The following places in the Google Security Operations platform can provide you with
greater visibility into the playbooks execution:
Playbook monitoring on the Playbooks page: The monitoring feature
lets customers use automation to its full capacity. This interface is
displayed for each individual playbook.
Playbook side drawer on the Cases page: The summary feature
minimizes the time that an analyst needs to get decisions when handling a
case. This interface is displayed as a side drawer for each running playbook
on the Cases page.
Playbook monitoring
The Playbook monitoring side drawer is available for each playbook on
the Playbooks page.
You can see the side drawer by clicking on the Playbook monitoring icon
at the top right of the Playbooks page.
The Playbook monitoring side drawer contains the following information:
Runs: How many times the playbook or playbook block ran
during the defined time period. Thousands will be represented by a K.
Millions will be represented by an M. If a playbook block is added
as part of a playbook to an existing alert, the block won't be counted here.
Redundant: Number of times the playbook or playbook block
didn't run in the predefined time period (because it exceeded the maximum
number of playbooks (1) that can be automatically added to an alert). If the
number is larger than 1 – this could be a good indication to tweak the
playbook – maybe by using blocks or other logical steps.
Closed alerts: Percentage of alerts that were closed by
this playbook.
Average run time: Average amount of time that this playbook
took to run. This statistic can prove useful in identifying weak points in
playbooks, such as manual actions and frequently-errored steps.
Playbook runs status pie chart:
Shows four options. Options are Finished Successfully, Failed,
Waiting for User Action, or Terminated. This chart shows you
playbook statuses according to the defined time period and is cumulative.
Each option is clickable and will take you to a search results page
displaying the cases that this playbook with the specific status was
attached to.
Playbook trends line chart:
Shows completed runs, failed runs, terminated runs and a total of runs (both
failed and successful). Hold the pointer over your mouse over each dot on
the line to see a dialog showing more information. This chart can useful if
a new playbook that you recently created is running as you've expected, or
if an existing playbook that you recently improved was actually improved as
you've expected or if more enhancements are needed in order to meet
your expectations. For example, if you see that the playbook didn't run
twenty times over the last month, you might then tweak the trigger logic to
make the playbook more selective. You could then look at the
Playbook trends line chart to check that the playbook ran
successfully from that time onwards.
Environments bar chart: Displays all the environments that
this playbook ran in. Each section is clickable and will take you to a
search results page.
Playbook summary
Go to the Cases page. Select a case, click an alert, then click
the Playbooks tab. Click the hyperlinked playbook name on the left.
The playbook summary side drawer opens. This shows the following information:
Playbook name and status
Time and length of playbook run
Pending actions: If the playbook is waiting for the
security engineer to do something, this will be displayed prominently at the
top of the playbook summary. In addition, a push notification will be sent
to the relevant user letting them know that the playbook is waiting for
them.
Integrations: list of integrations being used by this
playbook. When clicking on an integration, the specific step will be marked
in the playbook viewer so that the analyst can find the step that
they wants to focus on.
Playbook flow: each step that was run with its status and
step result.
Errors: any errors will be listed here. If an error caused
the playbook to stop it will be highlighted at the top of the summary, but
if it was skipped, it will be at the bottom. Each error is clickable and
will direct you to the logs page. You can also choose to rerun the action or
playbook from here.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003ePlaybook monitoring provides insights into playbook execution through the \u003cstrong\u003ePlaybooks\u003c/strong\u003e page and a side drawer on the \u003cstrong\u003eCases\u003c/strong\u003e page, enhancing the use of automation.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003cstrong\u003ePlaybook Monitoring\u003c/strong\u003e side drawer displays information such as the number of runs, redundant runs, closed alerts percentage, average run time, and playbook status trends, allowing for performance assessment and optimization.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003cstrong\u003ePlaybook Monitoring\u003c/strong\u003e side drawer shows various charts including a pie chart displaying status of the playbook runs and a line chart displaying playbook trends over time.\u003c/p\u003e\n"],["\u003cp\u003eThe playbook summary, accessible from the \u003cstrong\u003eCases\u003c/strong\u003e page, provides details on a playbook's name, status, run time, pending actions, integrations used, playbook flow, and errors.\u003c/p\u003e\n"],["\u003cp\u003eThe playbook summary view also provides useful insight on the playbook errors, allowing you to choose to rerun the action or playbook.\u003c/p\u003e\n"]]],[],null,["# Understand playbook monitoring\n==============================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nThe following places in the Google Security Operations platform can provide you with\ngreater visibility into the playbooks execution:\n\n- Playbook monitoring on the **Playbooks** page: The monitoring feature lets customers use automation to its full capacity. This interface is displayed for each individual playbook.\n- Playbook side drawer on the **Cases** page: The summary feature minimizes the time that an analyst needs to get decisions when handling a case. This interface is displayed as a side drawer for each running playbook on the **Cases** page.\n\nPlaybook monitoring\n-------------------\n\n\nThe **Playbook monitoring** side drawer is available for each playbook on\nthe **Playbooks** page.\n\n\nYou can see the side drawer by clicking on the **Playbook monitoring** icon\nat the top right of the **Playbooks** page.\n| **Note:** The Playbook simulator needs to be turned off to see the **Playbook monitoring** side drawer.\n\n\nThe **Playbook monitoring** side drawer contains the following information:\n\n- **Runs** : How many times the playbook or playbook block ran during the defined time period. Thousands will be represented by a *K* . Millions will be represented by an *M*. If a playbook block is added as part of a playbook to an existing alert, the block won't be counted here.\n- **Redundant**: Number of times the playbook or playbook block didn't run in the predefined time period (because it exceeded the maximum number of playbooks (1) that can be automatically added to an alert). If the number is larger than 1 -- this could be a good indication to tweak the playbook -- maybe by using blocks or other logical steps.\n- **Closed alerts**: Percentage of alerts that were closed by this playbook.\n- **Average run time**: Average amount of time that this playbook took to run. This statistic can prove useful in identifying weak points in playbooks, such as manual actions and frequently-errored steps.\n- **Playbook runs status pie chart** : Shows four options. Options are **Finished Successfully** , **Failed** , **Waiting for User Action** , or **Terminated**. This chart shows you playbook statuses according to the defined time period and is cumulative. Each option is clickable and will take you to a search results page displaying the cases that this playbook with the specific status was attached to.\n- **Playbook trends line chart** : Shows completed runs, failed runs, terminated runs and a total of runs (both failed and successful). Hold the pointer over your mouse over each dot on the line to see a dialog showing more information. This chart can useful if a new playbook that you recently created is running as you've expected, or if an existing playbook that you recently improved was actually improved as you've expected or if more enhancements are needed in order to meet your expectations. For example, if you see that the playbook didn't run twenty times over the last month, you might then tweak the trigger logic to make the playbook more selective. You could then look at the **Playbook trends** line chart to check that the playbook ran successfully from that time onwards.\n- **Environments bar chart**: Displays all the environments that this playbook ran in. Each section is clickable and will take you to a search results page.\n\nPlaybook summary\n----------------\n\n\nGo to the **Cases** page. Select a case, click an alert, then click\nthe **Playbooks** tab. Click the hyperlinked playbook name on the left.\nThe playbook summary side drawer opens. This shows the following information:\n\n- Playbook name and status\n- Time and length of playbook run\n- **Pending actions**: If the playbook is waiting for the security engineer to do something, this will be displayed prominently at the top of the playbook summary. In addition, a push notification will be sent to the relevant user letting them know that the playbook is waiting for them.\n- **Integrations**: list of integrations being used by this playbook. When clicking on an integration, the specific step will be marked in the playbook viewer so that the analyst can find the step that they wants to focus on.\n- **Playbook flow**: each step that was run with its status and step result.\n- **Errors**: any errors will be listed here. If an error caused the playbook to stop it will be highlighted at the top of the summary, but if it was skipped, it will be at the bottom. Each error is clickable and will direct you to the logs page. You can also choose to rerun the action or playbook from here.\n\n\n\u003cbr /\u003e\n\n\n\u003cbr /\u003e\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
