Protect and automate

Playbooks

Configure source-aware workflows that distribute issues, notify administrators, remediate supported risks, or enforce browser controls.

Reviewed Jul 12, 2026 · Product

Overview

Playbooks are configurable workflows attached to an elba security module. A workflow starts with a supported detection, applies the conditions you select, and performs the action shown in the editor.

The available triggers, conditions, and actions depend on the module, connected source, and source capabilities. Treat the options displayed in the playbook editor as the source of truth for your organization.

Open Playbooks

Sign in to the EU admin portal or US admin portal, then open Security, choose a module, and select Playbooks.

Playbooks currently appear under:

  • Data Protection
  • Third-Party Apps
  • Authentication
  • Browser Security

There is no separate global Playbooks page. Each module owns its available starter templates and configured workflows.

How a playbook works

Trigger

The trigger identifies the product event the workflow evaluates. Current trigger families include:

  • An externally shared object in Data Protection
  • A detected third-party application, CVE, or data breach in Third-Party Apps
  • An account using the wrong authentication method in Authentication
  • Supported browser findings, such as sensitive input, sensitive file upload, potential data exfiltration, or access to an unauthorized application

The selected source can change which triggers are available.

Conditions

Conditions narrow the workflow to the relevant findings. Depending on the trigger and source, the editor can offer conditions based on members, groups, issue dates, data-sharing or content attributes, application attributes, or browser-finding details.

Some conditions are evaluated when a finding is created; date-based conditions can be evaluated later. A workflow only acts when its configured conditions match.

Action

The editor only offers actions supported for the selected trigger and source. Current action types include:

  • Distribute issue to make a supported issue available to the affected employee
  • Notify admins using the configured organization or per-user communication channel; the workflow can target selected administrators where that option is available
  • Remediate issue for a source-supported permission or account action
  • Block browser action for supported sensitive-input or file-upload findings
  • Block page access for supported unauthorized-application findings

Some issue-distribution workflows can add remediation after a configurable waiting period. Review the exact period and source-changing action in the editor before activation.

Behavior by module

Data Protection

Data Protection playbooks evaluate detected external-sharing issues. They can distribute matching issues to employees and, for sources that expose the required capability, add a remediation action. Conditions can cover sharing, content, risk, age, format, tags, members, groups, and issue state when those fields are available for the selected source.

See Data Protection for issue investigation and employee remediation behavior.

Third-Party Apps

Third-Party Apps playbooks can distribute detected application issues or notify administrators about supported CVE and data-breach events. Application, publisher, reputation, permission, compliance, hosting, AI, member, group, and issue conditions are available only where the selected trigger supports them.

See Third-Party Apps for the inventory and issue workflow.

Authentication

Authentication playbooks can distribute supported wrong-authentication-method issues. The configured workflow and connected identity source determine which accounts are evaluated and what employee action is available.

See Identity and access reviews for related account-review workflows.

Browser Security

Browser Security playbooks work with findings reported by an enrolled browser extension and a connected browser source. Depending on the trigger, a workflow can block a supported browser action or page, or notify administrators. Member, group, AI-tool, and exfiltration-severity conditions are available for the relevant browser triggers.

The browser extension caches the active blocking workflows for the signed-in user. A newly activated or edited workflow can therefore take effect after the extension refreshes its configuration rather than at the exact moment the admin saves it.

See Browser extension capabilities for the supported controls and prerequisites.

Create or update a playbook

  1. Open the relevant module's Playbooks tab.
  2. Choose a starter template, or open an existing workflow.
  3. Select the connected source and review the trigger.
  4. Add only the conditions needed for the intended scope.
  5. Review the action, recipients, and any waiting period shown in the editor.
  6. Save the workflow as a draft or activate it.
  7. Return to the module's Playbooks list to review its status, then use the module's issue or action history where available.

Configured workflows can be Draft, Active, or Paused. A source connection error is also surfaced in the Playbooks list because it can prevent the workflow from completing source-dependent work.

Safe rollout

  1. Review representative findings before creating an automation.
  2. Start with a narrow member, group, source, or risk scope.
  3. Confirm notification recipients and employee communication settings.
  4. Test source-changing or blocking behavior with a controlled group.
  5. Review the workflow activity and affected issues before expanding its scope.
  6. Pause the workflow if the connected source changes or results differ from the intended policy.

Detection, notification delivery, and source remediation depend on connected services and their current health. For an urgent incident, verify the result in the source system instead of relying on a playbook as the only response control.

On this page