Skip to main content

Behavior of Playbook priority

  • February 2, 2022
  • 4 replies
  • 11 views
M
Forum|alt.badge.img+1

Anyone knows what the exact behavior of "Playbook priority" is or how it is used? Cannot find too much on it in the manual.

    4 replies

    A
    • Anonymous
    • February 2, 2022

    Since you should have up to a single automated playbook attached to an alert (during ingestion - After ingestion you can attach more) and more than one playbook might match trigger criteria, there should be a way to tell the system which one should be attached. Thats the priority

    M
    Forum|alt.badge.img+1
    • Mate_Racz
    • Author
    • New Member
    • February 2, 2022

    Thank you!

    M
    Forum|alt.badge.img+6
    • Marek_Kreul
    • New Member
    • February 2, 2022

    @Yair Stern we have a 5.5.3 instance with some Prio 1 playbooks having very specific triggers, and a Prio 2 playbook having a rather "catch-all" trigger.
    On 5.6, only the correct specific playbook has been attached if a trigger matched, and the Prio 2 playbook has been attached if none of the Prio 1 playbook triggers matched.
    On 5.5.4, however, this did not work, instead both the Prio1 and the Prio2 playbook were automatically attached.
    Can this be a bug, or was the behaviour changed beginning with 5.6?

    A
    • Anonymous
    • February 2, 2022

    @Marek Kreul I think its best you consult our support.
    However, as far as I know, the original maximum amount of playbooks to be attached automatically (at alert ingestion) for alert was originally 3 alerts and only quite recently reduced to 1, shortly after the introduction of playbook blocks. Can't say for sure on exactly which version though...

    Terms & ConditionsCookie settingsAccessibility statement
    Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

    © 2025 Google. All rights reserved.