Add ad-hoc tasks to a Work Plan

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-25
Category: Administrator Guide

Abstract: Add ad-hoc tasks to a Work Plan in Cortex XSIAM for a specific iteration of a playbook.

Within the Work Plan, you can create tasks for a specific iteration of a playbook. The task type can be an automation or another playbook. For example, within a manual task, you might need to enrich some data when running an investigation playbook.

When you create a task, add a name, script, and description. The name and description should be meaningful so that the task corresponds to the data that you are collecting.

  1. In the Incidents page, select the incident to update.

  2. In the Alerts & Insights tab, click the alert to which you want to add the task, and then click Show Workplan.

  3. In the playbook, hover over the task where you want to add a new task and click the + sign at the bottom right-hand corner of the task.

    The ad-hoc task is added after the task you clicked.

  4. Select the task type.

    • Standard: Runs a single automation.

    • Playbook: Runs a playbook to enhance the investigation.

      The playbook functions as any playbook would and requires you to define the inputs and outputs, as well as any other details.

    Click Save.

  5. To run the Work Plan again, click the Work Plan tab.

For example, in a phishing investigation, the initial playbook run might have parsed the email and extracted several indicators, including some email addresses.

As part of the manual investigation, you could use the Email Address Enrichment playbook as an ad-hoc playbook task to get more information about these email addresses.