Using playbooks

  • Release version: Yokohama
  • Updated June 5, 2026
  • 2 minutes to read

Playbooks in Threat Intelligence Security Center guide analysts through structured threat investigation stages. Each stage defines the actions to complete before the case advances to the next phase of the response process.

When a Case record is created in Threat Intelligence Security Center with the appropriate Case type and status, a playbook starts automatically. The playbook appears in the Playbooks tab of the Case record and shows the current stage, pending activities, and overall progress. The Threat Hunting playbook runs once per Case. After the playbook reaches completion, you can't run it on the same Case. You can add the playbook again for cancelled executions.

How stages work

A playbook moves through a fixed sequence of stages. Each stage contains activities — such as entering data, completing tasks, or waiting for an approval. You must complete all required activities in a stage before the case owner can advance the playbook to the next stage.

The Playbooks tab shows which stage is active and what activities remain. The playbook marks completed stages so you can track progress at a glance.

Analyst contributions

Any analyst with access to a Case record can read playbook details and contribute information at each stage. Typical analyst activities include recording findings, linking related entities, selecting MITRE ATT&CK techniques, and completing case tasks.

Stage transitions and approval decisions are made by the case owner — the user in the Assigned to field. If you aren't the case owner, complete your assigned activities and notify the case owner when the stage is ready to advance.

Monitoring playbook status

While you work on other tabs of the Case record, you can monitor playbook status from the Playbook card in the right-side context menu. The card shows the current stage and lets you cancel the playbook if needed.

The system adds a work note to the Case record when the playbook starts. Check the work notes for a record of key playbook events, including stage transitions and completion.

Playbook completion

A playbook runs once per Case. After it reaches completion, it can't run again on the same Case. If a playbook execution is cancelled, the case owner or an administrator can attach the playbook again manually.

At the final stage, analysts typically create a security incident or a report to document the outcome. This action requires create access on the Security Incident table. If you don't have this access, the playbook does not display the option.