The engine that powers Chronicle SOAR Orchestration and Automation was designed to automate tasks and playbooks on alerts or grouped cases.

The playbooks engine runs in parallel, triggering playbooks according to user-defined logic. Playbooks are attached to alerts, meaning that a case with 4 alerts might have 4 different playbooks running (one or more for each alert). All automation parts are executed at this stage, and the results are pushed to the next module for storage. The steps of a playbook are executed in an isolated context to prevent unwanted or harmful actions on the system.

Multiple instances of the playbooks engine can run in parallel, either on a single Chronicle SOAR node or across multiple nodes, to allow scaling out.