Task 2. Configure playbook settings

Cortex XDR 5.x Documentation

Product: Cortex XDR
License: XDR + Cloud
Creation date: 2025-07-13
Last date published: 2026-06-11
Category: Administrator Guide
Abstract: Define playbook triggers, inputs and outputs, and general settings when you customize or create a new playbook.

After selecting the playbook you want to edit or after creating a new playbook, configure playbook settings as relevant, including:

  • Triggers: Define the condition applied to a specific issue that will trigger the playbook to run. Leave these settings empty to use the playbook as a sub-playbook or to only run the playbook manually. For more information, see Create an automation rule.

  • Inputs and outputs: Define and fill in input and output parameters required for the playbook to function correctly, grouping them as needed.

  • General settings: Define roles for edit access and whether to run the playbook in Quiet Mode. In Quiet Mode, playbook tasks do not save inputs and outputs or extract indicators. Tasks are not indexed, so you cannot search on the results of the specific tasks. All the information is still available in the context data, and errors and warnings are written to the War Room.

How to configure playbook settings
  1. In the playbook editor, click the settings wheel on the Playbook Starts task.

    The Playbook Settings pane opens, showing the playbook name, description and tags at the top. You can edit these fields by clicking the pencil icon.

    The pane opens with the Triggers tab on the bottom.

    Note

    If the playbook has inputs and outputs, the Playbook Starts task will show back and forth arrows. Clicking them opens the Inputs/Outputs tab of the Playbook Settings pane.

    The playbook is Enabled by default. If the playbook is disabled, it will not run on an issue.

  2. In the Triggers tab, under Automation Rules, define the rule that will trigger the playbook.

    1. Click Add a rule.

    2. Set the name and description for the rule.

      The Status is enabled by default.

    3. Define the condition that will trigger the playbook, and select the issue to apply the condition to.

      To add rule conditions, in the Issues table, use the filter to select a field and its value, or right-click a table cell to select that field and value.

      For example, to define a trigger condition for Malware issues with severity Critical, find a Malware issue with Critical severity in the Issues table, right-click the cell in the Name column and select Show rows with 'Malware', then right-click the cell in the Severity column and select Show rows with 'Critical'. This sets the filter for this condition.

      Note

      For more information on Automation Rules, see Create an automation rule.

    4. Click Create.

    Note

    This rule will trigger the playbook to run if no other Automation Rule triggers the playbook first. You can view and edit the order in which the rules run on the Automation Rules page.

    Playbooks lists any playbooks that use this playbook as a sub-playbook.

  3. In the Inputs/Outputs tab, add groups with input and output fields.

  4. In the General tab, configure the following:

    • Add roles for edit access to the playbook.

    • Optionally select Quiet Mode for playbooks with a heavy data load that might adversely affect performance.

      In Quiet Mode, playbook tasks do not save inputs and outputs or extract indicators. Tasks are not indexed, so you cannot search on the results of the specific tasks. All the information is still available in the context data, and errors and warnings are written to the War Room.

      In the War Room (under the Case War Room tab for cases, and the War Room tab for issues) you can run the !getInvPlaybookMetadata command to analyze the size of playbook tasks in a specific issue Work Plan to determine whether to implement Quiet Mode for playbooks or tasks.
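
The ordering note in step 2 has a practical consequence: a broad rule placed higher on the Automation Rules page can keep a narrower rule from ever triggering its playbook. The following Python example is added here and is not Palo Alto Networks code or a Cortex XDR API; it assumes rules are field/value filters evaluated top to bottom with the first enabled match winning, and the rule and playbook names are constructed.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str            # hypothetical rule name
    playbook: str        # hypothetical playbook name
    conditions: dict     # field -> required value; every pair must match
    enabled: bool = True # rule Status, enabled by default

def select_playbook(rules, issue):
    """Return (rule name, playbook) of the first enabled rule matching the issue."""
    for rule in rules:
        if rule.enabled and all(issue.get(f) == v for f, v in rule.conditions.items()):
            return rule.name, rule.playbook
    return None  # no rule matched: the issue triggers no playbook

def shadowed_rules(rules):
    """List (later rule, earlier rule) pairs where the later rule can never fire.

    A later rule is shadowed when an earlier enabled rule's conditions are a
    subset of its own: every issue it matches is claimed by the earlier rule.
    """
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.enabled and earlier.conditions.items() <= later.conditions.items():
                found.append((later.name, earlier.name))
                break
    return found

# Constructed rule order, top to bottom. The second rule uses the
# Malware / Critical filter from the example in step 2.
RULES = [
    Rule("All critical issues", "Generic triage", {"Severity": "Critical"}),
    Rule("Critical malware", "Malware response",
         {"Name": "Malware", "Severity": "Critical"}),
    Rule("Phishing", "Phishing response", {"Name": "Phishing"}),
]

if __name__ == "__main__":
    issue = {"Name": "Malware", "Severity": "Critical"}  # constructed issue
    print("as ordered:", select_playbook(RULES, issue))
    print("shadowed:  ", shadowed_rules(RULES))
    fixed = [RULES[1], RULES[0], RULES[2]]  # narrow rule moved above the broad one
    print("reordered: ", select_playbook(fixed, issue))
    print("shadowed:  ", shadowed_rules(fixed))
```

Running the same check against an export or transcription of your own rule order shows which triggers need to move up before the playbook they belong to can run.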