Add or configure a playbook to run timers.
Within a playbook, a timer can be set to start, pause, or stop at a specific section header or task. For example, you can create a timer called Pending user response and have it start in a playbook when an email is sent to a user. If the user does not respond within the target timeframe, then you can automatically send an additional reminder to the user or run a different task.
When selecting a timer in a task or section header, in the Timers tab, select the action that you want the timer to perform for the task. You can add multiple timers to a task or section header, so in the same task you can stop one timer and start another.
Note
When a task or section has a timer configured, it displays the hourglass icon.
Option | Description |
|---|---|
| Starts the timer. NoteTimers are not started automatically when an incident is created. |
| Pauses the timer. A paused timer can be started again without being reset. |
| Stops the timer. Information about the timer is still displayed in the alert layout and/or alerts table, but the status displays as Ended. NoteIf you stop a timer before the alert is closed, you must reset the timer using the |
Some playbooks, such as Phishing - Generic v3, come out-of-the-box with timer tasks included. If you need the same timers across use cases, create a sub-playbook based on your use case or conditions such as alert severity.
If you want to stop or pause a timer in a playbook, you can use an existing task or create a new section header/task. When you select Timer.stop, the run is considered finished and cannot be restarted without setting it to zero. If you plan to restart the timer, select Timer.pause so you do not lose the accumulated time. By default, all timers stop when the incident closes.