Add the Threat Hunting Playbook to a Case

  • Release version: Australia
  • Updated May 20, 2026
  • 1 minute to read

    • If a Case does not meet the auto-trigger conditions for the Threat Hunting playbook, you can attach the playbook to the Case manually.

    Before you begin

    Role required: sn_sec_tisc.analyst

    The Case must be open. You can't add the Threat Hunting playbook to a closed Case.

    About this task

    Use this procedure when the Threat Hunting playbook doesn't auto-trigger but you still want to run a threat hunt. For example, you want to run it when the Case Type is not Threat Hunting.

    Procedure

    1. Navigate to Workspaces > Threat Intelligence Security Center.
    2. Select the Threat Analyst Workbench icon.
    3. Go to Case Management > All Cases.
      All the cases are displayed.
    4. Open a Case record and select More actions > Add Playbook.
    5. Select Threat Hunting from the list of available playbooks.
    6. Review the confirmation dialog and confirm the addition.
      Important:
      Adding a playbook can result in repetition of the activities completed on the Case, for example, MITRE techniques associated or scenarios entered.

    Result

    The Threat Hunt Playbook is attached to the Case and initiates the Intake stage. For details on each stage, see Use the Threat Hunting Playbook.