Procedure

1. Go to Workflow and Automation → Security Playbooks.
2. On the Playbooks tab, choose Add → Create playbook.
3. On the Playbook Settings panel, select the Risk events type, specify a unique name for the playbook, and click Apply.
4. On the Trigger Settings panel, select the trigger type and click Apply.
   • Manual: Allows you to start the playbook execution by clicking the Run icon ()
   • Scheduled: Allows you to schedule the playbook to run hourly, daily, weekly, or monthly

   Important To create Security Awareness Training Campaign playbooks, make sure that the trigger type is set to Manual or Scheduled with the Frequency set to Monthly.

5. On the Target Settings panel, select and configure the Target for the playbook and click Apply.
   You can add a maximum of 10 Target nodes for each Security Awareness Training Campaign playbook.
   1. In the Risk factor drop-down list, select Account compromise or XDR detection from the Risk factor drop-down list.
   2. In the Risk event drop-down list, select the risk events for which the user accounts need to receive the necessary training.

      Important If you select All risk events, the playbook target automatically includes any future risk events associated with the selected risk factor. Only risk events with New and In progress states trigger playbook actions.

   3. In the Risk level drop-down list, select the risk levels of the risk events.
6. If you need to take actions when specific conditions are met, configure the Condition node.
   1. Click the add node () on the right of the Target node and click Condition.
   2. Create a condition setting by specifying the Parameter, Operator, and Value.
      • IS: The condition is triggered if any of the values is matched
      • IS NOT: The condition is triggered if none of the values is matched
   3. Click Apply.
   4. If you need to add more than one parallel Condition node, click the add node () on the right of the Target node.
   5. If you need to configure action settings for the Condition node, add an Action node by clicking the add node () on the right.
      For details, see Step 7.
   6. If you need to configure else-if conditions or else actions, add an Else-If Condition or Else Action node by clicking the add node () under the Condition node.
      For details, see Step 9.
7. Configure actions by adding an Action node.
   1. Click the add node () on the right of the Condition node and click Action.
   2. On the Action Settings panel, select Create training campaign and configure the training campaign settings.

      Setting	Description
      Training program	The training program you want to use for the campaign For more information about the training programs, see Get started with training campaigns.
      Category	The category of the training program you selected
      Campaign duration	The length of time the campaign will run

   3. Select whether to send a notification to request manual approval to create general actions, and then configure the notification settings if you require manual approval.

      Note Actions pending manual approval for over 24 hours expire and cannot be performed.

      Setting	Description
      Notification method	Email: Sends an email notification to specified recipients Webhook: Sends a notification to specified webhook channels
      Subject prefix	The prefix that appears at the start of the notification subject line
      Recipients	The email addresses of recipients The field only appears if you select Email for Notification method.
      Webhook	The webhook channels to receive notifications The field only appears if you select Webhook for Notification method. Tip To add a webhook connection, click Create channel in the drop-down list.

   4. Click Apply.
   5. If you need to add more than one parallel action, use the add node () on the right of the Target or Condition node.
8. Configure notification settings by adding the second Action node.
   1. Click the add node () on the right of the first Action node and click Action.
   2. On the Action Settings panel, specify how to notify recipients of the playbook results.
   3. For email and webhook notifications, configure the following settings.

      Note ServiceNow ticket notifications are not available to send playbook results.

      Setting	Description
      Subject prefix	The prefix that appears at the start of the notification subject line
      Recipients	The email addresses of recipients The field only appears if you select Email for Notification method.
      Webhook	The webhook channels to receive notifications The field only appears if you select Webhook for Notification method. Tip To add a webhook connection, click Create channel in the drop-down list.

   4. Click Apply.
9. Configure Else-If Conditions or Else Actions if necessary.
   1. Click the add node () below the Condition node and click Else-If Condition or Else Action.
   2. Configure a Condition node by following Step 6 or an Action node by following Step 7 or Step 8.

   Note The nodes that can be added by using an add node () vary depending on the preceding node. For example, an Action node can only be possibly followed by another Action node; a Condition node can be followed by an Action node or have an Else-If Condition or Else Action attached to it. When a condition is false, the playbook performs the Else Action or checks if its Else-If Condition is met. If the Else-If Condition is met, the playbook continues to perform the corresponding Else Action. Multiple Action nodes configured in a serial mode are taken sequentially.

10. Enable the playbook by toggling the Enable control on.
11. Click Save.
    The playbook appears on the Playbooks tab in the Security Playbooks app.