Using playbooks
Summary of Using playbooks
Playbooks in Threat Intelligence Security Center (TISC) guide analysts through structured stages of threat investigation, ensuring a consistent and thorough response process. Each Case record with the appropriate type and status automatically starts a playbook, which appears under the Playbooks tab. The playbook tracks the current stage, pending activities, and overall progress.
How playbooks operate
A playbook progresses through a fixed sequence of stages. Each stage contains required activities such as data entry, task completion, or approvals that must be finished before advancing. The Playbooks tab clearly shows the active stage, remaining activities, and marks completed stages for easy progress tracking.
Analyst collaboration
Any analyst with Case access can view playbook details and contribute by recording findings, linking entities, selecting MITRE ATT&CK techniques, and completing assigned tasks. However, only the case owner (assigned user) can make decisions to advance stages or approve transitions. Non-owners should complete their tasks and notify the case owner when ready to proceed.
Monitoring and managing playbooks
The Playbook card in the right-side context menu allows analysts to monitor the current stage and cancel the playbook if necessary. The system logs key events such as playbook start, stage transitions, and completion as work notes on the Case record for audit and review.
Playbook completion and reuse
Each playbook runs once per Case and cannot be rerun after completion. If a playbook execution is cancelled, the case owner or administrator can manually add the playbook again. At the final stage, analysts typically create a security incident or report documenting the outcome, which requires create access to the Security Incident table. Without this access, the option will not be available.
Threat Hunting Playbook
The Threat Hunting playbook is a specific guided workflow that helps analysts progress a threat hunt from initial hypothesis to final outcome within a TISC Case. It supports structured investigation and decision-making.
Playbooks in Threat Intelligence Security Center guide analysts through structured threat investigation stages. Each stage defines the actions to complete before the case advances to the next phase of the response process.
When a Case record is created in Threat Intelligence Security Center with the appropriate Case type and status, a playbook starts automatically. The playbook appears in the Playbooks tab of the Case record and shows the current stage, pending activities, and overall progress. The Threat Hunting playbook runs once per Case. After the playbook reaches completion, you can't run it on the same Case. You can add the playbook again for cancelled executions.
How stages work
A playbook moves through a fixed sequence of stages. Each stage contains activities — such as entering data, completing tasks, or waiting for an approval. You must complete all required activities in a stage before the case owner can advance the playbook to the next stage.
The Playbooks tab shows which stage is active and what activities remain. The playbook marks completed stages so you can track progress at a glance.
Analyst contributions
Any analyst with access to a Case record can read playbook details and contribute information at each stage. Typical analyst activities include recording findings, linking related entities, selecting MITRE ATT&CK techniques, and completing case tasks.
Stage transitions and approval decisions are made by the case owner — the user in the Assigned to field. If you aren't the case owner, complete your assigned activities and notify the case owner when the stage is ready to advance.
Playbook completion
A playbook runs once per Case. After it reaches completion, it can't run again on the same Case. If a playbook execution is cancelled, the case owner or an administrator can attach the playbook again manually.
At the final stage, analysts typically create a security incident or a report to document the outcome. This action requires create access on the Security Incident table. If you don't have this access, the playbook does not display the option.
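The stage, ownership and completion rules described in the sections above, modelled as a small state machine. This is an added example, not ServiceNow or TISC code; the stage and activity names passed in by a caller are hypothetical, and the model only enforces the rules the page states (fixed stage order, required activities gating advancement, owner-only transitions, run-once completion, re-attach only after cancellation).

```python
from dataclasses import dataclass, field

class PlaybookError(Exception):
    """Raised when an action would violate the playbook rules."""

@dataclass
class Playbook:
    stages: list           # fixed stage order
    required: dict         # stage -> set of activities that gate advancement
    owner: str             # user in the Case's "Assigned to" field
    index: int = 0
    done: dict = field(default_factory=dict)   # stage -> completed activities
    state: str = "active"  # active | completed | cancelled
    @property
    def stage(self) -> str:
        return self.stages[self.index]
    def record(self, activity: str) -> None:
        """Any analyst with Case access may complete an activity of the active stage."""
        if self.state != "active":
            raise PlaybookError(f"playbook is {self.state}")
        if activity not in self.required[self.stage]:
            raise PlaybookError(f"{activity!r} is not an activity of {self.stage!r}")
        self.done.setdefault(self.stage, set()).add(activity)
    def advance(self, user: str) -> str:
        """Only the owner advances, and only once the stage's required work is done."""
        if self.state != "active":
            raise PlaybookError(f"playbook is {self.state}")
        if user != self.owner:
            raise PlaybookError("only the case owner can advance the playbook")
        missing = self.required[self.stage] - self.done.get(self.stage, set())
        if missing:
            raise PlaybookError(f"stage {self.stage!r} incomplete: {sorted(missing)}")
        if self.index == len(self.stages) - 1:
            self.state = "completed"   # terminal: the playbook cannot run again
            return self.state
        self.index += 1
        return self.stage
    def cancel(self) -> None:
        if self.state != "active":
            raise PlaybookError(f"playbook is {self.state}")
        self.state = "cancelled"

class Case:
    """Holds one playbook execution; only a cancelled one may be attached again."""
    def __init__(self, owner: str):
        self.owner, self.playbook = owner, None
    def attach(self, stages: list, required: dict) -> "Playbook":
        if self.playbook is not None and self.playbook.state != "cancelled":
            raise PlaybookError("the playbook already ran on this Case")
        self.playbook = Playbook(list(stages), {s: set(a) for s, a in required.items()}, self.owner)
        return self.playbook
```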