Playbook triggers - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Learn how to create and add a playbook trigger to an alert.

A playbook trigger is a filter on an alert that creates conditions, so if an alert with specific characteristics is created (for example by source, severity, or MITRE TTP), a suitable response is issued (via a playbook). This saves the analyst time and expense when investigating an alert.

You can create playbook triggers by doing the following:

  • Create a playbook trigger

    In the Playbook Triggers page (Incident ResponseIncident ConfigurationPlaybook Triggers), create your playbook trigger from a playbook. After you create a trigger, the next time an alert is triggered, the playbook runs automatically.


    When ingesting alerts from a third party integration such as EWS, the playbook does not run automatically. You need to create a playbook trigger to run the playbook including running any out-of-the-box playbooks.

  • Add a Recommended Playbook Trigger

    In the Playbook Triggers page, add a playbook trigger from the Playbook Trigger Recommendations table. These playbooks are recommended to run whenever the alert is triggered. These recommendations are part of the Core - Investigation and Response content pack and are designed for Ransomware, WildFire, IOC Alerts, etc. Before adding them to the Playbook Triggers table you can view the playbooks in more detail. If you want to add these triggers you need to add them to the Playbook Triggers table and then save your changes. The next time an alert is triggered, the playbook trigger filter is created.

  • Add the Playbook Trigger after resolving an incident.

    In some cases, Cortex XSIAM recommends a playbook to run in the alert. An analyst may want to investigate an alert that has an out-of-the-box playbook available, but since this playbook is not connected to the incident or alert, Cortex XSIAM recommends the relevant playbook. If you have not added the recommended trigger to the Playbook Trigger table, you have the option of adding a playbook trigger after resolving the incident, so the next time an alert is ingested with similar criteria, the playbook trigger filter is created.

    For example, the Core - Investigation and Response content pack includes several playbooks, such as Impossible Traveler, Ransomware, Wildfire Malware, T1036 - Masquerading, etc. Once the content pack is installed, if any alerts are relevant for these playbooks, Cortex XSIAM recommends a playbook to run in this alert.

    In the following example, we have set up a BIOC rule based on the MITRE technique T1036 Masquerading.


    Cortex XSIAM ingests an alert from the Agent and detects the BIOC Rule.  In the Alert Work Plan tab, Cortex XSIAMrecommends using the Masquerading playbook, which is based on the MITRE 1036 technique. If you want more information about the playbook or want to run the playbook, select Preview Playbook. If you do not want to run the recommended playbook, select a different one.

    When you mark the incident as resolved, you are prompted to create a playbook trigger.


    After clicking Playbook Triggers, you can review which playbook Triggers to add in the Recommended Triggers for Alerts in this Incident table, so the next time a similar alert is ingested, the playbook filter is created.

    You do not need to run the recommended playbook in the Alert for the trigger to appear in the Recommended Triggers for Alerts in this Incident table. If you use a playbook that is not recommended, it does not appear in the table.


Playbook triggers only apply to alerts that are grouped into incidents by the system. Most alerts with low and informational security do not allow a playbook to be automatically executed on them. However, you can run a playbook on low severity alerts manually.

After you create a playbook trigger, the trigger is added to the Playbook Triggers table. In the Playbook Triggers table, you can do the following:

  • Set the priority of the playbook triggers, so when an alert is ingested, the first trigger takes priority, then the second, third, etc.

    All recommended playbook triggers that are added (from the incident or the trigger table) are added to the top of the Playbook Triggers table. New triggers created manually are added to the bottom of the table.

  • View details of the triggers that have been created.

    By default, you can see the playbook name and trigger criteria, the playbook, and the creation dates and source. You can add columns and filters as required. When right-clicking a playbook trigger, you can edit the trigger, and the playbook, delete, copy, or copy text.

Scope-based access control for playbook triggers

Playbook Triggers support SBAC (scoped based access control). The following parameters are considered when editing a trigger:

  • If Scoped Server Access is enabled and set to restrictive mode, you can edit a playbook trigger if you are scoped to all tags in the trigger.

  • If Scoped Server Access is enabled and set to permissive mode, you can edit a playbook trigger if you are scoped to at least one tag listed in the trigger.

  • As a scoped user that has editing permissions to a trigger, you can change the order among other triggers that are locked.

  • If a rule was added when set to restrictive mode, and then changed to permissive (or vice versa), you will only have view permissions.