Best practices - Administrator Guide - Cortex XSIAM - Cortex - Security Operations


Best practices for working with playbooks.

We recommend the following practices to ensure your playbooks run optimally.

Use quiet mode

Run playbooks in quiet mode to reduce the incident size and execute playbooks faster. For playbooks running in jobs, indicator enrichment should be done in quiet mode.

Limit indicator extraction

When configuring your integration, set indicator extraction to none and extract indicators only in specific tasks where required.

Break up large playbooks into sub-playbooks

If a playbook has more than thirty tasks, break the tasks into multiple sub-playbooks. Sub-playbooks can be reused, are easier to manage when upgrading, and make the main playbook easier to follow.

Update scripts

Update scripts and integration commands in playbook tasks to their most current version. Scripts that have updates are designated by a yellow triangle.

When a script is deprecated, it is not removed from Cortex XSIAM, and it does not cause playbooks to stop with an error.

Remove unused playbook tasks

For production playbooks, remove playbook tasks that are not connected to the playbook workflow.
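
One way to check the sub-playbook and unused-task recommendations above before promoting a playbook to production. This is an added example, not Palo Alto Networks code: the function names are hypothetical, the sample playbook is constructed, and it assumes the playbook export has been loaded into a dict with `starttaskid`, `tasks` and per-task `nexttasks` keys.

```python
from collections import deque

MAX_TASKS = 30  # "more than thirty tasks" threshold from the guidance above


def reachable_tasks(playbook):
    """Return the ids of all tasks reachable from the start task."""
    tasks = playbook["tasks"]
    seen = set()
    queue = deque([str(playbook["starttaskid"])])
    while queue:
        tid = queue.popleft()
        if tid in seen or tid not in tasks:
            continue  # already visited (loops) or dangling reference
        seen.add(tid)
        # Assumed layout: nexttasks maps a branch label to a list of task ids.
        for targets in (tasks[tid].get("nexttasks") or {}).values():
            queue.extend(str(t) for t in targets or [])
    return seen


def lint_playbook(playbook):
    """Flag oversized playbooks and tasks not connected to the workflow."""
    tasks = playbook["tasks"]
    unconnected = sorted(set(tasks) - reachable_tasks(playbook))
    return {
        "task_count": len(tasks),
        "too_large": len(tasks) > MAX_TASKS,
        "unconnected": unconnected,
    }


# Constructed sample: tasks 4 and 5 are not reachable from start task 0,
# even though task 4 itself points onward into the workflow.
SAMPLE_PLAYBOOK = {
    "starttaskid": "0",
    "tasks": {
        "0": {"nexttasks": {"#none#": ["1"]}},
        "1": {"nexttasks": {"yes": ["2"], "#default#": ["3"]}},
        "2": {"nexttasks": {"#none#": ["3"]}},
        "3": {},
        "4": {"nexttasks": {"#none#": ["3"]}},
        "5": {},
    },
}

if __name__ == "__main__":
    print(lint_playbook(SAMPLE_PLAYBOOK))
```

A task that only has outgoing links, such as task 4 in the sample, still counts as unconnected because nothing in the workflow leads to it.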