Create a Playbook Trigger - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-16
Category
Administrator Guide
Abstract

Create a playbook trigger, so when an alert with specific characteristics is created, a suitable response is issued.

In the Playbook Triggers page, you can create a playbook trigger, add a recommended playbook trigger, view all playbook triggers, and change the order of priority.

  1. Select Incident ResponseIncident ConfigurationPlaybook TriggersNew Triggers.

  2. Add the following information:

    • Trigger name

    • Select a playbook to run

    • Add a meaningful description

  3. In the Alerts field, select the criteria you want to add.

In this example, there are a number of alerts that are being ingested called McAfee + Zscaler - Malware Downloaded And Dropped To Disk. These alerts are as a result of malware which was detected by the Agent. We created a custom playbook to run these alerts, so that if action is detected by the ePO, to either quarantine the machine, where the malware is detected, or if no action to close the investigation. We want to create a playbook trigger, so the next time an alert is ingested, the playbook runs automatically.

  1. Created a trigger called McAfee + Zscaler - Malware Downloaded And Dropped To Disk.

  2. Add the custom playbook.

  3. In the Alerts section, select the name McAfee + Zscaler - Malware Downloaded And Dropped To Disk alerts.

    alert-trigger.png

    The alert is added to the playbook trigger table. The next time an alert is ingested with the criteria, the playbook runs according to the playbook trigger.

    In this incident, you can see that there were 18 alerts that automatically ran 16 playbooks.

    incident-trigger.png
  4. Select one of the alerts to see that the playbook ran (Work Plan or Alert War Room).