Building Routing Rule Playbooks
Use this guide to create an alert triage playbook manually, without using the AI SOC automation available in a Case Management record, for example to prepare automation before alerts arrive, or to build a playbook in Orchestration and link it on a Signal Routing Rules record directly. For the plan-driven path (Generate Plan → Create a Playbook on a case, with the routing rule linked automatically), see Creating Automation. For rule conditions, order, and testing, see Signal Routing Rules (Rule).

Plan-driven vs manual playbook creation

| Approach | When to use | How the routing rule is linked |
| --- | --- | --- |
| Plan driven (AI SOC on a case) | You have a Case Management record and an investigation plan | Create a playbook from the Automation section; the solution creates or updates the routing rule and associates the playbook |
| Manual (Orchestration) | No case yet, or you want full control in the playbook builder | Create the playbook under Orchestration → Playbooks, then open a Signal Routing Rules record and associate it |

Both approaches produce playbooks that run when a matching rule fires. Manual creation uses the same Rule Execute flow event and verdict pattern the package expects.

How routing invokes a playbook

When an enabled routing rule matches a Case Management record, the rules engine emits a Rule Execute flow event that includes the rule's Rule UUID and a Tracking ID for the matched record. A compatible playbook listens for that event, loads the record, runs your investigation steps, and finishes with a verdict so the case is updated. A single routing rule runs one playbook; use separate rules and playbooks for different patterns.

Prerequisites for a routing playbook

Before you associate a playbook on a routing rule, configure the playbook as follows.

| Prerequisite | What to configure |
| --- | --- |
| Rule Execute flow event trigger | Add a Flow Event trigger. Choose Existing Flow Event (not Create New) and select Rule Execute (rule execute). This sensor ships with the AI SOC bundle. After you select it, Event Data should expose Rule UUID and Tracking ID. If the fields do not appear, save the playbook and reload the builder. |
| Search Records for the case | Add a Search Records (or equivalent) action that loads the Case Management record using the flow event Tracking ID (for example, Tracking ID equals the event's Tracking ID). You need the record in the flow before later steps run. |
| Verdict component at the end | Add the AI SOC verdict step (for example, AI SOC Case Hero AI Analysis, or the verdict component from your package) as the last step so the alert receives an AI verdict and the case updates. Steps between Search Records and the verdict are optional. |
| $actions on the verdict | In the verdict component's Evidence (or equivalent) section, set the expression to $actions so verdict generation uses outputs from earlier actions in the flow. |
| Single flow | Keep all steps in one flow. |

Rule UUID on the trigger: you do not add the Rule UUID condition yourself when you first build the playbook. After you associate the playbook on a routing rule and choose Apply Rule to Playbook, the platform adds a trigger condition so Rule UUID matches that rule. Open the playbook in Orchestration, refresh, and confirm the condition appears (for example, Rule UUID matches the rule's identifier).

$actions in the UI: the Evidence field may look empty if you leave the verdict step and return later, even though $actions is saved. Check the playbook YAML if you need to confirm the value is present.

Create a playbook manually in Orchestration

1. Go to Orchestration → Playbooks and create a new playbook.
2. Add a Flow Event trigger. In the trigger configuration, select Existing Flow Event and choose Rule Execute (rule execute).
3. Confirm Event Data includes Rule UUID and Tracking ID. Save and reload the playbook if the fields are missing.
4. Add Search Records (or your package's record lookup action). Map Tracking ID from the flow event so the flow loads the matched Case Management record.
5. Add any investigation or response components you need between lookup and verdict.
6. Add the AI SOC verdict component as the final step.
7. In the verdict step, open Evidence (or the field your package uses for prior action output) and set the expression to $actions.
8. Save and enable the playbook.

You can add Hero AI or other builder assistance on the playbook page; the prerequisites above still apply.

Associate the playbook with a routing rule

You can create or edit a Signal Routing Rules record without an open case.

1. Open Application Records → Signal Routing Rules, or use Routing Rule Management → Add New Rule.
2. On the Rule tab, set If conditions (for example, Signal Source, Alert Name, Severity).
3. Set Rule Application to Case Management (or as required).
4. Configure Rule Order and Enabled when ready.
5. Wait for the page to finish loading. The Associated Playbook (or Selected Playbook) list is populated after load.
6. Select your playbook. Only playbooks that use the Rule Execute flow event trigger appear; a playbook without that trigger (for example, a blank test playbook) does not show in the list.
7. Apply the rule to the playbook (for example, Apply Rule to Playbook). Confirm the success message.
8. Open the playbook in Orchestration and refresh. Verify that a Rule UUID condition on the Rule Execute trigger matches this routing rule.
9. On the Rule Support tab, use Run Rule Against Pending Signals to test. Review Records Matched.

When the rule matches a record, the engine emits Rule Execute with that rule's UUID; the playbook with the matching Rule UUID trigger condition is executed for the case.

Other ways to get a compatible playbook

Duplicate an existing routing playbook: in Orchestration → Playbooks, duplicate a playbook already tied to a working rule or a package triage template. Edit investigation steps only; keep Rule Execute, Search Records, verdict, and $actions.

Generate Playbook, then cancel: from the playbook builder (including after Create a Playbook on a case), start Generate Playbook and cancel when the template appears. The draft includes sample timeline, verdict, and Rule Execute wiring. Edit, save, then associate on the routing rule if you did not use the case automation flow.
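The routing flow and playbook prerequisites described above, as an added example that is not the product's own code: a small Python model in which the rules engine emits Rule Execute for the first matching enabled rule, Apply Rule to Playbook adds the Rule UUID trigger condition only to a compatible playbook, and that playbook runs Search Records by Tracking ID and hands $actions to the final verdict. The dict shapes, field names, and the sample rule and record are constructed assumptions.

```python
# Constructed playbook, rule and record shapes; assumptions, not the product's schema.
GOOD_PLAYBOOK = {
    "name": "Phishing triage", "trigger": "rule_execute",  # Existing Flow Event: Rule Execute
    "rule_uuid": None,                  # set by apply_rule_to_playbook, never by hand
    "steps": [
        {"type": "search_records", "tracking_id": "{{event.tracking_id}}"},
        {"type": "enrich_sender"},      # optional investigation step
        {"type": "verdict", "evidence": "$actions"},
    ],
}
BLANK_PLAYBOOK = {"name": "test", "trigger": "manual", "rule_uuid": None, "steps": []}
RULES = [{"uuid": "rule-0001", "order": 1, "enabled": True,
          "conditions": {"signal_source": "email_gateway", "severity": "High"}}]
RECORDS = [{"tracking_id": "CM-100", "signal_source": "email_gateway",
            "alert_name": "Credential phish", "severity": "High"}]

def is_routing_compatible(pb: dict) -> bool:
    """Prerequisites from the guide: Rule Execute trigger, Search Records mapped
    from the event's Tracking ID, and a verdict last with evidence set to $actions."""
    steps = pb["steps"]
    return (pb["trigger"] == "rule_execute" and len(steps) >= 2
            and steps[0]["type"] == "search_records"
            and steps[0].get("tracking_id") == "{{event.tracking_id}}"
            and steps[-1]["type"] == "verdict" and steps[-1].get("evidence") == "$actions")

def apply_rule_to_playbook(rule: dict, pb: dict) -> None:
    """'Apply Rule to Playbook': the platform adds the Rule UUID trigger condition."""
    if not is_routing_compatible(pb):
        raise ValueError(f"{pb['name']} would not appear in the Associated Playbook list")
    pb["rule_uuid"] = rule["uuid"]

def emit_rule_execute(rules: list, record: dict) -> "dict | None":
    """Rules engine: the first enabled rule in Rule Order whose If conditions all
    match emits one Rule Execute event with its Rule UUID and the record's Tracking ID."""
    for rule in sorted(rules, key=lambda r: r["order"]):
        if rule["enabled"] and all(record.get(k) == v for k, v in rule["conditions"].items()):
            return {"event": "rule_execute", "rule_uuid": rule["uuid"],
                    "tracking_id": record["tracking_id"]}
    return None

def run_playbook(pb: dict, event: dict, records: list) -> "dict | None":
    """Runs only when the event's Rule UUID matches the trigger condition; $actions
    collects every earlier step's output and is handed to the final verdict."""
    if event["rule_uuid"] != pb["rule_uuid"]:
        return None
    actions = {"search_records": next(r for r in records
                                      if r["tracking_id"] == event["tracking_id"])}
    for step in pb["steps"][1:-1]:
        actions[step["type"]] = {"ran": True}      # stand-in for real action output
    return {"tracking_id": event["tracking_id"], "evidence": actions}
```

A playbook whose trigger is not Rule Execute fails apply_rule_to_playbook, which mirrors why such a playbook never shows in the Associated Playbook list.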