Using playbooks

  • Release version: Australia
  • Updated June 5, 2026
  • 2 minutes to read

Playbooks in Threat Intelligence Security Center guide analysts through structured threat investigation stages. Each stage defines the actions to complete before the case advances to the next phase of the response process.

When a Case record is created in Threat Intelligence Security Center with the appropriate Case type and status, a playbook starts automatically. The playbook appears in the Playbooks tab of the Case record and shows the current stage, pending activities, and overall progress. The Threat Hunting playbook runs once per Case. After the playbook reaches completion, you can't run it on the same Case. If an execution is cancelled, you can attach the playbook to the Case again.

How stages work

A playbook moves through a fixed sequence of stages. Each stage contains activities — such as entering data, completing tasks, or waiting for an approval. You must complete all required activities in a stage before the case owner can advance the playbook to the next stage.

The Playbooks tab shows which stage is active and what activities remain. The playbook marks completed stages so you can track progress at a glance.

Analyst contributions

Any analyst with access to a Case record can read playbook details and contribute information at each stage. Typical analyst activities include recording findings, linking related entities, selecting MITRE ATT&CK techniques, and completing case tasks.

Stage transitions and approval decisions are made by the case owner — the user in the Assigned to field. If you aren't the case owner, complete your assigned activities and notify the case owner when the stage is ready to advance.

Monitoring playbook status

While you work on other tabs of the Case record, you can monitor playbook status from the Playbook card in the right-side context menu. The card shows the current stage and lets you cancel the playbook if needed.

The system adds a work note to the Case record when the playbook starts. Check the work notes for a record of key playbook events, including stage transitions and completion.

Playbook completion

A playbook runs once per Case. After it reaches completion, it can't run again on the same Case. If a playbook execution is cancelled, the case owner or an administrator can attach the playbook again manually.

At the final stage, analysts typically create a security incident or a report to document the outcome. This action requires create access on the Security Incident table. If you don't have this access, the playbook does not display the option.