Playbooks are a series of tasks that run in a predefined flow to save time and improve the efficiency and results of the investigation and response process. They enable you to automate many security processes, including handling investigations and managing tickets. For example, a playbook task can parse the information in an issue, whether it is an email or a PDF attachment. Playbooks also standardize workflows, ensuring consistent and efficient incident response and management.
Prerequisite
To work with playbooks, an administrator must configure your user role with specific RBAC permissions. Permissions must be enabled in the following order:
Scripts: This component (under → ) must be set to Enabled first. It is the foundational permission for all automation; if Scripts are not enabled, you cannot configure Playbooks or Cases and Issues. Role-level permissions determine your ability to create new scripts or edit those marked as Public.
Playbooks: This component (under → ) must be set to Enabled. Role-level permissions determine your ability to create new playbooks or edit those marked as Public. Specific access to individual custom playbooks and scripts is managed at the object level. For detailed information on the access model, see Access to playbooks.
Cases and Issues: Once Scripts and Playbooks are enabled, you can set Cases and Issues (under Cases & Issues) to View or View/Edit. This is required to view the results of playbooks executed within a case.
For more information on setting RBAC permissions, see Role permissions by component.