How to investigate an issue using Cortex Response and Remediation playbooks
Issues help you monitor and control the security of your environment by alerting you to security risks in it. Cortex XSIAM generates issues from the following sources:
Agents
Firewalls
Analytics
Integrations
By analyzing an issue, you can better understand the cause of the issue, and take actions where required.
The Issues page displays a table of the issues associated with the incident. By default, the Issues page displays the security issues received over the last seven days. To see detailed information about an issue, click an issue to open the issue panel. You can then investigate the issue further by opening the issue investigation panel.
Go to Cases & Issues → Issues.
Click the issue and review the information in the issue side panel.
To see more information about the issue, click the Issue Overview tab.
The Cortex Response and Remediation playbooks are a series of tasks, scripts, conditions, commands, and loops that run in a predefined flow to save time and improve the efficiency and results of the investigation and response process. They enable you to automate many security processes, including handling investigations and managing tickets. In the Work Plan tab, you can select a playbook to run on the issue. You can watch the flow of the playbook as it automatically analyzes the issue.
Go to Cases & Issues → Issues.
Click the issue and review the information in the issue side panel.
In the Issue Investigation panel, click the Work Plan tab. A message appears that recommends which Cortex Response and Remediation playbook you should run on this issue.
Click Run. A single instance of the playbook will run.
An automation rule is a filter on an issue that creates conditions, so if an issue with specific characteristics is created (for example by source, severity, or MITRE TTP), a suitable response is issued via a playbook. This saves the analyst time and expense when investigating an issue.
You can assign a playbook to an issue so that whenever the same issue is triggered in the future, the same playbook runs automatically. You can add an automation rule from the Automation Rule Recommendations table. These playbooks are recommended to run whenever the issue is triggered. These recommendations are part of the Cortex Response and Remediation content pack.
Go to Investigation & Response → Automation → Automation Rules.
Click View Recommendations.
Select the automation rule you want and click Add selected rules.
After running the playbook, you can investigate an issue to gain more information about its cause and take any actions required. In the issue investigation panel, the following tabs are common to most issues:

| Tab | Description |
|---|---|
| Issue Overview | A summary of the issue, such as issue details, outstanding tasks, and indicators. Some fields are informational and some are editable. The sections shown depend on the layout. |
| Technical Information | Displays an overview of the information collected about the investigation, such as indicators, email information, URL screenshots, etc. When you run a playbook, the sections are completed automatically. |
| Investigation Tools | Enables you to take action on the issue, such as converting a JSON file to CSV or checking whether an IP address falls within a CIDR range. |
| War Room | A comprehensive collection of all investigation actions, artifacts, and collaboration. It is a chronological journal of the issue investigation. Each incident has a unique War Room. For information, see Use the War Room in an investigation. |
| Work Plan | A visual representation of the running playbook that is assigned to the incident. For more information, see Use the Work Plan in an investigation. |
Use the following steps to investigate and triage the issue:
Review the data shown in the issue, such as the command-line arguments (CMD), process information, etc.
Analyze the chain of execution in the causality view.
When the app correlates an issue with additional endpoint data, the Issues table displays a green dot to the left of the issue row to indicate the issue is eligible for analysis in the causality view. If the issue has a gray dot, the issue is not eligible for analysis in the causality view. This can occur when there is no data collected for an event, or the app has not yet finished processing the EDR data. To view the reason analysis is not available, hover over the gray dot.
Review the timeline of the sequence of events over time. The timeline is available for issues that have been stitched with endpoint data.
If deemed malicious, consider responding by isolating the endpoint from the network.
Remediate the endpoint and then release it from isolation.