Playbooks - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-17
Category
Administrator Guide
Abstract

Cortex XSIAM playbooks enable you to structure and automate many of your security processes. Parse incident information, interact with users, and remediate.

Playbooks are a series of tasks, conditions, automations, commands, and loops that run in a predefined flow to save time and improve the efficiency and results of the investigation and response process. They are at the heart of the Cortex XSIAM system, because they enable you to automate many security processes, including handling investigations and managing tickets. You can also structure and automate security responses that were previously handled manually. For example, a playbook task can parse the information in an incident, such as the body of an email or a PDF attachment.

Playbooks have different task types for each of the actions you want to take. For example:

  • Use manual tasks when an analyst needs to confirm information or escalate an alert.

  • Use conditional tasks to validate conditions based on values or parameters and take appropriate direction in the playbook workflow.

  • Use communication tasks to interact with users in your organization.

  • Use automation tasks to automatically remediate an incident by interacting with a third-party integration, open tickets in a ticketing system such as Jira, or detonate a file using a sandbox.
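The following is an added example, not code from Cortex XSIAM and not its playbook format. It is a deliberately small model of how the four task types above fit together in a predefined flow: an automation task parses attachment data out of an incident, a conditional task picks a branch, a manual task pauses the run until an analyst answers, and communication and automation tasks finish the branch. The task names, branch labels, helper functions, blocklist and sample incidents are all constructed for illustration; a real playbook would call integrations (sandbox, ticketing, email) where the stubs below only set fields on the incident.

```python
"""Toy model of a playbook run: a task graph walked for one incident.

Added example, not Cortex XSIAM's playbook engine or playbook format.
The four task kinds mirror the ones named on this page; the branch
labels, helper functions, sample incidents and blocklist are constructed
for illustration only.
"""
import copy
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Incident = Dict[str, object]

# Constructed "known bad" hash standing in for a threat-intel lookup (not a real sample).
BLOCKLIST = {"ab" * 16}


@dataclass
class Task:
    name: str
    kind: str                                        # manual | conditional | communication | automation
    run: Optional[Callable[[Incident], str]] = None  # conditional: returns a branch label; others: side effect
    next: Dict[str, str] = field(default_factory=dict)  # branch label -> key of the next task


@dataclass
class RunResult:
    trail: List[str]                    # task names in execution order
    status: str                         # "completed" or "waiting"
    waiting_on: Optional[str] = None    # manual task the run is paused at


def run_playbook(tasks: Dict[str, Task], start: str, incident: Incident,
                 manual_answers: Optional[Dict[str, str]] = None) -> RunResult:
    """Walk the graph from `start`; a manual task pauses the run until an analyst answer exists."""
    manual_answers = manual_answers or {}
    trail: List[str] = []
    current: Optional[str] = start
    while current is not None:
        task = tasks[current]
        trail.append(task.name)
        if task.kind == "manual":
            if task.name not in manual_answers:
                return RunResult(trail, "waiting", task.name)   # wait for the analyst
            branch = manual_answers[task.name]
        elif task.kind == "conditional":
            branch = task.run(incident)                          # label chosen from incident data
        elif task.kind in ("automation", "communication"):
            task.run(incident)
            branch = "#default#"
        else:
            raise ValueError(f"unknown task kind: {task.kind}")
        current = task.next.get(branch, task.next.get("#default#"))
    return RunResult(trail, "completed")


# --- task bodies: hypothetical stand-ins for integration calls ---
def extract_hashes(incident: Incident) -> str:
    incident["hashes"] = [a["md5"] for a in incident.get("attachments", [])]
    return "#default#"

def any_blocklisted(incident: Incident) -> str:
    incident["hits"] = [h for h in incident["hashes"] if h in BLOCKLIST]
    return "yes" if incident["hits"] else "no"

def detonate(incident: Incident) -> str:
    incident["sandbox_verdict"] = "malicious"   # a real task would call a sandbox integration
    return "#default#"

def open_ticket(incident: Incident) -> str:
    incident["ticket"] = "TICKET-0001"          # a real task would call the ticketing integration
    return "#default#"

def notify_user(incident: Incident) -> str:
    incident["notified"] = True                 # a real task would email or message the user
    return "#default#"

def close_incident(incident: Incident) -> str:
    incident["status"] = "closed"
    return "#default#"


PLAYBOOK: Dict[str, Task] = {
    "extract":  Task("Extract attachment hashes", "automation", extract_hashes, {"#default#": "check"}),
    "check":    Task("Any hash on blocklist?", "conditional", any_blocklisted, {"yes": "detonate", "no": "notify"}),
    "detonate": Task("Detonate attachment in sandbox", "automation", detonate, {"#default#": "confirm"}),
    "confirm":  Task("Analyst confirms escalation", "manual", None, {"yes": "ticket", "no": "close"}),
    "ticket":   Task("Open ticket in ticketing system", "automation", open_ticket, {"#default#": "close"}),
    "notify":   Task("Notify reporting user", "communication", notify_user, {"#default#": "close"}),
    "close":    Task("Close incident", "automation", close_incident, {}),
}

# Constructed sample incidents: one benign attachment, one whose hash is on the blocklist.
CLEAN_INCIDENT: Incident = {"attachments": [{"name": "invoice.pdf", "md5": "0" * 32}]}
BAD_INCIDENT: Incident = {"attachments": [{"name": "invoice.exe", "md5": "ab" * 16}]}


def investigate(incident: Incident, answers: Optional[Dict[str, str]] = None) -> Tuple[RunResult, Incident]:
    """Run the sample playbook on a copy of the incident; return the result and the final incident state."""
    state = copy.deepcopy(incident)
    return run_playbook(PLAYBOOK, "extract", state, answers), state


if __name__ == "__main__":
    for label, inc, ans in [("clean", CLEAN_INCIDENT, None),
                            ("bad, no analyst answer", BAD_INCIDENT, None),
                            ("bad, analyst says yes", BAD_INCIDENT, {"Analyst confirms escalation": "yes"})]:
        result, _ = investigate(inc, ans)
        print(f"{label}: {result.status} -> {' > '.join(result.trail)}")
```

Two points the model makes explicit that the list above only implies: a conditional task's output is a branch label, so every label it can return needs a matching edge (here "yes" and "no"), and a manual task leaves the run in a waiting state rather than failing, which is why the run returns where it stopped and resumes once the analyst's answer is supplied.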

Playbooks run during the investigation and response stage of the incident lifecycle. But you start defining the logical flow of your playbook during the initial planning stage when designing your use case.

Note

You can create a new playbook or update an existing playbook from a content pack.