Threat Hunting Playbook

  • Release version: Australia
  • Updated May 20, 2026
  • 2 minutes to read

    • The Threat Hunting playbook is a guided workflow for a TISC Case record that helps analysts move a threat hunt from an initial hypothesis to a final outcome.

    You can view and manage the playbook executions in the Playbooks tab of the Case record. The Threat Hunting playbook runs once per Case. After the playbook reaches completion, you can't run it on the same Case. You can add the playbook again for cancelled executions.

    Workflow stages

    1. Intake — Capture the hunt hypothesis and link related entities.
    2. Triage — The case owner reviews the hunt hypothesis from Intake and decides whether to proceed with the hunt or cancel it.
    3. Scoping — Select MITRE TTPs, define hunt scenarios, and create hunt tasks for analysts.
    4. Hunt — Analysts record findings; case-task status is tracked here.
    5. Review Outcomes — Review aggregated findings, recommendations, and closure summary.
    6. Post Hunt — Create a Security Incident or a report and complete the playbook.

    How the playbook is initiated

    The playbook is initiated automatically when a Case is created with the following values:

    • Case Type: Threat Hunting
    • Status: Draft

    A system work note on the Case record indicates that the playbook has been initiated. Open the Playbooks tab on the Case record to view execution details.

    Important:
    The Threat Hunting Playbook is shipped in a deactivated state. Before the auto-initiation takes effect, an administrator must activate the playbook. For details, see Activate the Threat Hunting Playbook.

    You can also attach the playbook manually to a Case that does not meet the auto-trigger conditions. For details, see Add the Threat Hunting Playbook to a Case.

    Roles and permissions

    Any user with access to a Case record can read playbook details and contribute information at each stage. The case owner (the user in the Assigned to field) is the decision-maker for approvals and stage transitions.

    Table 1. Stage actions and required role
    Action Who can do it
    Update the hunt hypothesis, scenarios, or findings Any user with access to the Case record.
    Approve or reject the hypothesis (Triage) Case owner only.
    Approve or reject hunt scenarios (Scoping) Case owner only.
    Transition between stages Case owner only.
    Create a Security Incident (Post Hunt) Users with create access on the Security Incident table. If the user does not have this access, the Create Security Incident action is not displayed.

    Playbook card in the context menu

    While you work on other tabs of the Case record, you can monitor playbook status and cancel the playbook from the Playbook card in the right-side context menu.