In Microsoft Sentinel, automation of routine or repetitive SOC tasks is delivered through playbooks. Microsoft’s Sentinel guidance defines playbooks as “collections of procedures that can be run from Microsoft Sentinel in response to an alert or incident.” They are “built on Azure Logic Apps” and enable teams to “automate and orchestrate responses to threats” such as enriching incidents, opening tickets, notifying responders, quarantining entities, or blocking indicators. The documentation further clarifies that automation rules can “trigger playbooks automatically based on analytics alerts or incident conditions,” allowing consistent, scalable actions without manual intervention. By contrast, workbooks provide “data visualization and reporting” for analysis; hunting search-and-query tools (built on KQL) are used to “proactively hunt for threats”; and deep investigation tools assist analysts during incident investigation. Therefore, when the goal is to automate common tasks—for example, sending incident notifications, enriching with threat intelligence, or creating tickets in ITSM—the correct capability in Microsoft Sentinel is playbooks, because they encapsulate repeatable response procedures and can be executed automatically via automation rules or manually from incidents, alerts, or entities.