Threat Hunting Playbook
Summary of Threat Hunting Playbook
The Threat Hunting Playbook is a guided workflow designed for TISC Case records in ServiceNow, helping security analysts systematically progress a threat hunt from initial hypothesis to final resolution. It provides structured stages for managing and documenting the hunt, ensuring consistency and thoroughness throughout the investigation. The playbook executes once per Case and is accessible via the Playbooks tab on the Case record.
Workflow Stages
- Intake: Capture the initial hunt hypothesis and link related entities.
- Triage: The case owner reviews the hypothesis and decides whether to proceed or cancel the hunt.
- Scoping: Select relevant MITRE TTPs, define hunt scenarios, and create tasks for analysts.
- Hunt: Analysts document findings and track task statuses.
- Review Outcomes: Consolidate findings, recommendations, and closure summary.
- Post Hunt: Create a Security Incident or generate a report to complete the playbook.
Playbook Initiation
The playbook auto-initiates when a Case is created with Case Type set to Threat Hunting and Status set to Draft. A system work note confirms playbook initiation, and execution details appear in the Playbooks tab. Note that the playbook is shipped deactivated by default; administrators must activate it before auto-initiation functions.
If Cases do not meet auto-trigger conditions, the playbook can be manually attached.
Roles and Permissions
- Any user with Case access can view and update the hunt hypothesis, scenarios, and findings.
- The case owner (assigned user) has exclusive rights to approve or reject stages, transition workflow stages, and make key decisions.
- Users with create access to the Security Incident table can generate Security Incidents during the Post Hunt stage.
Practical Usage
While working on the Case, users can monitor playbook status and cancel executions via the Playbook card in the Case record’s right-side context menu. This enables convenient oversight without navigating away from other Case tabs.
The playbook supports structured threat hunts by guiding analysts through hypothesis formulation, scenario development, task management, documentation of findings, and formal closure through incident creation or reporting.
The Threat Hunting playbook is a guided workflow for a TISC Case record that helps analysts move a threat hunt from an initial hypothesis to a final outcome.
You can view and manage playbook executions in the Playbooks tab of the Case record. The Threat Hunting playbook runs once per Case: once an execution has completed, the playbook can't be run again on that Case, but if an execution was cancelled you can add the playbook to the Case again.
Workflow stages
- Intake — Capture the hunt hypothesis and link related entities.
- Triage — The case owner reviews the hunt hypothesis from Intake and decides whether to proceed with the hunt or cancel it.
- Scoping — Select MITRE TTPs, define hunt scenarios, and create hunt tasks for analysts.
- Hunt — Analysts record findings; case-task status is tracked here.
- Review Outcomes — Review aggregated findings, recommendations, and closure summary.
- Post Hunt — Create a Security Incident or a report and complete the playbook.
How the playbook is initiated
The playbook is initiated automatically when a Case is created with the following values:
- Case Type: Threat Hunting
- Status: Draft
A system work note on the Case record indicates that the playbook has been initiated. Open the Playbooks tab on the Case record to view execution details.
You can also attach the playbook manually to a Case that does not meet the auto-trigger conditions. For details, see Add the Threat Hunting Playbook to a Case.
Roles and permissions
Any user with access to a Case record can read playbook details and contribute information at each stage. The case owner (the user in the Assigned to field) is the decision-maker for approvals and stage transitions.
| Action | Who can do it |
|---|---|
| Update the hunt hypothesis, scenarios, or findings | Any user with access to the Case record. |
| Approve or reject the hypothesis (Triage) | Case owner only. |
| Approve or reject hunt scenarios (Scoping) | Case owner only. |
| Transition between stages | Case owner only. |
| Create a Security Incident (Post Hunt) | Users with create access on the Security Incident table. If the user does not have this access, the Create Security Incident action is not displayed. |
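The following is an added illustration, not ServiceNow code or part of this documentation: a small JavaScript model of the lifecycle and permission rules described in the Workflow stages, How the playbook is initiated, and Roles and permissions sections. It encodes the auto-trigger condition (Case Type = Threat Hunting, Status = Draft), the run-once-per-Case rule with re-attachment after cancellation, owner-only stage transitions and cancellation, and the create-access gate on Security Incident creation. The class names, the `canCreate` list on the user object, and the `PlaybookRegistry` keyed by Case number are assumptions made for the model; no real table names or Glide APIs are used.

```javascript
// Constructed model of the Threat Hunting playbook rules on this page (not ServiceNow code).
// Stage order as documented; transitions only move forward one stage at a time.
const STAGES = ["Intake", "Triage", "Scoping", "Hunt", "Review Outcomes", "Post Hunt"];

// Auto-initiation condition: Case Type = Threat Hunting and Status = Draft.
function shouldAutoInitiate(caseRecord) {
  return caseRecord.caseType === "Threat Hunting" && caseRecord.status === "Draft";
}

class ThreatHuntPlaybook {
  constructor(caseRecord) {
    this.case = caseRecord;          // assumed shape: { number, caseType, status, assignedTo, ... }
    this.stage = STAGES[0];
    this.state = "running";          // running | cancelled | completed
    this.workNotes = [`Threat Hunting playbook initiated on ${caseRecord.number}`];
  }

  // Any user with Case access may contribute content (hypothesis, scenarios, findings).
  contribute(user, field, value) {
    this._requireRunning();
    this.case[field] = value;
    this.workNotes.push(`${user.name} updated ${field}`);
  }

  // Approvals and stage transitions are reserved for the case owner (Assigned to).
  advance(user) {
    this._requireOwner(user);
    this._requireRunning();
    const idx = STAGES.indexOf(this.stage);
    if (idx === STAGES.length - 1) throw new Error("already at final stage");
    this.stage = STAGES[idx + 1];
    this.workNotes.push(`${user.name} moved the hunt to ${this.stage}`);
    return this.stage;
  }

  // Owner rejects at Triage (or Scoping): the hunt is cancelled.
  cancel(user) {
    this._requireOwner(user);
    this._requireRunning();
    this.state = "cancelled";
    this.workNotes.push(`${user.name} cancelled the hunt at ${this.stage}`);
    return this.state;
  }

  // Post Hunt: gated on create access to the Security Incident table, not on ownership.
  // Returns null when the user lacks access (the action would not be displayed to them).
  createSecurityIncident(user) {
    this._requireRunning();
    if (this.stage !== "Post Hunt") throw new Error("Security Incident creation only in Post Hunt");
    if (!user.canCreate.includes("Security Incident")) return null;
    this.state = "completed";
    this.workNotes.push(`${user.name} created a Security Incident; playbook completed`);
    return { source: this.case.number, description: this.case.hypothesis };
  }

  _requireOwner(user) {
    if (user.name !== this.case.assignedTo) throw new Error("case owner only");
  }

  _requireRunning() {
    if (this.state !== "running") throw new Error(`playbook execution is ${this.state}`);
  }
}

// Enforces "runs once per Case": a completed or running execution blocks re-attachment,
// a cancelled one does not. manual=true models attaching to a Case that missed the auto-trigger.
class PlaybookRegistry {
  constructor() { this.executions = new Map(); }

  attach(caseRecord, manual = false) {
    if (!manual && !shouldAutoInitiate(caseRecord)) return null;
    const existing = this.executions.get(caseRecord.number);
    if (existing && existing.state !== "cancelled") {
      throw new Error(`playbook already ${existing.state} on ${caseRecord.number}`);
    }
    const pb = new ThreatHuntPlaybook(caseRecord);
    this.executions.set(caseRecord.number, pb);
    return pb;
  }
}
```

The design point worth noting is that the two authorization checks differ in kind: stage transitions are tied to a relationship with the record (being the assignee), while incident creation is tied to a table-level privilege, so an owner without create access still cannot raise a Security Incident and a non-owner with create access can.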