March 10th, 2025
Playbooks Expand Automation in the SecOps Cloud Platform

Daniel Ballmer

Don’t let the “play” in LimaCharlie’s new Python playbooks fool you: they will do serious work for your business.
What Are LimaCharlie Playbooks?
LimaCharlie Playbooks expand the use of Python in the SecOps Cloud Platform (SCP), reducing the learning curve for leveraging advanced capabilities in our platform. While the current format of our detection and response rules remains highly effective, our playbooks make much of the same functionality available to Python scripts. Playbooks also give users fine-grained control over certain operations that LCQL does not offer.
At the granular level, a playbook is a Python script that defines a function with a specific name. A playbook receives an instance of the LimaCharlie SDK that is pre-authenticated according to the credentials the customer requested. Once authenticated, the playbook executes whatever activity it is programmed to perform. For more technical details on playbooks, read the official LimaCharlie Playbooks documentation.
Why Playbooks?
As with most things on the SCP, playbooks can be as useful and powerful as you need them to be. What are some potential use cases? A playbook could be written to create a JIRA ticket from an SCP detection. Playbooks could perform in-depth analysis of certain detections to provide greater context or additional insights. They are also excellent candidates for regular, scripted activity across tenants: for example, perhaps once a week you would like to check a particular status on all sensors. With playbooks, you can use Python to interact with anything on the platform that has an API.
When Do They Run?
A playbook can be triggered through multiple avenues in the SCP. These include:
Manually through the web GUI
Through a REST API
With detection and response (D&R) rules
Through another playbook
What Do They Return?
Playbooks return:
A dictionary of data to the caller
An error message (as a string)
A dictionary usable as a detection
A string to use as the category for a detection (if a detection is returned)
Operational Details
Playbooks have access to the vanilla Python deployment in the SCP; further libraries may be added upon customer request. You can manage playbooks via API, SDK, and infrastructure-as-code, deploying them across all tenants if you wish. A playbook’s code executes when its function is called. Playbooks can also execute on a schedule, but they do not support ongoing background operations: each playbook execution is capped at a maximum run time of 10 minutes.
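As an added example (not LimaCharlie’s own code) of the script structure described under "What Are LimaCharlie Playbooks?", the return shapes listed under "What Do They Return?" and the 10-minute cap above, here is a playbook that implements the post’s own use case of checking a status on every sensor. The entry-point name `playbook(sdk, data)`, the return keys `data`, `error`, `detection` and `detect_category`, the SDK calls `sdk.sensors()` and `sensor.getInfo()`, and the info fields are all assumptions rather than details from the page; the stub SDK and sample sensors are constructed so the script runs offline.

```python
import time
# Stay under the 10-minute per-execution cap the post describes (assumed margin).
RUN_BUDGET_SECONDS = 9 * 60

def playbook(sdk, data):
    """Entry point (name and signature assumed). `sdk` is the pre-authenticated
    SDK instance the platform hands in; `data` is the caller's input dict."""
    data = data or {}
    max_stale_h = float(data.get("max_stale_hours", 24))
    deadline = time.monotonic() + float(data.get("budget_seconds", RUN_BUDGET_SECONDS))
    stale, scanned = [], 0
    try:
        for sensor in sdk.sensors():  # assumed SDK call
            if time.monotonic() > deadline:
                # Return a string error instead of being killed at the cap mid-run.
                return {"error": f"run budget exhausted after {scanned} sensors"}
            info = sensor.getInfo()  # assumed: dict with sid, hostname, alive (epoch secs)
            scanned += 1
            silent_h = (time.time() - info["alive"]) / 3600
            if silent_h > max_stale_h:
                stale.append({"sid": info["sid"], "hostname": info["hostname"],
                              "hours_silent": round(silent_h, 1)})
    except Exception as exc:
        return {"error": f"sensor enumeration failed: {exc}"}
    result = {"data": {"scanned": scanned, "stale": stale}}
    if stale:
        # A dict usable as a detection, plus the category string for it.
        result["detection"] = {"stale_sensors": stale, "threshold_hours": max_stale_h}
        result["detect_category"] = "stale-sensor"
    return result

class FakeSensor:
    """Constructed stand-in for an SDK sensor object (offline only)."""
    def __init__(self, info):
        self._info = info
    def getInfo(self):
        return self._info

class FakeSDK:
    """Constructed stand-in for the pre-authenticated SDK instance (offline only)."""
    def __init__(self, infos):
        self._sensors = [FakeSensor(i) for i in infos]
    def sensors(self):
        return iter(self._sensors)

NOW = time.time()
SAMPLE_SENSORS = [  # constructed sample data, not real sensor records
    {"sid": "sid-a", "hostname": "web-01", "alive": NOW - 600},
    {"sid": "sid-b", "hostname": "db-02", "alive": NOW - 3 * 86400},
]
```

Calling `playbook(FakeSDK(SAMPLE_SENSORS), {"max_stale_hours": 24})` returns the data dictionary plus a detection for the sensor silent for three days; a failing SDK call or an exhausted run budget yields the error-string form instead.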
Availability in LimaCharlie Labs
Playbooks are our first extension to be featured as part of LimaCharlie Labs. LimaCharlie Labs represents early-stage capabilities that are available to our users. These capabilities are often prototypes that lack common features (like a polished user interface). However, they provide new value to users and, based on customer feedback, may be developed further.
Pricing
Playbook executions are billed on a per-second basis.
To learn more about LimaCharlie's Playbooks, book a demo.