Alert Playbooks tab

The Playbooks tab displays in the Cases page when there is a playbook attached to an alert. When clicking on a playbook in this tab, the playbook summary appears in a side drawer.

This shows the following information:

  • Playbook Name and Status
  • Pending Actions: waiting for user input: if the playbook is waiting for the security engineer to do something, it is displayed prominently at the top of the playbook summary. In addition, a push notification is sent to the relevant user letting them know that the playbook is waiting for them.
  • Time and Length of Playbook Run
  • Integrations: list of integrations being used by this playbook. When clicking on an integration, the specific step is marked in the playbook viewer so that the analyst can find the step that they want to focus on.
  • Playbook Flow: each step that was run with its status and step result.
  • Errors: any errors are listed here. If an error caused the playbook to stop, it is highlighted at the top of the summary, but if it was skipped, it is at the bottom. You can also choose to rerun the action or playbook from here.

You can also click any of the playbook steps to see information relating to that step only in the side drawer.


The following actions are available at the top of the Playbooks tab:

  • Refresh
  • Jump to case wall jumptocasewallicon takes you to the case wall directly from the Playbooks tab.
  • Add: add a new playbook. Here you can choose which playbook to add to the case.

Playbooks that are attached to alerts in a case can be rerun by clicking replay Rerun Playbook. For more information, see Rerun playbooks.