Solved

Playbook Triggering Based on Case State, Alert Changes, and Enrichment Context

Forum|Forum|1 month ago
April 7, 2026
8 replies
150 views

LenaLSG
Bronze 3

At present, playbooks can only be triggered based on information available at the time a case is created, such as initial case fields or other creation‑time metadata. This is a significant limitation, as it prevents triggering playbooks based on later context, including alert data from additional systems, case stage changes, enrichment results, or information added manually by an analyst.

As a result, it’s difficult to design playbooks that respond dynamically as a case evolves, which is a common requirement in real‑world SOC workflows.

Based on the discussion in Unable to trigger playbook when case is set to notify (linked above), it sounds like expanded triggering capabilities are planned for Q2 this year. Is there any additional clarity on what functionality this feature will include, and whether there is a more specific timeframe for its release?

In the meantime, is there a recommended workaround from Google to address this limitation, or is manually attaching playbooks to cases currently the only viable option?

Best answer by AymanC

Hi @LenaLSG,

May be a bit overkill, but could you create a custom action which acts as a job which runs every X minutes, identifies cases that are of a certain case stage using the endpoint 'api/external/v1/search/CaseSearchEverything', and then for each of those cases use ‘/api/external/v1/dynamic-cases/GetCaseDetails/{caseId}’ to return details on the case and for certain actions to be performed on the output of this?

Kind Regards,

Ayman

+12

_K_O
Bronze 5
Forum|Forum|1 month ago
April 8, 2026

Hi @LenaLSG ,

I can’t comment on timelines, but I agree that it’s a limitation. My team currently uses a combination of Quick Actions and Async Pending Actions.

+14

AymanC
Bronze 5
Answer
Forum|Forum|1 month ago
April 9, 2026

Hi @LenaLSG,

Kind Regards,

Ayman

AnimSparrow
Bronze 2
Forum|Forum|1 month ago
April 13, 2026

quick action button OR jobs that will run every X minutes and apply playbook based on status:

here is a glance how to achieve something like this

in short, create job that will gather cases since X days and check their stages and IF stage is XYZ run playbook

LenaLSG
Author
Bronze 3
Forum|Forum|1 month ago
April 14, 2026

Thanks all for the useful responses. We’ve created a solution for now that uses the delay playbook action from the official tools integration by Google.

We’ve tested this and it appears to work effectively for our needs of reattaching a playbook or triggering a block after a delay or several hours or even days. However, if this proves unreliable, we intend to create a custom job to handle the task.

Ryant
Bronze 1
Forum|Forum|2 days ago
May 20, 2026

Thanks all for the useful responses. We’ve created a solution for now that uses the delay playbook action from the official tools integration by Google.

Do you mind providing details on how you accomplished this as a workaround? We too want to initiate a playbook on a specific entity such as an individual IP address on the case rather than applying the playbook to every IP address on the case

JensW
Bronze 2
Forum|Forum|1 day ago
May 21, 2026

Check out this feature: Use reaction triggers in playbooks | Google Security Operations | Google Cloud Documentation

Ryant
Bronze 1
Forum|Forum|1 day ago
May 21, 2026

I really like the sound of this. I dont yet have access to this feature in our environment, but can certainly see some of my use case obtacles being solved with this.

AnimSparrow
Bronze 2
Forum|Forum|1 day ago
May 22, 2026

Check out this feature: Use reaction triggers in playbooks | Google Security Operations | Google Cloud Documentation

this one sound amazing, how to receive it? we have not yet this option visible on our instance

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded