Threat Hunting Playbook
The Threat Hunting playbook is a guided workflow for a TISC Case record that helps analysts move a threat hunt from an initial hypothesis to a final outcome.
You can view and manage the playbook executions in the Playbooks tab of the Case record. The Threat Hunting playbook runs once per Case. After the playbook reaches completion, you can't run it on the same Case. You can add the playbook again for cancelled executions.
Workflow stages
- Intake — Capture the hunt hypothesis and link related entities.
- Triage — The case owner reviews the hunt hypothesis from Intake and decides whether to proceed with the hunt or cancel it.
- Scoping — Select MITRE TTPs, define hunt scenarios, and create hunt tasks for analysts.
- Hunt — Analysts record findings; case-task status is tracked here.
- Review Outcomes — Review aggregated findings, recommendations, and closure summary.
- Post Hunt — Create a Security Incident or a report and complete the playbook.
How the playbook is initiated
The playbook is initiated automatically when a Case is created with the following values:
- Case Type: Threat Hunting
- Status: Draft
A system work note on the Case record indicates that the playbook has been initiated. Open the Playbooks tab on the Case record to view execution details.
You can also attach the playbook manually to a Case that does not meet the auto-trigger conditions. For details, see Add the Threat Hunting Playbook to a Case.
Roles and permissions
Any user with access to a Case record can read playbook details and contribute information at each stage. The case owner (the user in the Assigned to field) is the decision-maker for approvals and stage transitions.
| Action | Who can do it |
|---|---|
| Update the hunt hypothesis, scenarios, or findings | Any user with access to the Case record. |
| Approve or reject the hypothesis (Triage) | Case owner only. |
| Approve or reject hunt scenarios (Scoping) | Case owner only. |
| Transition between stages | Case owner only. |
| Create a Security Incident (Post Hunt) | Users with create access on the Security Incident table. If the user does not have this access, the Create Security Incident action is not displayed. |
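The auto-trigger condition, the once-per-Case rule, and the role gates in the table above, as an added executable model (not ServiceNow's own code). It assumes a Case is a dict with `case_type`, `status` and `assigned_to` keys, and it treats completing the playbook and reworking rejected scenarios as owner-only actions, which the page does not state explicitly.

```python
from dataclasses import dataclass

STAGES = ["Intake", "Triage", "Scoping", "Hunt", "Review Outcomes", "Post Hunt"]

@dataclass
class User:
    name: str
    can_create_security_incident: bool = False  # create access on the Security Incident table

@dataclass
class PlaybookRun:
    case_owner: str         # the Case's "Assigned to" user
    stage: str = "Intake"
    status: str = "active"  # active | completed | cancelled

def should_auto_initiate(case: dict) -> bool:
    """Auto-trigger condition: Case Type 'Threat Hunting' with Status 'Draft'."""
    return case.get("case_type") == "Threat Hunting" and case.get("status") == "Draft"

def attach_playbook(case: dict, existing: list) -> PlaybookRun:
    """Once per Case: an active or completed run blocks a new one; a cancelled run does not."""
    if any(r.status in ("active", "completed") for r in existing):
        raise ValueError("playbook is already running or has completed on this Case")
    return PlaybookRun(case_owner=case["assigned_to"])

def decide(run: PlaybookRun, user: User, approve: bool) -> PlaybookRun:
    """Approvals, rejections and stage transitions are reserved for the case owner."""
    if run.status != "active":
        raise ValueError(f"run is {run.status}")
    if user.name != run.case_owner:
        raise PermissionError("only the case owner can approve, reject or transition stages")
    if not approve:
        if run.stage == "Triage":
            run.status = "cancelled"  # rejected hypothesis cancels the hunt
        return run  # rejected scenarios stay in Scoping for rework (modeling assumption)
    if run.stage == "Post Hunt":
        run.status = "completed"  # completing the playbook (assumed owner-only, like transitions)
    else:
        run.stage = STAGES[STAGES.index(run.stage) + 1]
    return run

def post_hunt_actions(user: User) -> list:
    """The Create Security Incident action is shown only with create access on that table."""
    actions = ["Create report", "Complete playbook"]
    if user.can_create_security_incident:
        actions.insert(0, "Create Security Incident")
    return actions
```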