Playbook Types and Usage
AI SOC includes different types of playbooks that serve specific purposes in the investigation workflow.

Ingestion Playbooks (System Driven)

These playbooks run automatically to ingest alerts and create signals.

Ingest Webhook Alert
Trigger: Webhook sensor receives alert
Purpose: Receives alerts from webhook sources and creates signal records
When it runs: Automatically when alerts are sent to the webhook endpoint
Analyst action: None required; runs automatically

Ingest Bulk Alerts
Trigger: Cron schedule
Purpose: Pulls alerts in bulk from source systems and creates signal records
When it runs: On a scheduled interval (configured in the playbook)
Analyst action: None required; runs automatically

Ingest Email to Sig Record
Trigger: Email sensor receives phishing report
Purpose: Processes phishing emails and creates signal records
When it runs: Automatically when emails are received
Analyst action: None required; runs automatically

Configuration: These playbooks are configured during setup and typically do not require analyst interaction.

Triage and Verdict Playbooks (Analyst Triggered or Rule Driven)

These playbooks support investigation and analysis workflows.

Alert Triage Playbook Template
Trigger: Manual execution or routing rule
Purpose: Runs Hero AI verdict and threat intelligence analysis on a signal
When to use: When you need refreshed AI analysis or verdict generation
How to use: Trigger manually from the signal record, or configure routing rules to trigger it automatically

Correlate Sig Record
Trigger: Manual execution or scheduled run
Purpose: Correlates the signal with existing records and context
When to use: Manually when you want immediate correlation; automatically on a schedule (default: every 10 minutes)
How to use: Run from the Support tab on a signal record

Run Rule Against Pending Signals
Trigger: Manual execution
Purpose: Evaluates routing rules against unprocessed signals
When to use: When you need to apply routing rules to signals that haven't been processed
How to use: Run from the Support tab or create a scheduled task

Enrichment and Knowledge Playbooks (System Driven)

These playbooks automatically enrich signals with threat intelligence and knowledge base context.

Enrich Observables
Trigger: Signal creation or observable extraction
Purpose: Enriches observables with TI providers and attaches evidence to the signal
When it runs: Automatically when observables are extracted
Analyst action: None required; runs automatically
Configuration: Configure which TI providers to use in the playbook

Link Knowledge Base Articles
Trigger: Signal creation or correlation
Purpose: Links relevant KB articles to signals to provide immediate analyst context
When it runs: Automatically as part of ingestion and correlation
Analyst action: None required; runs automatically
Configuration: KB articles are linked based on matching values and correlation logic

Escalation Playbooks (Analyst Triggered)

These playbooks handle escalation workflows.

Escalate Signal to Case
Trigger: Manual execution (via the Escalate to Case button)
Purpose: Creates a case from a signal and links them together
When to use: When a signal requires sustained investigation or case management
How to use: Click Escalate to Case in the Controls panel on a signal record
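The following is an added example, not code from AI SOC or its playbooks, that models the chain these playbook types form: a webhook alert becomes a signal record, observables are extracted and enriched with TI evidence, routing rules are evaluated only against signals still pending, and a matching rule either triggers triage or escalates the signal to a linked case. The record fields, the rule syntax, the regular expressions, the TI lookup table and the sample alerts are all constructed assumptions for illustration; a real Enrich Observables playbook would call the configured TI providers instead of reading a table.

```python
"""Toy model of the ingest -> enrich -> route -> escalate signal pipeline.

Added example; record shapes, rules and sample data are constructed, not
taken from the product.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Observable extraction patterns (IPv4, SHA-256, a few TLDs). Constructed for the example.
OBSERVABLE_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io)\b", re.I),
}

# Constructed stand-in for TI provider responses (documentation/example addresses only).
TI_TABLE = {
    "198.51.100.23": {"verdict": "malicious", "source": "constructed-ti"},
    "example.org": {"verdict": "benign", "source": "constructed-ti"},
}


@dataclass
class Signal:
    signal_id: str
    title: str
    severity: str
    raw: str
    observables: Dict[str, Set[str]] = field(default_factory=dict)
    evidence: List[dict] = field(default_factory=list)
    status: str = "pending"  # pending -> routed | escalated
    case_id: Optional[str] = None


def extract_observables(text: str) -> Dict[str, Set[str]]:
    """Pull candidate observables out of free text, grouped by type."""
    found: Dict[str, Set[str]] = {}
    for kind, pattern in OBSERVABLE_PATTERNS.items():
        hits = set(pattern.findall(text))
        if hits:
            found[kind] = hits
    return found


def ingest_webhook_alert(alert: dict, seq: int) -> Signal:
    """Ingest Webhook Alert: turn one webhook payload into a signal record."""
    text = f"{alert.get('description', '')} {alert.get('title', '')}"
    sig = Signal(f"SIG-{seq:04d}", alert.get("title", "untitled"),
                 alert.get("severity", "low").lower(), text)
    sig.observables = extract_observables(text)
    return sig


def enrich_observables(sig: Signal, lookup: Callable[[str], Optional[dict]] = TI_TABLE.get) -> Signal:
    """Enrich Observables: query the TI source and attach each hit as evidence."""
    for kind, values in sig.observables.items():
        for value in sorted(values):
            hit = lookup(value)
            if hit:
                sig.evidence.append({"observable": value, "type": kind, **hit})
    return sig


@dataclass
class RoutingRule:
    name: str
    matches: Callable[[Signal], bool]
    action: str  # "alert_triage" or "escalate_to_case"


# Constructed routing rules; order matters because the first match wins.
RULES = [
    RoutingRule("malicious-ti-hit",
                lambda s: any(e["verdict"] == "malicious" for e in s.evidence),
                "escalate_to_case"),
    RoutingRule("high-severity", lambda s: s.severity in ("high", "critical"), "alert_triage"),
]


def escalate_signal_to_case(sig: Signal, case_id: str) -> dict:
    """Escalate Signal to Case: create the case and link signal and case both ways."""
    sig.case_id = case_id
    sig.status = "escalated"
    return {"case_id": case_id, "signals": [sig.signal_id]}


def run_rules_against_pending(signals: List[Signal], rules=RULES) -> List[tuple]:
    """Run Rule Against Pending Signals: only unprocessed signals are evaluated,
    so re-running the playbook never re-routes or re-escalates a handled signal."""
    actions = []
    for sig in signals:
        if sig.status != "pending":
            continue
        for rule in rules:
            if rule.matches(sig):
                actions.append((sig.signal_id, rule.name, rule.action))
                if rule.action == "escalate_to_case":
                    escalate_signal_to_case(sig, f"CASE-{sig.signal_id[4:]}")
                else:
                    sig.status = "routed"
                break
    return actions


SAMPLE_ALERTS = [  # constructed webhook payloads
    {"title": "Outbound beacon", "severity": "medium",
     "description": "host 10.0.0.5 connected to 198.51.100.23 over 443"},
    {"title": "Update check", "severity": "low",
     "description": "host 10.0.0.9 resolved example.org"},
    {"title": "Mass file rename", "severity": "high",
     "description": "hash 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
]


def run_pipeline(alerts=SAMPLE_ALERTS):
    """Ingest, enrich, route once, then route again to show the second pass is a no-op."""
    signals = [enrich_observables(ingest_webhook_alert(a, i + 1)) for i, a in enumerate(alerts)]
    first_pass = run_rules_against_pending(signals)
    second_pass = run_rules_against_pending(signals)
    return signals, first_pass, second_pass


if __name__ == "__main__":
    sigs, first, second = run_pipeline()
    for s in sigs:
        print(s.signal_id, s.status, s.case_id, sorted(s.observables))
    print("first pass:", first)
    print("second pass:", second)
```

The second pass exists to make the "pending" filter visible: the signal that matched no rule is still pending and gets re-evaluated, while the routed and escalated signals are skipped, which is the behaviour you want from a playbook that is run manually or from a scheduled task against signals that "haven't been processed".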