Problem Statement
In Google Chronicle SecOps (SOAR), there is ambiguity in how Playbook executions (“playbook runs”) versus Action executions (“action runs”) are represented and counted in Playbook logs.
This ambiguity becomes more pronounced in scenarios where:
- Multiple alerts are correlated into a single case
- Each alert has a playbook attached
- Each playbook contains multiple actions, integrations, and flow logic
As a result, it is unclear whether:
- A “playbook run” is counted once per alert, once per case, or once per action
- Action execution counts can be reliably used to infer playbook execution counts
- Existing Chronicle logging fields can be used to accurately distinguish playbook‑level runs from action‑level runs
This lack of clarity makes it difficult to build accurate metrics for automation coverage, playbook effectiveness, and SOAR ROI reporting.
==============================================================
The intent is to clearly understand:
- The conceptual difference between a Playbook and an Action in Chronicle SecOps
- How Chronicle internally logs and counts:
- Playbook executions
- Action executions
- How playbook execution counts behave in multi‑alert → single‑case correlation scenarios
- Whether Chronicle provides a native or query‑based method to reliably calculate:
- Total playbook runs
- Total action runs
- Whether identical counts for playbook and action executions in logs is expected behavior or a misinterpretation of the data
Example from Environment
Query showed case id having 5 playbook runs and 5 action runs. When seen inside the case mgmt. view it states 1 case → 1Alert → 1 Playbook. (Refer to the snip attached below)
