Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Playbooks Overview

automation playbooks

In Automation, a playbook defines what actions to take and when to take them using one or more configured connections. This allows actions to be performed in your environment automatically based on your configuration. Playbooks are defined through playbook templates, some of which are provided by Secureworks, and some of which may be defined by your organization.

Example of a Completed Playbook

Example of a Completed Playbook


Each playbook has built-in documentation that walks through the steps to create a new playbook. Select Documentation from a playbook template or configured playbook in XDR to open this in a new tab and follow the guidance there.

What Makes up a Playbook?

Playbooks are made up of a few essential components:

Playbooks can be triggered by the Taegis™ XDR platform, by a user (as an action), or manually.

Required Connections

A typical playbook template contains one or more tasks, each of which calls upon a connector action. For that reason, most playbook templates require a connection to a connector that performs that action. When creating or configuring a playbook template, you must select a single connection for each connector that the template requires.


Connectors and connections are versioned. The version of the selected connection must match that of the connector that the template requires.


A playbook by itself doesn’t provide any value until it is executed. Triggers within Taegis™ XDR are what typically cause the playbook to execute.

Trigger Type

There are two types of triggers currently supported by Taegis™ XDR:


All triggers contain a source. A trigger source defines the context within the Taegis™ XDR in which the trigger may be exposed to the end user. The trigger source also determines what data the playbook will receive as input.

Platform: Event

Platform triggers require the end user to define the event that will cause the playbook to execute. These events include create, update, and delete. This event applies within the source defined above. For example, a platform trigger with an alert2 source and a create event would cause the playbook to execute when an alert is created.

User-initiated: Category

Category defines the type of user-initiated trigger. The category is used to define where the user-initiated action appears within Taegis™ XDR. There are currently two supported values: Response Action and Lookup Contextual Information.

User-initiated: Name

The Name field on a user-initiated trigger allows the end user to define the name for the action within a menu in Taegis™ XDR.

Trigger Filter

The Trigger Filter field allows the end user to define custom criteria that must be true in order for the playbook to execute (if platform type) or for the action to appear (if user-initiated type). This field supports the Common Expression Language (CEL) as well as the inputs as defined by the source selected for the trigger. This field is not evaluated if the playbook is executed manually.


Alert triggers are currently limited to High and Critical severity.


Templates may require one or more inputs in order to configure the playbook to run as desired. Each template will contain documentation that describes the required inputs in more detail.

View Playbooks Overview

To view a summary of playbooks:

  1. From the Secureworks® Taegis™ XDR side menu bar, select Automations > Playbooks.

  2. The Playbooks overview is displayed.

The summary cards at the top of the Playbooks overview display the following counts:

Use the date/time picker to change the displayed time period.

Playbook Summary Cards

Playbook Summary Cards


On this page: