Execution History
View all playbook executions with a full audit trail. The execution history provides visibility into every automated action taken across your environment, enabling accountability and troubleshooting.
History Record Details
Each execution record captures the complete lifecycle of a playbook run:
| Field | Description |
|---|---|
| Trigger Event | The event that initiated the playbook (alert, schedule, manual) |
| Timestamp | Exact date and time of execution start and end |
| Affected Resource | User, device, or resource acted upon |
| Actions Taken | List of each action with individual success/failure status |
| Duration | Total time from trigger to completion |
| Errors | Error details and rollback information for failed actions |
Execution Statuses
| Status | Meaning |
|---|---|
| Succeeded | All actions completed successfully |
| Failed | One or more actions encountered errors |
| Partial | Some actions succeeded, others failed or were skipped |
| Pending Approval | Paused at an approval gate awaiting human confirmation |
| Rolled Back | Actions were reversed due to failure or manual intervention |
Filtering and Search
Filter execution history by:
- Playbook — View executions for a specific playbook
- Status — Filter by Succeeded, Failed, Partial, or Pending
- Date range — Specify start and end dates
- Tenant — Filter by specific managed tenant
- Trigger type — Event-driven, scheduled, or manual
Example Execution Timeline
A typical Compromised User Response execution:
- Trigger — High-risk sign-in detected for user@contoso.com
- Action 1 — Block user sign-in immediately (Succeeded, 2s)
- Action 2 — Revoke all active sessions (Succeeded, 3s)
- Action 3 — Reset password and require MFA re-registration (Succeeded, 5s)
- Action 4 — Create ticket and notify SOC team (Succeeded, 1s)
- Total Duration — 11 seconds
Audit Trail
The execution history serves as a complete audit trail for compliance:
- Every trigger event is logged with source details
- Each action records the before and after state
- Approval decisions include approver identity and timestamp
- Rollback events document what was reversed and why
- All records are immutable and tamper-evident
Export Options
Export execution history for reporting and compliance:
- Full Report — All executions with detailed status and action logs
- Failures Only — Executions that failed, with error messages and context
- Audit Log — Operation timeline with timestamps for compliance reporting
- CSV Export — Tabular format for spreadsheet analysis
Retention
Execution history records are retained based on your configuration:
- Default retention: 90 days
- Extended retention available for compliance requirements
- Exported reports are retained independently of history retention settings
API Reference
GET /api/automation/executions— List execution historyGET /api/automation/executions/:id— Get execution details with full action logGET /api/automation/playbooks/:id/executions— Get executions for a specific playbookGET /api/automation/executions/:id/actions— Get individual action resultsPOST /api/automation/executions/export— Export execution history
Last updated on