A playbook is built on triggers, actions, and flows. When it's triggered, the
playbook progresses through actions to reach a final resolution. The flow of control
runs from left to right, beginning with a defined
trigger
(yellow box) as the first component, which is mandatory. It then moves to the
second component that can be a set of defined
actions
the playbook must perform (blue box). The last component involves determining
the
flow
of the playbook with an if-then-else condition (purple box).
Open the playbooks page
To open the Playbooks page, go to Response >
Playbooks.
The following actions are available:
Plus : Add a new playbook or block. Select the folder and
environment for the playbook or block. You can select one or multiple
environments and environment groups, or a combination of both. Even if a
playbook is associated with a specific environment group, the associated
environment group's scope can still be changed and the playbook's scope
automatically updates to match the new environment group scope.
Edit : Select single or multiple playbooks and
blocks for use with the Actions menu. To edit the folder name, click
Edit, and click and hold the pointer over the name, and then
change the folder name. Hold the pointer over the name, click it, and enter
the new name. Once you the edit a playbook, you can delete playbooks, as needed.
Filter : Click
filter_alt
Filter to filter the display based on the following criteria:
Playbook simulator is on toggle
Show Active Playbooks toggle
Priority: Set the attachment order of playbooks for the alert.
Only one playbook attaches automatically, based on priority.
Environments (multi-select option for environments and environment groups)
Menu : click
edit
Edit and select the required playbooks or blocks before using Menu to perform bulk actions:
New Folder: Add a new playbooks folder; the playbook automatically inherits any changes made to its associated environment groups. Playbooks associated with environment groups can be applied to cases originating from any environment within those groups.
Duplicate: Create a duplicate playbook with these options:
Keep or change priority
Keep in same folder or move to a different folder
Single, multiple, or all environments, where all
indicates all defined environments, present or future.
Export and Import: Transfer playbooks and playbook blocks between
staging and production servers. Playbooks are exported or imported with
their customized views included. The system accepts only ZIP files for import.
Move to: Move playbooks and blocks to a different folder, or
create a new folder.
Delete: Delete playbooks and blocks. After you click the Edit icon, you can delete playbooks.
Top section of Playbook Designer
The top section of the Playbook Designer pane features a horizontal toggle to
enable or disable the playbook. It also displays a summary, including the
playbook name, creator's name, creation timestamp, associated environment,
and a brief description. You can also activate the simulator and add a
customized view.
Using the Playbook Designer's features, you can do the following actions:
Icon
Description
Open Step Selection: opens a side drawer with available
Triggers, Actions, Flow, and Blocks.
Fits to screen: automatically adjusts the playbook to fit entirely on the screen.
Reverts the playbook to its default arrangement.
Zoom: zooms in to one or multiple steps in the playbook.
Download the playbook as a PNG file.
Undo reverts any changes that you have made.
Redo redoes any changes that you have previously undone.
Playbook monitoring: displays the individual playbook statistics.
Playbook Navigator: displays all playbook actions and flows.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003ePlaybooks in Google SecOps SOAR are built using triggers, actions, and flows, executing from left to right, starting with a trigger.\u003c/p\u003e\n"],["\u003cp\u003eThe Playbooks page, accessed via \u003cstrong\u003eResponse > Playbooks\u003c/strong\u003e, allows users to add, edit, filter, and manage playbooks and blocks.\u003c/p\u003e\n"],["\u003cp\u003eUsers can duplicate, export, import, move, and delete playbooks and blocks, with options to manage environments and environment groups.\u003c/p\u003e\n"],["\u003cp\u003eThe top bar of the Playbook Designer enables users to toggle the playbook on/off, view its summary, and access tools for step selection, resizing, downloading, and more.\u003c/p\u003e\n"],["\u003cp\u003eThe playbook designer includes features like Playbook Monitoring and Playbook Navigator, and allows users to adjust priority, and customize alert views.\u003c/p\u003e\n"]]],[],null,[]]