Create a data collection task - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-11-12
Category
Administrator Guide
Abstract

Create a data collection task in a Cortex XSIAM playbook. Multi-question survey (form), responses are recorded in the incident’s context data.

The Data Collection task is a multi-question survey (form), which recipients access from a link in the message.

You can include the following types of questions in the survey.

  • Stand alone questions. These are presented to users directly in the message, and from which users answer directly in the message (not an external survey).

  • Field-based questions. These are based on a specific alert field (either system or custom), for example, an Asset ID field. The response (data) received for these fields automatically populates the field for this alert. For single select field based questions, the default option is taken from the field’s defined default.

You can collect responses in custom fields.

Note

If responses are received from multiple users, data for multi-select fields and grid fields are aggregated. For all other field types, the response received most recently will override previous responses as it displays in the field. All responses are always available in the context data.

If the playbook was installed from a content pack, duplicate or detach the playbook, before creating a data collection task.

  1. In a playbook, click +.

  2. Select the Data Collection option.

  3. Enter a meaningful name in the Task Name field for the task that corresponds to the data you are collecting.

  4. Select the communication options you want to use to collect the data.

    • The Task option is selected by default. The data collection survey can be completed directly in the workplan.

    • If you select Generated link, a link to the data collection survey is available in the context data of the task.

    • If you select Email, enter the subject and message of the email and the email addresses of the users who should receive this message or survey.

      data-collection-task-1-4.png
    • Some integrations can be used to collect data for Data Collection tasks, such sa Microsoft Teams and Slack. If any of these integrations are installed, it will appear as an option.

  5. In the Questions tab, type the questions and answer types that the survey will contain.

    You can drag and drop questions to rearrange the order in which they display in the survey.

  6. (Optional) To customize the look and feel of your email message, click Preview.

    You can determine the color scheme and how the text in the message header and body appear, as well as the appearance and text of the button the user clicks to submit the survey.

  7. In the remaining fields, add any timing, details about the task and whether to extract indicators, etc., as required.