Question

How to add SOP/Runbook to a case

  • June 29, 2026

skadav

I'm trying to create a comprehensive investigation guide for SOC analysts that helps them work through cases consistently and efficiently. We already have well-documented SOPs and alert-specific runbooks, but they're separate from the case workflow.

My goal is to integrate the relevant SOP/runbook directly into the case so that, when an analyst opens a case, they immediately see the investigation steps, required checks, and recommended actions in the case overview itself. This would reduce context switching and help ensure investigations follow a standardized process.

Has anyone implemented something similar? If so:

  • How did you integrate your runbooks into the case workflow?
  • Did you use playbooks, case templates, checklists, or another approach?
  • What worked well, and what challenges did you face?

I'd appreciate any suggestions, examples, or lessons learned. Thanks in advance!