • Existing playbooks are shown in a table, including status, trigger, audience, and interventions.

      • To edit an existing playbook, click the Configure button.

      • To create a new playbook, click New Playbook.

      Using the Configuration Wizard

      When creating or editing a playbook, a slide-out wizard opens — this is where you configure the playbook step by step.

      Step 1: Name Your Playbook

      • Give your playbook a clear, descriptive name.

      • Default text: “My new playbook”

      • The name must be unique — you’ll be notified if the name is already in use.

      Example: “Employee notification for weak passwords (every occurrence)”


      Step 2: Select a Trigger

      • The trigger is the event that causes the playbook to run.

      • Choose from the list of supported risk types (e.g. Weak Password Detected).

      • You can only select one trigger per playbook.

      Example: You want to trigger a playbook every time a user is detected using a weak  password.

      Step 3: Define the Audience

      • Choose which users or groups the playbook should apply to.

      • You can select from:

        • Smart Groups (dynamic, based on attributes)

        • Manual Groups (static user lists)

      • The number of matching users is shown automatically.

      Example: You only want to target users in your engineering department.

      Step 4: Set Conditions (Optional)

      • Add occurrence-based conditions to control when the playbook runs.

      • You can trigger a playbook on or after a specific number of times a risk has been detected.

      Example: You might only want to notify a user if they’ve reused a password more than twice.

      💡 Coming soon: You’ll also be able to add conditions based on risk metadata (e.g. domain, device, app).

      Step 5: Configure the Intervention

      • Choose one or more interventions to run when the playbook is triggered by clicking the plus icon.

      • Interventions are grouped by type and include:

        • Slack or Teams nudges

        • In-browser banners

        • Just-in-time training

        • Email notifications

        • Webhooks or Jira/ServiceNow tickets

      Note: Some interventions are only available for specific risk types
      e.g. Slack nudges are only available for risks detected in Slack environments.

      • You can configure each intervention’s settings and send yourself a preview where available.

      Example: Configuring an Intervention to Send Employee Notification

      Personalising Interventions with Merge Tags

      When configuring an intervention, you can use merge tags to personalise the content based on the specific risk event or the employee involved.

      Merge tags let you dynamically insert values such as:

      • The affected employee’s first name

      • The type of risk detected

      • The app or domain where the risk occurred

      • The date of the event

      Saving Your Playbook

      • The Save button becomes active once all required fields are completed.

      • If you click Cancel, you'll be prompted to confirm before discarding any unsaved changes.

      • Once saved, your playbook will run automatically when its trigger conditions are met.

      Editing Existing Playbooks

      • Playbooks can be edited from the Intervene tab or risk pages.

      • Existing values are pre-filled in the configuration wizard.

      • The Save button is only enabled if changes are made.

      Need Help?

      If you run into issues or want help designing your intervention logic, reach out to our team at success@culture.ai.