Using playbooks
Summary of Using playbooks
Playbooks in Threat Intelligence Security Center (TISC) provide a structured, step-by-step workflow for threat investigation cases. They guide analysts through predefined stages, ensuring all necessary actions are completed before advancing to the next phase. Playbooks automatically start when a Case record with the correct type and status is created, and the current progress is visible in the Playbooks tab of the Case record.
How Playbooks Work
- Playbooks progress through a fixed sequence of stages, each containing required activities such as data entry, task completion, or approvals.
- All activities in a stage must be completed before the case owner can move the playbook to the next stage.
- The Playbooks tab displays the active stage, pending activities, and marks completed stages for easy progress tracking.
Analyst Contributions and Case Ownership
- Any analyst with access to a Case record can view playbook details and contribute by recording findings, linking entities, selecting MITRE ATT&CK techniques, and completing tasks.
- Stage transitions and approval decisions are controlled by the case owner (the user assigned in the Assigned to field).
- Non-owners should complete assigned activities and notify the case owner when ready to advance stages.
Monitoring and Managing Playbooks
- The Playbook card in the Case record’s right-side context menu shows the current stage and allows cancelling the playbook if necessary.
- Work notes automatically record key playbook events such as start, stage transitions, and completion for audit and tracking.
- Each playbook runs once per Case; after completion, it cannot be rerun on the same Case unless a previous execution was cancelled, in which case it can be manually re-added by the case owner or administrator.
Playbook Completion and Outcomes
- Upon completing the final stage, analysts typically create a security incident or report documenting the investigation outcome.
- Creating a security incident requires appropriate create access on the Security Incident table; if access is lacking, this option will not appear in the playbook.
Threat Hunting Playbook
The Threat Hunting playbook is a specific guided workflow designed to help analysts progress a threat hunt from hypothesis to final outcome within a TISC Case record. It supports systematic investigation and documentation, enhancing case management and response efficiency.
Playbooks in Threat Intelligence Security Center guide analysts through structured threat investigation stages. Each stage defines the actions to complete before the case advances to the next phase of the response process.
When a Case record is created in Threat Intelligence Security Center with the appropriate Case type and status, the matching playbook starts automatically. It appears in the Playbooks tab of the Case record, which shows the current stage, the pending activities, and overall progress. The Threat Hunting playbook runs once per Case: after it reaches completion it can't be run again on that Case, though a cancelled execution can be added again.
How stages work
A playbook moves through a fixed sequence of stages. Each stage contains activities, such as entering data, completing tasks, or waiting for an approval. All required activities in a stage must be complete before the case owner can advance the playbook to the next stage.
The Playbooks tab shows which stage is active and what activities remain. The playbook marks completed stages so you can track progress at a glance.
Analyst contributions
Any analyst with access to a Case record can read playbook details and contribute information at each stage. Typical analyst activities include recording findings, linking related entities, selecting MITRE ATT&CK techniques, and completing case tasks.
Stage transitions and approval decisions are made by the case owner, the user in the Assigned to field. If you aren't the case owner, complete your assigned activities and notify the case owner when the stage is ready to advance.
Playbook completion
A playbook runs once per Case. After it reaches completion, it can't run again on the same Case. If a playbook execution is cancelled, the case owner or an administrator can attach the playbook again manually.
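The rules described above (a fixed stage order, every required activity complete before a transition, owner-only transitions, one run per Case unless a cancelled execution is re-added by the owner or an administrator, and work notes for start, stage transitions and completion) amount to a small state machine. The following is an added example written for this page in plain Python; it is not ServiceNow code and not the TISC implementation, and it uses no real table or field names. The stage names in `THREAT_HUNT_STAGES`, the activity names, the user names, the `ADMINS` set, and the assumption that only the case owner can cancel a run are all constructed for illustration.

```python
"""Illustrative model of the playbook rules on this page. This is an added example in plain
Python, not ServiceNow code and not the TISC implementation (no real table or field names).
It enforces a fixed stage order, completion of every required activity before a stage can
advance, owner-only transitions, one run per Case unless cancelled, and work-note audit entries."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ADMINS = {"admin"}                       # constructed: may re-add a cancelled playbook
Template = List[Tuple[str, List[str]]]  # ordered (stage name, required activities)

class PlaybookError(Exception):
    """Raised when an action would violate a playbook rule."""

@dataclass
class PlaybookRun:
    case_id: str
    owner: str                           # the Case's "Assigned to" user
    stages: Template
    current: int = 0
    status: str = "active"               # active | completed | cancelled
    done: List[Set[str]] = field(init=False)
    work_notes: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.done = [set() for _ in self.stages]
        self.work_notes.append(f"Playbook started on {self.case_id}; stage '{self.stage}'")

    @property
    def stage(self) -> str:
        return self.stages[self.current][0]

    def pending(self) -> List[str]:
        return [a for a in self.stages[self.current][1] if a not in self.done[self.current]]

    def _check(self, actor: Optional[str] = None) -> None:
        if self.status != "active":
            raise PlaybookError(f"playbook on {self.case_id} is {self.status}")
        if actor is not None and actor != self.owner:
            raise PlaybookError(f"{actor} is not the case owner ({self.owner})")

    def complete_activity(self, actor: str, activity: str) -> None:
        self._check()  # any analyst with access to the Case may complete an activity
        if activity not in self.stages[self.current][1]:
            raise PlaybookError(f"'{activity}' is not part of stage '{self.stage}'")
        self.done[self.current].add(activity)
        self.work_notes.append(f"{actor} completed '{activity}' in '{self.stage}'")

    def advance(self, actor: str) -> None:
        self._check(actor)  # owner-only, and only once nothing in the stage is pending
        if self.pending():
            raise PlaybookError(f"stage '{self.stage}' still pending: {self.pending()}")
        if self.current == len(self.stages) - 1:
            self.status = "completed"
            self.work_notes.append(f"Playbook completed on {self.case_id}")
        else:
            previous, self.current = self.stage, self.current + 1
            self.work_notes.append(f"Stage transition '{previous}' -> '{self.stage}'")

    def cancel(self, actor: str) -> None:
        self._check(actor)  # modelling assumption: only the case owner cancels
        self.status = "cancelled"
        self.work_notes.append(f"Playbook cancelled on {self.case_id} by {actor}")

class Case:
    def __init__(self, case_id: str, owner: str) -> None:
        self.case_id, self.owner, self.runs = case_id, owner, []

    def start_playbook(self, template: Template, actor: Optional[str] = None) -> PlaybookRun:
        """One run per Case. The first run starts automatically (actor None); re-adding needs
        every earlier run cancelled and an actor who is the case owner or an administrator."""
        if any(r.status != "cancelled" for r in self.runs):
            raise PlaybookError(f"playbook already active or completed on {self.case_id}")
        if self.runs and actor != self.owner and actor not in ADMINS:
            raise PlaybookError("only the case owner or an administrator can re-add it")
        self.runs.append(PlaybookRun(self.case_id, self.owner, template))
        return self.runs[-1]

THREAT_HUNT_STAGES: Template = [  # constructed for illustration, not the product's stage list
    ("Hypothesis", ["record_hypothesis", "select_attack_techniques"]),
    ("Investigation", ["link_entities", "record_findings"]),
    ("Outcome", ["create_incident_or_report"])]

def attempt(action, *args) -> bool:  # True if the playbook rules allowed the action
    try:
        action(*args)
        return True
    except PlaybookError:
        return False

def demo() -> PlaybookRun:
    """Run one constructed Case to completion: alice owns it, bob is a non-owner analyst."""
    case = Case("case-0001", owner="alice")
    run = case.start_playbook(THREAT_HUNT_STAGES)
    for _, activities in THREAT_HUNT_STAGES:
        for activity in activities:
            run.complete_activity("bob", activity)  # analysts contribute the activities...
        run.advance("alice")                        # ...only the owner moves the stage on
    return run
```

`demo()` drives a constructed Case to completion with a non-owner analyst (`bob`) doing the work and the owner (`alice`) advancing each stage, leaving a work-note trail of the start, two stage transitions and the completion. `attempt()` wraps any action and reports whether the rules allowed it; use it to confirm that a stage with pending activities cannot be advanced, that a non-owner cannot advance or cancel, that a completed or active run cannot be started again on the same Case, and that after a cancellation only the owner or an administrator can add the playbook back.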
At the final stage, analysts typically create a security incident or a report to document the outcome. This action requires create access on the Security Incident table. If you don't have this access, the playbook does not display the option.