To automatically attach a playbook with trigger condition "ALL" to a manual case

How to automatically attach a playbook with trigger condition "ALL" to a manual case?

I tested it; it doesn't work.

ACCEPTED SOLUTION

Hey,

There's a couple of ways you can achieve testing here - I'll start with the first you mention "Manual Case".

If you use the UI to generate the manual Case - there is a section to choose the playbook to add to the alert when it is generated here:

image.png

This will generate you a manual case with the attached playbook you have selected.

If you are looking to test the playbook with real data - I would suggest simulating a case instead. You can create your own simulated cases by clicking "simulated cases" under create manual case - and then pressing the "+" symbol in the top right of the window - from here - you can either import a case JSON or make your own data up. Once you have either imported or made your own simulated case - it is as simple as selecting the alert you wish to simulate and clicking the simulate button. This should ingest the simulated case through the case pipeline and as such work with any triggers/playbooks which are turned on and functioning.

Finally - a quick way to produce a test case in the queue is to use the "ingest as test case" feature - if you find an alert you wish to keep testing you can utilise the functionality from the Case UI here:

KyHud_0-1723552702849.png

This will reingest the data in the alert - again through the case pipeline - attaching a playbook where necessary.

These are all UI implementations of testing - if you are using the API for manual cases you will need to ensure you are adding the playbook ID to the playbooks array as part of the manual case payload below:

KyHud_1-1723552871645.png

To find this ID - you can use the API endpoint with a GET request: "api/external/v1/playbooks/GetWorkflowMenuCardsWithEnvFilter?format=camel"
Which will list all playbooks with their names and associated IDs - or you can use Chrome DevTools:
- Open DevTools, and click on the network tab
- Visit the playbooks tab in SecOps SOAR
- Click the Playbook you want the ID for

In the network tab there will be a call to

https://<YourSOARInstanceURL>/api/external/v1/playbooks/GetWorkflowFullInfoWithEnvFilterByIdentifier/00000000-1111-2222-3333-123456789012?format=camel
where "00000000-1111-2222-3333-123456789012" will be the Playbook ID you need to include in the manual case payload.
 
Cheers
Kyle
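
The two ID lookups described in the answer above, as an added Python example that is not part of the original post or the product's own code. It assumes the API key is sent in an `AppKey` header and that each entry in the list response carries `name` and `identifier` keys; the sample response is constructed.

```python
import json
import re
import urllib.request
from urllib.parse import urlparse

LIST_PATH = "/api/external/v1/playbooks/GetWorkflowMenuCardsWithEnvFilter?format=camel"
DETAIL_MARKER = "/GetWorkflowFullInfoWithEnvFilterByIdentifier/"
UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def fetch_playbook_cards(base_url, api_key):
    """GET the playbook list from the endpoint named in the answer."""
    # Assumption: the SOAR API key is sent in an "AppKey" request header.
    req = urllib.request.Request(base_url.rstrip("/") + LIST_PATH,
                                 headers={"AppKey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def find_playbook_id(cards, name):
    """Resolve a playbook name to exactly one ID, refusing ambiguous matches."""
    wanted = name.strip().casefold()
    # Assumption: each list entry has "name" and "identifier" keys.
    ids = [c["identifier"] for c in cards
           if str(c.get("name", "")).strip().casefold() == wanted]
    if len(ids) != 1:
        raise LookupError(f"{len(ids)} playbooks named {name!r}; expected exactly 1")
    return _checked(ids[0])


def playbook_id_from_url(url):
    """Pull the ID out of a request URL copied from the DevTools network tab."""
    path = urlparse(url).path
    if DETAIL_MARKER not in path:
        raise ValueError("not a GetWorkflowFullInfoWithEnvFilterByIdentifier URL")
    return _checked(path.split(DETAIL_MARKER, 1)[1].split("/", 1)[0])


def _checked(value):
    """Reject anything that is not shaped like the ID shown in the answer."""
    if not UUID_RE.match(value):
        raise ValueError(f"unexpected playbook ID format: {value!r}")
    return value.lower()


# Constructed sample response (not real data) so the lookup runs offline.
SAMPLE_CARDS = [
    {"name": "Phishing Triage", "identifier": "00000000-1111-2222-3333-123456789012"},
    {"name": "Default", "identifier": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},
    {"name": "default", "identifier": "11111111-2222-3333-4444-555555555555"},
]
```

Refusing a name that matches zero or several playbooks keeps an automated manual-case request from silently attaching the wrong playbook.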
 
