Configure a sub-playbook loop - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-07-16
Last date published: 2024-11-07
Category: Administrator Guide

Abstract: Configure a sub-playbook to run in a loop.

Looping uses sub-playbooks to create loops within a parent playbook. When running the loop, the values are calculated based on the context data for the sub-playbook and not the parent playbook. A loop behaves like a condition: when the exit condition is met, the playbook quits the loop and exits.

In the parent playbook (the task that contains the sub-playbook), configure when to exit the loop by selecting one of the following options:

  • For Each Input: The loop exits automatically when the last item in the input is executed.

    • If the input is a single item, the sub-playbook runs once, but if the input is a list of items (such as a list of alert IDs), the sub-playbook runs as many times as there are items in the list. Each iteration of the sub-playbook uses the next item in the list as the input.

    • If there are multiple input lists with the same number of items, the sub-playbook runs once for each set of inputs.

    • If there are multiple input lists with different numbers of items, the sub-playbook runs the first set of inputs, followed by the second, third, and so on until the end. For example:

      Input      Value
      Input x    1,2,3,4
      Input y    a,b,c,d
      Input z    9

      The first loop: 1, a, 9

      The second loop: 2, b

      The third loop: 3, c

      The fourth loop: 4, d

  • Built-in or Choose Loop Automation: The loop exits based on a condition. The playbook does not loop through the inputs but takes the inputs as a whole.
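
The For Each Input behaviour described above, modelled as an added Python example (not Cortex XSIAM code and not taken from the guide). The function names and the splitting of comma-separated strings are assumptions; inputs that run out are omitted from later iterations, following the guide's example table.

```python
from itertools import zip_longest

_MISSING = object()  # marks an input that has run out of items


def as_items(value):
    """Normalise an input value to a list: a list stays a list, a
    comma-separated string such as "1,2,3,4" is split (assumption),
    and a single item becomes a one-element list."""
    if isinstance(value, (list, tuple)):
        return list(value)
    if isinstance(value, str) and "," in value:
        return [part.strip() for part in value.split(",")]
    return [value]


def for_each_iterations(inputs):
    """Return one dict per loop iteration, holding the inputs that
    iteration receives. Inputs that have run out are left out, as in
    the guide's example (the second loop gets x and y but no z)."""
    columns = {name: as_items(value) for name, value in inputs.items()}
    rows = zip_longest(*columns.values(), fillvalue=_MISSING)
    return [
        {name: item for name, item in zip(columns, row) if item is not _MISSING}
        for row in rows
    ]


def exhausted_early(inputs):
    """Names of inputs shorter than the longest input; later
    iterations run without them, which is worth reviewing."""
    lengths = {name: len(as_items(value)) for name, value in inputs.items()}
    longest = max(lengths.values(), default=0)
    return sorted(name for name, n in lengths.items() if n < longest)


if __name__ == "__main__":
    # Constructed sample: the values from the guide's table.
    sample = {"x": "1,2,3,4", "y": "a,b,c,d", "z": "9"}
    for number, received in enumerate(for_each_iterations(sample), start=1):
        print(f"loop {number}: {received}")
    print("run out early:", exhausted_early(sample))
```

Running `exhausted_early` over a task's planned inputs before enabling the loop shows which inputs will be absent in later iterations, so the sub-playbook can be checked for tasks that depend on them.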

Note

Consider the following when adding a loop:

  • The maximum number of loops (default is 100). A high number of loops or a long wait time combined with a large number of incidents may affect performance.

  • Periodically check looping conditions to ensure they are still valid for the data set.

  • When the task input is an array, it is iterated automatically (no need to define a loop).

  1. On the Playbooks page, select the parent playbook that contains the sub-playbook task you want to run in a loop.

  2. Click Edit.

    If the playbook is installed from a content pack, you need to either detach or duplicate the playbook before editing.

  3. Select the task that contains the sub-playbook for which you want to create the loop.

  4. Click the Loop tab.

  5. Click one of the following options to define when to exit the loop:

    • None: The sub-playbook does not run multiple times.

    • Built-in: Define the following options for the built-in functions:

      Option             Description
      Exit when          Enables you to define when to exit the loop. Click {} and expand the source category. Hover over the required source and click Filter & Transform to the left of the source to manipulate the data.
      Equals (String)    Select the operator to define how the values should be evaluated.
      Max iterations     The number of times the loop should run.
      Sleep              The number of seconds to wait between iterations.

      It is recommended that you balance the number of iterations against the number of seconds to wait between iterations so you don't overload the server.

    • For each input: Runs the sub-playbook based on defined inputs. Enter the number of seconds to wait between iterations.

    • Choose Loop automation: Select the automation from the drop-down list to define when to exit the loop. The parameters that appear are applicable to the selected automation.

  6. To save the changes, click OK.