Add sub-playbooks - Using the Task Library, add sub-playbooks. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Documentation
Product
Cortex XSIAM
Creation date
2025-07-15
Last date published
2026-06-04
Category
Administrator Guide
Abstract

Using the Task Library, add sub-playbooks.

Sub-playbooks are playbooks that are nested under other playbooks. They appear as tasks in the parent playbook flow and are indicated by the sub-playbook icon sub-playbook-icon-2.png. A sub-playbook can also be a parent playbook in a different use case.

For example, IP Enrichment - Generic v2 and Retrieve File From Endpoint - Generic v3 playbooks are usually used as part of a bigger investigation.

Since sub-playbooks are building blocks that can be used in other playbooks and use cases, you should define generic inputs for them.

Inputs can be passed to sub-playbooks from the parent playbook, used and processed in the sub-playbook, and sent as output to the parent playbook.

Note

To modify the settings or task configurations for system playbooks (out-of-the-box playbooks), your role must have the Edit Public Playbooks permission enabled. If this permission is not enabled, system playbooks will remain read-only. For more information, see Manage access to playbooks and scripts.

  1. From the Task Library pane, click Playbooks.

  2. Find the relevant sub-playbook by either searching for a specific playbook by name in your Org repository from the Org Playbooks tab, or by adopting a playbook from the Playbooks catalog tab.

    You can sort alphabetically (ABC) or by Last Modified.

  3. Hover over the playbook you want and drag it onto the playbook editor.

    When you adopt a playbook from the Playbooks Catalog, installation may take some time.

    When you adopt a system playbook, it is locked and you can only make limited changes to the playbook settings from the Playbook Starts task. For full editing capabilities, click three-dots.png and select either Duplicate (create a copy of the playbook to edit) or Edit Playbook (detach the playbook). A detached playbook does not receive updates in future content releases. If you reattach the playbook, the latest content updates will be applied and any edits you made will be overridden.

    1. If after adopting a playbook you see a warning sub-playbook-icon-warning.png indicating the sub-playbook is not ready to use, click the playbook to open its Task Details pane.

    2. In the error message, click the Open it link to view the sub-playbook in a new tab in the playbook editor.

    3. Scroll through the sub-playbook. If there is a task that requires integration setup, click the task to open the Task Details pane and click the Create an instance now link.

    4. In the integration instance settings pane, enter values for the settings fields.

    5. Click Save & Exit for the integration instance.

  4. Configure the sub-playbook.

    1. In your main playbook editor, click the sub-playbook you added. The Task Details pane opens.

    2. Click the Open sub-playbook link to open the sub-playbook in a new tab. You can then view and edit the tasks in the sub-playbook.

    3. Click the curly brackets next to the sub-playbook name to select the data source for the sub-playbook.

    4. Configure the sub-playbook settings from the following tabs.

      Tab

      Settings

      Inputs

      Any required input arguments for the sub-playbook.

      Outputs

      Any outputs defined for the sub-playbook.

      Advanced

      • Skip this branch if this script/playbook is unavailable

      • Quiet Mode: Determines whether this task uses the playbook default setting for quiet mode. When in quiet mode, tasks do not display inputs and outputs or extract indicators. Errors and warnings are still documented. You can turn quiet mode on or off at the task or playbook level.

      Loop

      Click one of the following options to define loop settings:

      • None: (Default) The sub-playbook does not loop.

      • Built-in: Use built-in functions to define loop settings:

        Option

        Description

        Exit when

        Enables you to define when to exit the loop. Click {} and expand the source category. Hover over the required source and click Filter & Transform to the left of the source to manipulate the data.

        Equals (String)

        Select the operator to define how the values should be evaluated.

        Max iterations

        The number of times the loop should run.

        Tip

        Balance between the number of iterations and the interval so you do not overload the server.

        Sleep

        The number of seconds to wait between iterations.

        recommends that you balance between the number of iterations and the number of seconds to wait between iterations so you don't overload the server.

      • For each input: Runs the sub-playbook based on defined inputs. Enter the number of seconds to wait between iterations.

      • Choose Loop automation: Select the automation from the drop-down list to define when to exit the loop. The parameters that appear are applicable to the selected automation.

      For more information, see Configure a sub-playbook loop.

      Details

      Task description (Markdown supported): Displays a description for this playbook (if one exists).

      Timers

      • Timer.start: The trigger for starting to send a message or survey to recipients. You can change this trigger or add a trigger for Timer.stop or Timer.pause. Select the trigger timer field from the drop down.

      • Add Trigger: You can add other trigger timer fields from the drop down.

  5. Select whether the outputs of the sub-playbook are Shared globally or Private to sub-playbook (default).

  6. Click OK.

  7. Connect the sub-playbook you've added by dragging and dropping a wire.