PICERL is the SANS 504 acronym for incident handling process, and I how usually suggest customers structure new playbooks.

Mapping common playbook Actions (i.e. API calls) to this we can get a similar alignment:

Specialising in SOAR for 3-4 years, the most common playbook Actions per category are:

Enrich/DecorateEnrich Users (Active Directory, Google Workspace, AzureAD)
Enrich Assets (SQL database, asset management)
Enrich IOC (VirusTotal, MISP, etc)
Enrich the timeframe of the alert (check SIEM for 10 minute window)
Decorate the alert with maps, ASN
Send a question to involved user with clickable response
Send a question to involved user inviting free form responses
Enrich against change requests
InvestigateChecking automated enrichments
Follow documented processes (minimal viable ticket)
Analysing “hunch” work (additional dynamic investigation)
Communicate/collaborate with teams
DecissionHuman decision: true positive / false positive (free cookie if you can categorise as false negative)
RemediationDelete file
Quarantine endpoint
Reset password/account
Block IP/Domain
Continuous TriageThe playbook (and human analyst) should continuously rescore the alert as the enrichments come in
The playbook (and human analyst) reassign according to evidence
Reflect case handling stage (and in turn automatically change SLAs)
Checking the clock to reassign on shift patterns and/or OOH processes
Communications and Data Collection from end usersSend notifications to end users with state changes
Send a question to involved user with clickable response
Send a question to involved user inviting free form responses
Outsource tactical actionsOften smaller tasks are owned by other teams, either through technical limitations (limited licences) or political limitations (only a firewall team can touch the firewall).
Using communications we can Deputise vs Delegate these smaller tasks into other ticketing systems, and automatically the playbook will recognise and continue when these have been completed.
Searching sensitive mailboxes can only be done by HR?
Changes to policies in other business units
Rebooting/disconnecting for remote on prem equipment

Taking it further

The SANS cheatsheet (link top) has many actions/ideas I rarely see in deployments, but what could we do?

Forensics Memory capturesImagine calling APIs to snapsnot a VM and put that image into a container in cloud compute ready for analysis
Recovery PhaseUn-isolating a host then placing it in a partially connected network/vlan for 30 days with stricter controls and auto audit daily checks
Enrich from policiesChecking documented policy/process for more Alert insights
TrainingImagine using SOAR to trigger Phishing emails to staff then using a playbook to count how long it takes them to report vs a different team.

Or even further?