Best practices - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-18
Category: Administrator Guide
Abstract

Best practices for working with playbooks.

We recommend the following practices to ensure your playbooks run optimally.

Use quiet mode

Run playbooks in quiet mode to reduce the incident size and execute playbooks faster. For playbooks running in jobs, indicator enrichment should be done in quiet mode.

Limit indicator extraction

When configuring your integration, set indicator extraction to none and extract indicators only in specific tasks where required.

Break up large playbooks into sub-playbooks

If a playbook has more than thirty tasks, break the tasks into multiple sub-playbooks. Sub-playbooks can be reused, are easier to manage when upgrading, and make the main playbook easier to follow.

Update scripts

Update scripts and integration commands in playbook tasks to their most current version. Scripts that have updates are designated by a yellow triangle.


Note

When a script is deprecated, it is not removed from Cortex XSIAM, and playbooks that use it continue to run without error.

Remove unused playbook tasks

For production playbooks, remove playbook tasks that are not connected to the playbook workflow.
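As an added example (not code from this guide or from the Cortex XSIAM product), the following Python check applies two of the practices above, the thirty-task threshold and the removal of unconnected tasks, to an exported playbook. It assumes the export is a mapping with a top-level `starttaskid` and a `tasks` mapping whose entries link onward through `nexttasks`; the sample playbook is constructed for illustration.

```python
"""Lint a playbook export against two best practices: at most thirty
tasks, and no tasks left unconnected from the workflow. Added example;
the "starttaskid" / "tasks" / "nexttasks" layout is an assumption about
the export format, and SAMPLE_PLAYBOOK below is constructed."""
from collections import deque

MAX_TASKS = 30  # threshold given in the guide: split larger playbooks

def reachable_tasks(playbook):
    """Return the ids of tasks reachable from the start task via nexttasks."""
    tasks = playbook["tasks"]
    seen = set()
    queue = deque([playbook["starttaskid"]])
    while queue:
        tid = queue.popleft()
        if tid in seen or tid not in tasks:
            continue  # already visited, or a dangling reference
        seen.add(tid)
        # nexttasks maps a branch label (e.g. "#none#", "yes", "no") to a list of task ids
        for targets in tasks[tid].get("nexttasks", {}).values():
            queue.extend(targets)
    return seen

def lint_playbook(playbook):
    """Return human-readable findings: oversize playbook, unconnected tasks."""
    findings = []
    tasks = playbook["tasks"]
    if len(tasks) > MAX_TASKS:
        findings.append(f"{len(tasks)} tasks: consider splitting into sub-playbooks")
    for tid in sorted(set(tasks) - reachable_tasks(playbook)):
        name = tasks[tid].get("task", {}).get("name", "<unnamed>")
        findings.append(f"task {tid} ({name}) is not connected to the workflow")
    return findings

# Constructed sample: task "3" points into the flow but nothing links to it,
# so it never runs and should be removed before the playbook goes to production.
SAMPLE_PLAYBOOK = {
    "starttaskid": "0",
    "tasks": {
        "0": {"type": "start", "nexttasks": {"#none#": ["1"]}},
        "1": {"task": {"name": "Extract indicators"}, "nexttasks": {"#none#": ["2"]}},
        "2": {"task": {"name": "Enrich indicators"}, "nexttasks": {}},
        "3": {"task": {"name": "Old notify step"}, "nexttasks": {"#none#": ["2"]}},
    },
}
```

Run `lint_playbook(SAMPLE_PLAYBOOK)` to list the findings for the sample; a chain of more than thirty tasks additionally triggers the sub-playbook recommendation.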