Playbook tasks - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-25
Category
Administrator Guide
Abstract

Cortex XSIAM playbook tasks, including conditional tasks and communication tasks.

Tasks are the building blocks of playbooks. Cortex XSIAM supports different task types for the different aspects of the playbook. Each task type requires different information and provides different capabilities. You should choose your task type based on what you want to accomplish in the task. For example, for enrichment, you might want to run an enrichment sub-playbook or a command that returns additional information for an indicator.

Task Types

Playbooks support the following task types:

  • Standard tasks

    Standard tasks range from manual tasks, such as creating an alert or escalating an existing one, to automated tasks, such as parsing a file or enriching indicators. Automated tasks are based on scripts that exist in the system: either scripts you created yourself or commands that ship with an integration. For example, the !ad-get-user command retrieves detailed information about a user account using the Active Directory Query V2 integration.

  • Conditional tasks

    Conditional tasks act as the decision points in your flow chart. For example, a conditional task may ask whether indicators were found. If yes, the next task can enrich them; if not, the playbook can proceed to determine that the incident is not malicious. Alternatively, you can use a conditional task to check whether a certain integration is available and enabled in your system. If it is, the playbook uses that integration to perform an action; if not, it continues on a different branch of the decision tree.

    Conditional tasks can also be used to communicate with users through a single question survey, the answer to which determines how a playbook will proceed.

  • Data collection

    Data collection tasks are used to interact with users through a survey. The survey resides on an external site that does not require authentication, so recipients can respond without logging in. Because anyone holding the survey link can submit a response, treat the answers as untrusted input in the tasks that consume them.

    All responses are collected and recorded in the alert's context data, whether you receive responses from a single user or from multiple users. This enables you to use the survey questions and answers as input for subsequent playbook tasks.

    Note

    You can collect responses in custom fields, for example, a Grid field.

  • Section headers

    Section Headers are used to manage the flow of your playbook and help you organize your tasks efficiently. You create a Section Header task to group a number of related tasks under the Section Header, as you would items in a warehouse or topics in a book.

    For example, in a phishing playbook, you would have different sections for the investigative aspect of the playbook, such as indicator enrichment, and the tasks for communication with the user who reported the phishing.
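The following is an added example, not a script from the Cortex XSIAM content or from this guide. It reproduces in plain Python the two decisions the conditional tasks above describe (were indicators found; is an enrichment integration enabled) and the normalisation a data collection task needs before survey answers are written to a Grid field. In a real XSIAM automation the two input dicts would come from demisto.context() and demisto.getModules() and the verdicts would be returned through demisto.results(); here they are constructed inline so the script runs offline. The DBotScore shape is the standard context shape; the Survey.Responses path, the instance names and the responders are assumptions made for the example. Because the survey link is unauthenticated, the last function treats every answer as untrusted and only keeps allow-listed values.

```python
"""Branch and data-collection helpers modelled on Cortex XSIAM playbook tasks.

Added example (not XSIAM's own code). In a real automation the dicts below
come from demisto.context() and demisto.getModules(); they are constructed
here so the script runs stand-alone.
"""
from typing import Any

# Constructed sample alert context, shaped the way context looks after an
# enrichment command wrote DBotScore entries. The "Survey" path is assumed.
SAMPLE_CONTEXT: dict[str, Any] = {
    "DBotScore": [
        {"Indicator": "198.51.100.7", "Type": "ip", "Score": 3, "Vendor": "Example"},
    ],
    "Survey": {
        "Responses": [
            {"Sender": "alice@example.com", "Question": "Did you click the link?", "Answer": "Yes"},
            {"Sender": "bob@example.com", "Question": "Did you click the link?", "Answer": "maybe"},
            {"Sender": "eve@example.com", "Question": "Did you click the link?",
             "Answer": "<script>alert(1)</script>"},  # hostile input via the open survey link
        ]
    },
}

# Constructed sample of what demisto.getModules() returns: one entry per
# configured integration instance, keyed by instance name (names assumed).
SAMPLE_MODULES: dict[str, dict[str, str]] = {
    "Active Directory Query v2_instance_1": {"brand": "Active Directory Query v2", "state": "active"},
    "VirusTotal_instance_1": {"brand": "VirusTotal (API v3)", "state": "disabled"},
}


def indicators_found(context: dict[str, Any], min_score: int = 1) -> str:
    """Conditional-task verdict: 'yes' if any DBotScore entry reaches min_score."""
    scores = context.get("DBotScore") or []
    if isinstance(scores, dict):  # a single entry is stored as a dict, not a list
        scores = [scores]
    return "yes" if any(int(s.get("Score", 0)) >= min_score for s in scores) else "no"


def integration_enabled(modules: dict[str, dict[str, str]], brand: str) -> str:
    """Conditional-task verdict: 'yes' if an active instance of `brand` exists."""
    for inst in modules.values():
        if inst.get("brand") == brand and inst.get("state") == "active":
            return "yes"
    return "no"


ALLOWED_ANSWERS = frozenset({"yes", "no"})


def survey_to_grid(context: dict[str, Any], allowed=ALLOWED_ANSWERS) -> list[dict[str, str]]:
    """Normalise data-collection responses into rows for a Grid field.

    The survey is unauthenticated, so answers are untrusted: only allow-listed
    values are kept, and anything else is recorded as 'invalid' so raw text
    never reaches a field that a later task trusts.
    """
    rows: list[dict[str, str]] = []
    for r in (context.get("Survey") or {}).get("Responses") or []:
        answer = str(r.get("Answer", "")).strip().lower()
        rows.append({
            "responder": str(r.get("Sender", "")),
            "question": str(r.get("Question", "")),
            "answer": answer if answer in allowed else "invalid",
        })
    return rows


def decide_branch(context: dict[str, Any], modules: dict[str, dict[str, str]],
                  enrichment_brand: str = "VirusTotal (API v3)") -> str:
    """Chain the two verdicts the way the playbook's decision tree would."""
    if indicators_found(context) == "no":
        return "no_indicators"
    if integration_enabled(modules, enrichment_brand) == "no":
        return "enrichment_unavailable"
    return "enrich"


if __name__ == "__main__":
    print(decide_branch(SAMPLE_CONTEXT, SAMPLE_MODULES))
    for row in survey_to_grid(SAMPLE_CONTEXT):
        print(row)
```

Each verdict function returns the literal "yes" or "no" because that is the label a conditional task branches on; the branch names in decide_branch are the example's own. Rejecting rather than sanitising unexpected survey answers is deliberate: a later task that, for instance, closes the alert when the reporter answers "no" should never act on free text from an anonymous link.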