Learn how to build playbooks in Cortex XSIAM.
Depending on your use case, you can use or customize a system playbook or develop a new playbook from scratch.
Developing a new playbook from scratch enables a tailored solution for your use case, whereas customizing a system playbook can save time, reduce complexity, and be a more efficient way to meet your organization's specific security and issue response needs.
Important
The ability to create, edit, or share custom playbooks is governed by access management. If certain options are unavailable, contact your administrator. For more information, see Manage access to playbooks and scripts.
Follow these steps to build a playbook.
| Task | Description | See More |
|---|---|---|
| Task 1. Choose from existing playbooks or create your own | Search for an out-of-the-box playbook to use, customize it, or create one based on your use case. | See topic. |
| Task 2. Configure playbook settings | Define playbook settings, such as playbook triggers, inputs and outputs, and general settings. | See topic. |
| Task 3. Add objects from the Task Library | The Task Library contains AI prompts, scripts, sub-playbooks, and tasks that enable you to communicate with end users, set conditions, and store relevant data. | See topic. |
| Task 4. Add custom playbook features | Customize your playbook, including adding scripts and sub-playbook loops, filtering and transforming data, extracting indicators, extending context, creating issue fields, and polling. | See topic. |
| Task 5. Test and debug the playbook | Use the playbook debugger to set breakpoints and conditional breakpoints, skip tasks, and override inputs and outputs. | See topic. |
| Task 6. Manage playbook content | Save versions of your playbook in Cortex XSIAM, or manage your playbook content development and testing using a remote repository. | See topic. |