# Playbook Flow Reference

This reference maps AI SOC playbooks and flows to triggers, inputs, outputs, and handoffs. Use it with Playbook Types and Usage (docid\ np4vvqlu6pnrwzsbel eo), which explains when to use each playbook, and Architecture and Data Flow (docid\ kwciabpwqozqcjd2eztic), which has the conceptual pipeline diagrams.

This is a reference page, not a starting point. Read Architecture and Data Flow (docid\ kwciabpwqozqcjd2eztic) first for diagrams and the end-to-end story. Use this page when you need flow titles, triggers, handoffs, or playbook troubleshooting. For analyst procedures, see Getting Started (docid\ p7qjquayekczhpxeppwcp) and Operations and Guidance (docid\ dsdgtaqeg95dseaf2iat).

Playbook bundle names, flow titles, and component counts can differ by installed package version. Treat flow tables marked "verify in tenant" as outlines: confirm exact flow names and step order in Orchestration → Playbooks after import.

## Choose your path

| If you need to | Start here |
|---|---|
| Understand what each playbook category does | Playbook Types and Usage (docid\ np4vvqlu6pnrwzsbel eo) |
| See how alert and email traffic converges on case management | Playbook handoffs at a glance (docid) → Event channels (inter-playbook handoffs) |
| Configure a new SIEM or email source | Ingestion template playbooks → Configure Ingestion Playbooks (docid\ b1 f6uepz95dfn5nnl0la) |
| Trace what happens after a case record is created | Case lifecycle flows |
| Build or debug a routing rule playbook | Routing rule playbooks → Building Routing Rule Playbooks |

## How to read this reference

Each playbook section includes the following columns:

| Column | Meaning |
|---|---|
| Flow | Flow title inside the playbook bundle (as shown in Orchestration) |
| Trigger | Sensor, schedule, flow event, or record event that starts the flow |
| Primary inputs | Payload, record fields, or event data the flow consumes |
| Primary outputs | Records, flow events, or fields the flow produces |
| Hands off to | Next flow, event channel, application, or background process |

Logical stage rows (for example, Deduplicate, Enrich Observables) describe the ingestion pipeline documented in the configuration guides when individual flow titles are not named in customer docs.

## Playbook index

| Playbook bundle | Category | Analyst action | Detailed section |
|---|---|---|---|
| AI SOC – Alert Ingestion (Webhook) – Template | Ingestion template | None (configure, then enable) | Ingestion template playbooks |
| AI SOC – Alert Ingestion (Cron) – Template | Ingestion template | None | Ingestion template playbooks |
| AI SOC – Phishing Ingestion (Cron) – Template | Ingestion template | None | Ingestion template playbooks |
| AI SOC – Test Email Ingestion (Webhook) | Test / lab | None | Ingestion template playbooks |
| AI SOC – Test Case Generator | Test / lab | None | Ingestion template playbooks |
| Ingest Webhook Alert | Production alert ingestion | None | Production ingestion playbooks |
| Ingest Bulk Alerts | Production alert ingestion | None | Production ingestion playbooks |
| Ingest Email to SIG Record | Production email ingestion | None | Production ingestion playbooks |
| Ingest Alert to Case Record (Event) | Entry / normalization | None | Entry flows (case record creation) |
| Ingest Email to Case Record (Event) | Entry / normalization | None | Entry flows (case record creation) |
| SOC – Enrich Observables | Enrichment | None | Enrichment and knowledge playbooks |
| Link Knowledge Base Articles | Enrichment | None | Enrichment and knowledge playbooks |
| Alert Triage Playbook Template | Triage / verdict | Manual or rule driven | Triage and verdict playbooks |
| Correlate SIG Record | Correlation | Manual or scheduled | Triage and verdict playbooks |
| Run Rule Against Pending Signals | Routing | Manual (Support tab) | Triage and verdict playbooks |
| Custom routing rule playbooks | Routing | None (rule driven) | Routing rule playbooks |
| Pending Case Resolution (and related) | Lifecycle | None | Case lifecycle flows |

## Event channels (inter-playbook handoffs)

AI SOC separates alert-shaped and email-shaped traffic on internal flow event channels before both paths create case management records.

| Channel | Payload shape | Producers (examples) | Consumer |
|---|---|---|---|
| ingest alert | Turbine schema alert object | Ingest Webhook Alert, Ingest Bulk Alerts, configured cron/webhook templates | Ingest Alert to Case Record (Event) |
| ingest email | Turbine schema email object | AI SOC – Phishing Ingestion (Cron) – Template, AI SOC – Test Email Ingestion (Webhook) | Ingest Email to Case Record (Event) |
| rule execute | Rule UUID + case management Tracking ID | Signal Routing Rules engine | Compatible routing rule playbooks |

See Architecture and Data Flow (docid\ kwciabpwqozqcjd2eztic) for additional conceptual pipeline diagrams.

## Ingestion template playbooks

Duplicate templates before configuration; do not edit the originals. See Configure Ingestion Playbooks (docid\ b1 f6uepz95dfn5nnl0la).

### AI SOC – Alert Ingestion (Webhook) – Template

| Flow | Trigger | Primary inputs | Primary outputs | Hands off to |
|---|---|---|---|---|
| Ingest Webhook Alert | HTTP webhook sensor | Raw vendor alert payload | Turbine schema alert on ingest alert | Ingest Alert to Case Record (Event) |
| Logical stages in flow | — | Webhook payload | Extended alert fields, deduplicated observables | See pipeline table below |

Documented pipeline (logical order): receive webhook → convert to Turbine schema → extend with custom fields → deduplicate → enrich observables → correlate → create or update case management records.

| Logical stage | Key component (configure on duplicate) | Input | Output |
|---|---|---|---|
| Convert to Turbine schema | Placeholder Get TEDS Alerts | Webhook payload | Turbine schema alert |
| Extend fields | AI SOC Extend TEDS Alert | Turbine schema alert | Case management field mappings, raw JSON preserved |
| Correlate | AI SOC Correlate Alerts | Alert + observables | Correlation metadata |
| Emit | Verify in tenant | Normalized alert | ingest alert channel event |

### AI SOC – Alert Ingestion (Cron) – Template

| Flow | Trigger | Primary inputs | Primary outputs | Hands off to |
|---|---|---|---|---|
| Ingest Bulk Alerts | Cron schedule; ingest alert sensor | Bulk alerts from source API | Turbine schema alerts on ingest alert | Ingest Alert to Case Record (Event) |

Documented pipeline: fetch alerts → convert to Turbine schema → extend with custom fields → deduplicate → enrich observables → correlate → create or update records.

| Logical stage | Key component (configure on duplicate) | Input | Output |
|---|---|---|---|
| Fetch and convert | Placeholder Get TEDS Alerts | Source API response | Turbine schema alert list |
| Extend fields | AI SOC Extend TEDS Alerts (Bulk) Template | Turbine schema alerts | Case management mappings |
| Correlate | AI SOC Correlate Alerts | Alerts + observables | Correlation metadata |
| Emit | Verify in tenant | Each alert | ingest alert channel event |

### AI SOC – Phishing Ingestion (Cron) – Template

| Flow | Trigger | Primary inputs | Primary outputs | Hands off to |
|---|---|---|---|---|
| Scheduled TEDS Email Fetch and Emit Loop | Cron schedule | Unread mailbox items (Graph, IMAP, and so on) | Email Turbine schema objects on ingest email | Ingest Email to Case Record (Event) |

Documented pipeline: retrieve emails → convert to email Turbine schema → extend with custom fields → deduplicate → enrich observables → correlate → create or update records.

| Logical stage | Key component (configure on duplicate) | Input | Output |
|---|---|---|---|
| Retrieve and convert | Placeholder Get TEDS Emails | Mailbox search results | Email Turbine schema |
| Extend fields | AI SOC Extend TEDS Alerts (Bulk) Template | Email object | Observables (URLs, sender, hashes), case management mappings |
| Correlate | AI SOC Correlate Alerts | Email + observables | Correlation metadata |
| Emit | Emit TEDS Email (per Architecture and Data Flow, docid\ kwciabpwqozqcjd2eztic) | Email object | ingest email channel event |

### AI SOC – Test Email Ingestion (Webhook)

| Flow | Trigger | Primary inputs | Primary outputs | Hands off to |
|---|---|---|---|---|
| Emit Test Email to Email Ingestion Flow | HTTP webhook | Lab or test email payload | Email object on ingest email | Ingest Email to Case Record (Event) |

### AI SOC – Test Case Generator

| Flow | Trigger | Primary inputs | Primary outputs | Hands off to |
|---|---|---|---|---|
| AI SOC Alert Case Generator | Verify in tenant | Synthetic alert data | Case management test record | Case lifecycle flows |
| Phishing Case Generator | Verify in tenant | Synthetic email data | Case management test record | Case lifecycle flows |

## Production ingestion playbooks

Configured copies of the templates (or package defaults). Names may omit "Template" or use the SOC prefix in older bundles.

| Playbook | Trigger | Primary inputs | Primary outputs | Hands off to |
|---|---|---|---|---|
| Ingest Webhook Alert | Webhook sensor | Real-time alert payload | ingest alert events | Ingest Alert to Case Record (Event) |
| Ingest Bulk Alerts | Cron schedule | Scheduled bulk fetch | ingest alert events | Ingest Alert to Case Record (Event) |
| Ingest Email to SIG Record | Email sensor | Phishing report email | ingest email events (name may include SIG) | Ingest Email to Case Record (Event) |

The Alert Schema Store (AWSS) caches example payloads and Turbine schema field mappings so that repeat vendor formats map consistently on the alert path. See Architecture and Data Flow (docid\ kwciabpwqozqcjd2eztic).

## Entry flows (case record creation)

Shared downstream playbooks that materialize case management records (prefix: Case).

### Ingest Alert to Case Record (Event)

| Flow | Trigger | Primary inputs | Primary outputs | Hands off to |
|---|---|---|---|---|
| Ingest Alert to Case Record (Event) | ingest alert flow event | Turbine schema alert object | New or updated case record, extracted observables | Enrichment, KB linking, correlation, Case Evaluation Automated |

Logical steps inside the flow (confirm sub-playbook names in Orchestration):

| Step | Purpose | Primary inputs | Primary outputs |
|---|---|---|---|
| Deduplicate | Skip or update when the alert identity already exists | Alert unique identifier (for example Alert UID) | Stop, or continue for a new alert |
| Normalize observables | Map vendor fields to Turbine schema | Raw alert payload | Turbine schema alert object |
| Enrich observables | TI lookup on extracted observables | Observables | Threat Intelligence Reference, risk scores |
| Find matching KB articles | Link guidance for plan generation | Matching value, observables | KB article references on record |
| Create or update record | Materialize work in case management | Normalized alert + enrichment results | Case record (Processing) |

### Ingest Email to Case Record (Event)

| Flow | Trigger | Primary inputs | Primary outputs | Hands off to |
|---|---|---|---|---|
| Ingest Email to Case Record (Event) | ingest email flow event | Turbine schema email object | New or updated phishing case record | Same logical steps as the alert path |

Email payloads preserve email-specific fields (for example Subject, Sender, Recipient) on the case management record alongside the standard observables.

### Evaluation gates

Automated evaluation on a case record typically waits until enrichment and correlation complete. Confirm field names on your case management application layout.

| Gate | Field (typical) | Set by | Required before |
|---|---|---|---|
| Threat intelligence complete | Threat Intelligence Status | Enrich Observables (or the Check TI button) | Case Evaluation Automated |
| Correlation complete | Correlation Status | Correlate Case Records (schedule or manual) | Case Evaluation Automated |

When both gates are Complete, Case Evaluation Automated can run the rules engine and, if no rule matches, invoke Hero AI for an initial AI verdict and confidence score.

While Status is Processing, enrichment, correlation, KB linking, and automated evaluation may still be running. Wait until the record leaves Processing before running Generate Plan or expecting a stable AI verdict. See Case Management (Case) (docid\ sdpesft6lsyz0zfrn hok).

## Enrichment and knowledge playbooks

| Playbook / component | Trigger | Primary inputs | Primary outputs | Hands off to |
|---|---|---|---|---|
| SOC – Enrich Observables / AI SOC Enrich Observables | Signal or record creation; observable extraction | Observables (IP, domain, URL, hash) | TI provider results, aggregated verdict, Threat Intelligence Reference | Case management evidence panels; Case Evaluation Automated |
| Link Knowledge Base Articles | Signal creation or correlation | Matching value, observables, signal metadata | Linked KB article records on case | Hero AI Generate Plan context |

TI provider components (inside enrichment):

| Component | Input | Output |
|---|---|---|
| Enrich VirusTotal Enrich Observable (VIC) | Observable | Provider-specific enrichment |
| Enrich Recorded Future Enrich Observable (VIC) | Observable | Provider-specific enrichment |
| Enrich AbuseIPDB Enrich Observable (VIC) | Observable | Provider-specific enrichment |
| Enrich URLhaus Enrich Observables (VIC) | Observable | Provider-specific enrichment |
| Enrich IPQualityScore Enrich Observable (VIC) | Observable | Provider-specific enrichment |

Configuration: Configure Threat Intelligence Enrichment (docid wafaim1sg 7z1uzmvr p).

## Triage and verdict playbooks

| Playbook | Trigger | Primary inputs | Primary outputs | Hands off to |
|---|---|---|---|---|
| Alert Triage Playbook Template | Manual run or rule execute | Case record context | Refreshed Hero AI verdict and TI analysis | Case management AI alert analysis panel |
| Correlate SIG Record | Manual (Support tab) or schedule (default 10 min) | Case record | Correlation evidence | Case management correlation panel |
| Run Rule Against Pending Signals | Manual (Support tab or scheduled task) | Unprocessed case records | Rule evaluation results | rule execute → routing playbooks |

## Routing rule playbooks

Custom or duplicated playbooks associated on Signal Routing Rules records.

Required pattern:

| Step order | Action | Primary inputs | Primary outputs |
|---|---|---|---|
| 1 | Flow event trigger (rule execute) | Rule UUID, Tracking ID | Flow context |
| 2 | Search records | Event Tracking ID | Case management record in flow |
| 3 | Optional investigation steps | Record + connector actions | Step outputs in $actions |
| 4 | Verdict component (for example AI SOC Case Hero AI Analysis) | Record + $actions | AI verdict, updated case fields |

| Constraint | Requirement |
|---|---|
| Flow count | Single flow per routing playbook |
| Verdict evidence expression | $actions |
| Rule binding | Rule UUID condition added when you apply the rule to the playbook |

See Building Routing Rule Playbooks and Signal Routing Rules (Rule) (docid\ bijf7m9etympud9 aozbl).

## Case lifecycle flows

Background automation after case records are created. Flow titles vary by package; confirm in Orchestration → Playbooks.

### Enrichment and correlation

| Flow / component | Trigger | Primary inputs | Primary outputs | Hands off to |
|---|---|---|---|---|
| Check TI / Enrich Observables | Record create or manual button | Observables on case record | Threat Intelligence Reference, Intelligence Verdict, Threat Intelligence Status = Complete | Case Evaluation Automated (gate) |
| Correlate Case Records | Cron schedule (tenant configured; default about every 10 minutes) or manual Correlate | Case record + recent record pool | Correlation Status = Complete, correlation evidence | Case Evaluation Automated (gate) |

Correlation uses the AI SOC Correlation Configuration asset for delay windows and match thresholds. Records are typically eligible after a short delay so that ingestion and enrichment can finish first.

### Evaluation and resolution

| Flow / component | Trigger | Primary inputs | Primary outputs | Hands off to |
|---|---|---|---|---|
| Case Evaluation Automated | Record update when both TI and correlation gates are Complete | Case fields, TI results, correlation | Rule match results; or AI verdict + confidence if no rule matches | Pending Case Resolution |
| Pending Case Resolution | AI verdict or confidence change (conditions vary by package) | AI Verdict, Confidence Score, tenant thresholds | Status, Classification, Escalated (when configured) | Analyst queue or closure |

Pending Case Resolution outcomes (thresholds are tenant configured in the Pending Case Resolution flow, not fixed defaults):

| Condition (typical) | Outcome on case management record |
|---|---|
| High confidence + malicious or suspicious | Escalated, or sustained investigation path per your tenant rules |
| High confidence + benign | Closed with False Positive classification where configured |
| Verdict present but confidence below tenant threshold | New; analyst review required |
| Analyst override | Manual (Manual Verdict, Status, or Claim) |

Some packages link a separate investigative record through a Case Tracking Reference field. Current AI SOC guidance centers triage and investigation on the same case management (Case) record unless your organization has configured a linked record pattern. See Case Management (Case) (docid\ sdpesft6lsyz0zfrn hok).

### Metrics and sync

| Flow / component | Trigger | Primary inputs | Primary outputs |
|---|---|---|---|
| Update Case Metrics | Status, Owner, or Mitigation field changes | Case lifecycle fields | SLA timestamps (for example Time Assigned, Time Closed) |
| Sync Case to Linked Records | Record field change or manual button | Case record | Patched linked records and timeline entries (when the linked pattern is used) |

### Routing and rules engine

| Flow / control | Trigger | Primary inputs | Primary outputs | Hands off to |
|---|---|---|---|---|
| Signal Routing Rules (engine) | Evaluation or schedule | Case fields vs. rule conditions | rule execute events | Routing rule playbooks |
| Run Rules Engine Against Current Case | Manual button (Support tab) | Current case record | Rule match results | Routing rule playbooks |
| Run Rule Against Pending Cases | Manual button or scheduled task | Pending case queue | Rule match results | Routing rule playbooks |

## Support tab button runbooks

Analyst-initiated actions on case management records. Available buttons depend on layout and RBAC.

| Button (typical label) | Purpose | When to use |
|---|---|---|
| Claim Case / Claim Signal | Assign Current Owner to the logged-in analyst | Starting investigation; prevents duplicate work |
| Check Threat Intelligence Results / Check TI for Case | Force TI enrichment on the current record | TI status stuck or observables changed |
| Enrich TI Record | Alternate entry point to TI enrichment | Same as Check TI, from a different UI context |
| Correlate | Run correlation immediately for this record | Correlation evidence missing or stale |
| Run Rules Engine | Evaluate routing rules on the current record | Test or refresh rule matches |
| Run Rule Against Pending Signals | Batch evaluate pending records | Catch up after rule changes |
| Run AI Investigation / AI Case Analysis | Force Hero AI verdict and confidence evaluation | Skipped by a rule match, or after new evidence |
| Sync Case to Linked Records | Push case fields to linked records | After manual linking or when auto sync has not run |
| Generate After Actions Report | Merge KB, TI, and connector outputs into a report | Post-incident documentation (connectors vary by tenant) |

See Case Management (Case) (docid\ sdpesft6lsyz0zfrn hok) and Troubleshooting (docid\ cknuxqv85k9lu0ocqv218) for button visibility and RBAC issues.

## Troubleshooting by flow

| Symptom | Check first | Quick fix |
|---|---|---|
| No case record after ingest | ingest alert / ingest email sensor enabled; Alert UID present | Verify the webhook or cron template; confirm deduplication did not stop on a duplicate |
| Record stuck in Processing | Threat Intelligence Status and Correlation Status | Run Check TI and Correlate from Support; verify TI connectors |
| Case Evaluation never runs | Both gates Complete on the same record | Complete the missing enrichment or correlation; check the correlation asset and schedule |
| No AI verdict | Rules engine matched (AI branch skipped) | Run AI Investigation; verify Hero AI is enabled |
| No auto Escalated / Closed | Tenant thresholds in Pending Case Resolution | Review the administrator playbook config; set Manual Verdict if needed |
| Routing rule never fires | Rule Enabled; playbook uses rule execute | Run Rules Engine; see Building Routing Rule Playbooks |
| Generate Plan missing | Record still Processing; RBAC / widget config | Wait for gates; see Getting Started (docid\ p7qjquayekczhpxeppwcp) and RBAC Considerations for AI SOC (docid\ jl6dsw0qjbkpq iojdglp) |

## Key shared components

Components referenced across multiple playbooks. Connector-embedded business logic actions should be documented with plain-language descriptions when added or renamed.

| Component | Used in | Purpose |
|---|---|---|
| Placeholder Get TEDS Alerts | Alert ingestion templates | Fetch or map source alerts to Turbine schema |
| Placeholder Get TEDS Emails | Phishing ingestion template | Fetch or map emails to email Turbine schema |
| AI SOC Extend TEDS Alert | Webhook alert template | Map Turbine schema to case management (single) |
| AI SOC Extend TEDS Alerts (Bulk) Template | Cron alert and phishing templates | Map Turbine schema to case management (bulk) |
| AI SOC Correlate Alerts | All ingestion templates | Correlation windows and rules |
| AI SOC Enrich Observables | Ingestion and enrichment playbooks | Multi-provider TI enrichment |
| AI SOC Signal Hero AI Analysis | Triage templates, plans | Hero AI verdict on signal/case |
| AI SOC Case Hero AI Analysis | Routing rule playbooks | Hero AI verdict with $actions evidence |
| AI SOC Alerts to Turbine Schema | AI ingestion widget output | Normalize vendor alerts to Turbine schema |
| Create TEDS Alert | Custom ingestion / integration examples | Map vendor fields to Turbine schema |

## End-to-end flow summary

| Stage | Representative playbooks / flows | Case management impact |
|---|---|---|
| 1. Source ingest | Ingest templates → ingest alert / ingest email | None yet |
| 2. Normalize | Ingest Alert/Email to Case Record (Event) | Case record created (Processing) |
| 3. Enrich and link | Enrich Observables, Link Knowledge Base Articles | Evidence panels populated |
| 4. Evaluate | Case Evaluation Automated, correlation schedule | Correlation, KB, TI complete |
| 5. Route | Signal Routing Rules → rule execute playbooks | Automated investigation steps |
| 6. Resolve | Pending Case Resolution, prioritization | Status, Priority, Escalated |
| 7. Investigate | Analyst Generate Plan, Manual Verdict | Manual Verdict, Classification, closure |

## Key record fields (reference)

Typical case management fields referenced across flows. Labels on your layout may differ slightly.

| Field area | Examples | Used by |
|---|---|---|
| Identity | Tracking ID, Alert UID, Signal Source, Signal Type | Ingestion, deduplication, routing rules |
| Observables | IPs, domains, URLs, hashes | TI enrichment, correlation, Hero AI |
| Enrichment gates | Threat Intelligence Status, Correlation Status | Case Evaluation Automated |
| AI triage | AI Verdict, Confidence Score, Intelligence Verdict | Pending Case Resolution, analyst UI |
| Workflow | Status, Priority, Classification, Manual Verdict | Analyst actions, dashboards, ROI |
| Linking (optional) | Case Tracking Reference | On linked layouts: sync and after actions reporting |

## Maintaining this reference

| Step | Action | Owner |
|---|---|---|
| 1 | Export playbook YAML after package upgrades | Engineering / PS |
| 2 | Reconcile flow names and sub-playbook steps with this page | Docs + PS |
| 3 | Align connector-embedded action names with the connector naming standard | Connector team + Docs |
| 4 | Update Archbee after tenant-verified changes | Docs |

Internal interactive flow maps (for example PS HTML diagrams) can supplement this page but should use customer terminology (Turbine schema, case management, Case) when content is promoted here.

## Next steps

| Topic | Guide |
|---|---|
| Playbook categories and when to use them | Playbook Types and Usage (docid\ np4vvqlu6pnrwzsbel eo) |
| Conceptual architecture diagrams | Architecture and Data Flow (docid\ kwciabpwqozqcjd2eztic) |
| Configure ingestion templates | Configure Ingestion Playbooks (docid\ b1 f6uepz95dfn5nnl0la) |
| Build routing rule playbooks | Building Routing Rule Playbooks |
| Analyst first investigation | Getting Started (docid\ p7qjquayekczhpxeppwcp) |
| Case record layout and support actions | Case Management (Case) (docid\ sdpesft6lsyz0zfrn hok) |
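The evaluation gates and Pending Case Resolution outcomes from the case lifecycle section, modelled as a small Python program so the ordering (both gates Complete, then rules engine, then Hero AI fallback, then threshold-based resolution) and the "stuck in Processing" symptom can be exercised end to end. This is an added illustration written for this reference, not product playbook code; the field names, the 0.85 threshold, the rule and Hero AI call shapes, and the sample observables are all assumptions.

```python
"""Constructed model of the AI SOC evaluation gates and Pending Case Resolution.
Illustrative only: field names, thresholds, and interfaces are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Assumed tenant-configured threshold (set per tenant in Pending Case Resolution).
HIGH_CONFIDENCE = 0.85


@dataclass
class CaseRecord:
    tracking_id: str
    observables: List[str] = field(default_factory=list)
    intelligence_verdict: Optional[str] = None   # written by enrichment (assumed field)
    threat_intelligence_status: str = "pending"  # gate 1: Complete after Enrich Observables
    correlation_status: str = "pending"          # gate 2: Complete after Correlate Case Records
    status: str = "processing"
    ai_verdict: Optional[str] = None
    confidence_score: Optional[float] = None
    classification: Optional[str] = None
    escalated: bool = False


# A routing rule returns (verdict, confidence) when it matches, else None (assumed shape).
Rule = Callable[[CaseRecord], Optional[Tuple[str, float]]]


def gates_complete(rec: CaseRecord) -> bool:
    return rec.threat_intelligence_status == "complete" and rec.correlation_status == "complete"


def hero_ai(rec: CaseRecord) -> Tuple[str, float]:
    """Stand-in for Hero AI: reuses the enrichment verdict with a constructed confidence."""
    if rec.intelligence_verdict in ("malicious", "suspicious"):
        return rec.intelligence_verdict, 0.9
    if rec.intelligence_verdict == "benign":
        return "benign", 0.9
    return "benign", 0.5            # no TI opinion: low confidence, will need analyst review


def case_evaluation_automated(rec: CaseRecord, rules: List[Rule]) -> str:
    """Rules engine first; Hero AI only if no rule matches; nothing until both gates are Complete."""
    if not gates_complete(rec):
        return "waiting"            # record stays in Processing (the 'stuck' symptom)
    for rule in rules:
        hit = rule(rec)
        if hit:
            rec.ai_verdict, rec.confidence_score = hit
            return "rule"           # AI branch skipped (see 'No AI verdict' troubleshooting row)
    rec.ai_verdict, rec.confidence_score = hero_ai(rec)
    return "ai"


def pending_case_resolution(rec: CaseRecord, high_confidence: float = HIGH_CONFIDENCE) -> str:
    """Maps AI verdict + confidence to Status / Classification / Escalated per tenant thresholds."""
    if rec.ai_verdict is None:
        return rec.status           # no verdict yet, nothing to resolve
    confident = rec.confidence_score >= high_confidence
    if confident and rec.ai_verdict in ("malicious", "suspicious"):
        rec.status, rec.escalated = "investigating", True
    elif confident and rec.ai_verdict == "benign":
        rec.status, rec.classification = "closed", "false positive"
    else:
        rec.status = "new"          # analyst review required
    return rec.status


def run_lifecycle(rec: CaseRecord, rules: List[Rule]) -> str:
    """Evaluation followed by resolution; returns the record's final Status."""
    if case_evaluation_automated(rec, rules) == "waiting":
        return rec.status
    return pending_case_resolution(rec)


# Constructed sample rule: escalate any record carrying an observable on a deny list defined here.
KNOWN_BAD = {"bad.example"}
RULES: List[Rule] = [lambda r: ("malicious", 1.0) if KNOWN_BAD & set(r.observables) else None]
```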