Playbooks overview

Cortex XSIAM 3.x Documentation

Product: Cortex XSIAM
Creation date: 2025-07-15
Last date published: 2026-06-04
Category: Administrator Guide
Abstract

Cortex XSIAM playbooks enable you to structure and automate many of your security processes. Parse case information, interact with users, and remediate.

Cortex XSIAM playbooks are visual canvases that allow you to automate your security response workflows. They can orchestrate actions across different products, manage case data, and interact with users to ensure a consistent and rapid response to security events.

One-stop playbook development

Before you start building your playbook, go to the Playbooks page and review the Org playbook list, which lists the playbooks currently in use in your organization. On the Playbook Catalog page, you can find available out-of-the-box playbooks that are not yet in use in your organization and that you can adopt. If no existing playbook meets your use case, you can develop a playbook from scratch. Whether editing an existing playbook or creating a new one, you manage the entire automation development flow in the playbook editor, including creating and editing tasks, configuring automation rules to trigger your playbooks, and setting up all relevant integrations.

Task Library

The Task Library in the playbook editor contains the objects listed below, which you can add to your playbook. For example, you can create new tasks from scripts, reuse existing tasks, and use existing playbooks as sub-playbooks.

Playbook tasks display distinct logos so you can identify the task type and origin at a glance, for example third-party integration commands, built-in scripts and tasks, and tasks that require manual input.

Task Library objects and the action each one performs:

- AI Prompts: Add AI prompts with inputs and outputs that run automatically.
- Commands & Scripts: Add commands and scripts from integrations that you install and configure instances for as needed.
- Playbooks: Add sub-playbooks to your playbook from your Org repository or from the Playbooks Catalog.
- Manual Tasks: Add tasks from playbooks in your Org repository.
- Header: Add section headers to organize your playbook.
- Blank Task: Create a new task from scratch.

Each object has a dedicated topic with further details.

Post-development playbook testing

After developing the playbook (including setting the automation rules that trigger it), run the debugger as an initial test of the playbook.

Once you confirm that the playbook runs without errors, start ingesting issues to check that it runs correctly with real data. The automation rule you defined for the playbook triggers it when a relevant issue is ingested into Cortex XSIAM.

After verifying that the playbook is triggered and runs correctly on issues, it is ready to use in production.

To see which playbook ran for an issue, go to Cases & Issues, select Issues, and scroll to the Playbook column. To view or update the playbook, select an issue and click the Work Plan tab, where you can select another playbook to run from the dropdown list.

To see which playbook ran in a case, if any, go to Cases & Issues, select Cases, and look at the Automation section in the Overview tab for the case. To view or update the playbook, go to the Issues & Insights tab, select an issue, and then click the Work Plan tab. In the Work Plan, you can select another playbook to run from the dropdown list.

For more information, see Investigate cases.