Manually Run a Playbook on a Case or Alert

Instead of automatically running a playbook using triggers, run a playbook manually on a specific case or alert.

In a case or alert, click Actions, then select Run a Playbook.
Identify the playbook you're running. Playbooks are organized by trigger. You can only run deployed playbooks. You can't run draft playbooks. For each playbook, view:
- Playbook – Playbook name
- Created by – Who created the playbook. If the playbook is a pre-built playbook, Exabeam is listed.
- Update on – The date and time the playbook was lasted edited or cloned.
To quickly find a specific playbook, search for the playbook or filter by type:
- To search for a playbook, in Type to search, enter a query. You can search by playbook name, playbook type (advanced playbook or rule-based playbook), and the email of the person who created the playbook.
- To filter playbooks by type, next to Type:, click , then select All, Advanced, or Rule-based.
To view more details about a playbook, select the playbook. Under the Details tab, review the playbook logic. Under the History tab, view the playbook audit log.
For the playbook you're running, click Run.
Review the results of the run:
- 1 The date and time the playbook was run.
- 2 Who ran the playbook.
- 3 The case or alert ID. To copy the case or alert ID, click .
- 4 Whether the run succeeded or failed.
- 5 How long it took for the playbook to run.
- 6 Under the Graph tab, view the playbook itself, which steps were executed, and how long it took to execute each step.
- 7 Under the Details tab, view review each executed step, including the result of each step, how long each step took to run, and the step log.

Threat CenterThreat Center Guide

Table of ContentsTable of Contents

Manually Run a Playbook on a Case or Alert