Threat Hunting Playbook

  • Release version: Yokohama
  • Updated May 20, 2026

    The Threat Hunting playbook is a guided workflow for a TISC Case record that helps analysts move a threat hunt from an initial hypothesis to a final outcome.

    You can view and manage the playbook executions in the Playbooks tab of the Case record. The Threat Hunting playbook runs once per Case. After the playbook reaches completion, you can't run it on the same Case. You can add the playbook again for cancelled executions.

    Workflow stages

    1. Intake — Capture the hunt hypothesis and link related entities.
    2. Triage — The case owner reviews the hunt hypothesis from Intake and decides whether to proceed with the hunt or cancel it.
    3. Scoping — Select MITRE TTPs, define hunt scenarios, and create hunt tasks for analysts.
    4. Hunt — Analysts record findings; case-task status is tracked here.
    5. Review Outcomes — Review aggregated findings, recommendations, and closure summary.
    6. Post Hunt — Create a Security Incident or a report and complete the playbook.

    How the playbook is initiated

    The playbook is initiated automatically when a Case is created with the following values:

    • Case Type: Threat Hunting
    • Status: Draft

    A system work note on the Case record indicates that the playbook has been initiated. Open the Playbooks tab on the Case record to view execution details.

    Important:
    The Threat Hunting Playbook is shipped in a deactivated state. Before the auto-initiation takes effect, an administrator must activate the playbook. For details, see Activate the Threat Hunting Playbook.

    You can also attach the playbook manually to a Case that does not meet the auto-trigger conditions. For details, see Add the Threat Hunting Playbook to a Case.

    Roles and permissions

    Any user with access to a Case record can read playbook details and contribute information at each stage. The case owner (the user in the Assigned to field) is the decision-maker for approvals and stage transitions.

    Table 1. Stage actions and required role

    • Update the hunt hypothesis, scenarios, or findings: any user with access to the Case record.
    • Approve or reject the hypothesis (Triage): case owner only.
    • Approve or reject hunt scenarios (Scoping): case owner only.
    • Transition between stages: case owner only.
    • Create a Security Incident (Post Hunt): users with create access on the Security Incident table. If the user does not have this access, the Create Security Incident action is not displayed.
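    The lifecycle rules above (auto-initiation conditions, owner-only stage transitions, one run per Case with re-add after cancellation, and the Post Hunt permission check) can be modelled as a small state machine. The following is an added illustration, not ServiceNow or TISC code: the class, function and field names (User, Case, PlaybookExecution, add_playbook, auto_initiate, demo) are invented for this example, the case numbers are constructed sample values, and treating cancellation as owner-only and refusing a second concurrent run are assumptions of the model, not statements from the documentation.

```python
"""Model of the Threat Hunting playbook lifecycle rules this page describes.

Added illustration, not ServiceNow code: names here are invented for the
example. The rules enforced are the documented ones: auto-initiation only for
Case Type "Threat Hunting" with Status "Draft" once an administrator has
activated the playbook, stage transitions by the case owner (Assigned to) only,
one run per Case with re-add allowed after cancellation, and Create Security
Incident restricted to users with create access on the Security Incident table.
"""
from dataclasses import dataclass, field

STAGES = ["Intake", "Triage", "Scoping", "Hunt", "Review Outcomes", "Post Hunt"]


@dataclass
class User:
    name: str
    can_create_security_incident: bool = False


@dataclass
class Case:
    number: str            # constructed sample value, not a real record
    case_type: str
    status: str
    owner: User            # the user in the Assigned to field
    executions: list = field(default_factory=list)


class PlaybookExecution:
    """One execution of the playbook on a Case (what the Playbooks tab lists)."""

    def __init__(self, case):
        self.case = case
        self.stage_index = 0           # starts at Intake
        self.state = "in progress"     # in progress | completed | cancelled
        self.security_incident_created = False

    @property
    def stage(self):
        return STAGES[self.stage_index]

    def _require_owner(self, actor):
        if self.state != "in progress":
            raise PermissionError("execution is " + self.state)
        if actor is not self.case.owner:
            raise PermissionError("only the case owner can do this")

    def transition(self, actor):
        """Advance one stage; Table 1 makes this case-owner only."""
        self._require_owner(actor)
        if self.stage == "Post Hunt":
            raise ValueError("already at Post Hunt; use complete()")
        self.stage_index += 1
        return self.stage

    def cancel(self, actor):
        """Cancel the hunt (the Triage decision). Owner-only is an assumption:
        the page does not state who may cancel from the Playbook card."""
        self._require_owner(actor)
        self.state = "cancelled"

    def create_security_incident(self, actor):
        """Post Hunt action; not offered to users without create access."""
        if self.stage != "Post Hunt" or self.state != "in progress":
            return False
        if not actor.can_create_security_incident:
            return False
        self.security_incident_created = True
        return True

    def complete(self, actor):
        """Finish the playbook at Post Hunt; a completed run cannot be re-run."""
        self._require_owner(actor)
        if self.stage != "Post Hunt":
            raise ValueError("complete only from Post Hunt")
        self.state = "completed"


def add_playbook(case):
    """Attach the playbook (auto or manual). Runs once per Case: a completed
    execution blocks re-adding, a cancelled one does not. Refusing a second
    concurrent run is an assumption of this model."""
    for ex in case.executions:
        if ex.state in ("completed", "in progress"):
            raise ValueError("playbook already " + ex.state + " on this Case")
    ex = PlaybookExecution(case)
    case.executions.append(ex)
    return ex


def auto_initiate(case, playbook_active):
    """Auto-initiation on Case creation. Returns the execution or None."""
    if not playbook_active:
        return None            # shipped deactivated; an administrator activates
    if case.case_type != "Threat Hunting" or case.status != "Draft":
        return None
    return add_playbook(case)


def demo():
    """Walk one hunt end to end and return the observations made on the way."""
    owner = User("hunt-lead", can_create_security_incident=True)
    analyst = User("analyst")
    case = Case("CASE0001", "Threat Hunting", "Draft", owner)  # constructed
    results = {"inactive": auto_initiate(case, playbook_active=False) is None}
    ex = auto_initiate(case, playbook_active=True)
    results["initiated_at"] = ex.stage
    try:
        ex.transition(analyst)
        results["analyst_transition"] = "allowed"
    except PermissionError:
        results["analyst_transition"] = "denied"
    while ex.stage != "Post Hunt":
        ex.transition(owner)
    results["analyst_can_create_si"] = ex.create_security_incident(analyst)
    results["owner_can_create_si"] = ex.create_security_incident(owner)
    ex.complete(owner)
    try:
        add_playbook(case)
        results["re_add_after_complete"] = "allowed"
    except ValueError:
        results["re_add_after_complete"] = "denied"
    other = Case("CASE0002", "Threat Hunting", "Draft", owner)  # constructed
    first = auto_initiate(other, playbook_active=True)
    first.transition(owner)        # Intake -> Triage
    first.cancel(owner)            # owner decides not to proceed
    results["re_add_after_cancel"] = add_playbook(other).stage
    return results
```

    Running demo() shows the two cases side by side: on the first Case the analyst is refused a stage transition and the Create Security Incident action, the owner can do both, and once the run is completed the playbook cannot be added again; on the second Case the owner cancels at Triage, so a fresh execution starting at Intake can be attached.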

    Playbook card in the context menu

    While you work on other tabs of the Case record, you can monitor playbook status and cancel the playbook from the Playbook card in the right-side context menu.