At present, playbooks can only be triggered based on information available at the time a case is created, such as initial case fields or other creation‑time metadata. This is a significant limitation, as it prevents triggering playbooks based on later context, including alert data from additional systems, case stage changes, enrichment results, or information added manually by an analyst.
As a result, it’s difficult to design playbooks that respond dynamically as a case evolves, which is a common requirement in real‑world SOC workflows.
Based on the discussion in “Unable to trigger playbook when case is set to notify” (linked above), it sounds like expanded triggering capabilities are planned for Q2 this year. Is there any additional clarity on what functionality this feature will include, and whether there is a more specific timeframe for its release?
In the meantime, is there a recommended workaround from Google to address this limitation, or is manually attaching playbooks to cases currently the only viable option?
