Playbook triggers - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Create a playbook trigger

In the Playbook Triggers page (Incident Response → Incident Configuration → Playbook Triggers), create your playbook trigger from a playbook. After you create a trigger, the next time an alert is triggered, the playbook runs automatically.

Add a Recommended Playbook Trigger

In the Playbook Triggers page, add a playbook trigger from the Playbook Trigger Recommendations table. These playbooks are recommended to run whenever the alert is triggered. These recommendations are part of the Core - Investigation and Response content pack and are designed for Ransomware, WildFire, IOC Alerts, etc. Before adding them to the Playbook Triggers table you can view the playbooks in more detail. If you want to add these triggers you need to add them to the Playbook Triggers table and then save your changes. The next time an alert is triggered, the playbook trigger filter is created.

Add the Playbook Trigger after resolving an incident.

In some cases, Cortex XSIAM recommends a playbook to run in the alert. An analyst may want to investigate an alert that has an out-of-the-box playbook available, but since this playbook is not connected to the incident or alert, Cortex XSIAM recommends the relevant playbook. If you have not added the recommended trigger to the Playbook Trigger table, you have the option of adding a playbook trigger after resolving the incident, so the next time an alert is ingested with similar criteria, the playbook trigger filter is created.

For example, the Core - Investigation and Response content pack includes several playbooks, such as Impossible Traveler, Ransomware, Wildfire Malware, T1036 - Masquerading, etc. Once the content pack is installed, if any alerts are relevant for these playbooks, Cortex XSIAM recommends a playbook to run in this alert.

In the following example, we have set up a BIOC rule based on the MITRE technique T1036 Masquerading.

Cortex XSIAM ingests an alert from the Agent and detects the BIOC Rule.  In the Alert Work Plan tab, Cortex XSIAMrecommends using the Masquerading playbook, which is based on the MITRE 1036 technique. If you want more information about the playbook or want to run the playbook, select Preview Playbook. If you do not want to run the recommended playbook, select a different one.

When you mark the incident as resolved, you are prompted to create a playbook trigger.

After clicking Playbook Triggers, you can review which playbook Triggers to add in the Recommended Triggers for Alerts in this Incident table, so the next time a similar alert is ingested, the playbook filter is created.

You do not need to run the recommended playbook in the Alert for the trigger to appear in the Recommended Triggers for Alerts in this Incident table. If you use a playbook that is not recommended, it does not appear in the table.

Set the priority of the playbook triggers, so when an alert is ingested, the first trigger takes priority, then the second, third, etc.

All recommended playbook triggers that are added (from the incident or the trigger table) are added to the top of the Playbook Triggers table. New triggers created manually are added to the bottom of the table.

View details of the triggers that have been created.

By default, you can see the playbook name and trigger criteria, the playbook, and the creation dates and source. You can add columns and filters as required. When right-clicking a playbook trigger, you can edit the trigger, and the playbook, delete, copy, or copy text.