Security Incident Response playbooks
You can invoke the security incident playbook flow automatically or manually.
A Playbook is visible only if at least one playbook is associated with a security incident. The playbook component works only with processes built in Process Automation Designer (PAD), not with flows built in Flow Designer. Existing Flow Designer-enabled flows continue to work, and their activities continue to be rendered as response tasks.
Security Incident Response supports two types of Playbooks:
In addition to the listed playbooks, the Security Operations Spoke contains subflows that can be called from the flows playbook. Ransomware is one of those subflows.
Activate these flows before you use them. For more information, see Activate a Security Incident Response flow.