Playbooks - Developer Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Developer Guide

Product
Cortex XSIAM
Creation date
2023-05-01
Last date published
2024-06-04
Category
Developer Guide
Abstract

Create playbooks in the UI with the Playbook Editor to automate complex workflows in Cortex XSIAM without requiring complicated coding. Add the playbook to a content pack.

Playbooks are a series of tasks, conditions, scripts, commands, and loops that run in a predefined flow to save time and improve the efficiency and results of the investigation and response process.

Playbooks enable you to automate complex workflows in Cortex XSIAM without requiring complicated coding. Playbooks are created and edited directly in the UI, via the Playbook Editor.

The Cortex XSIAM Playbook Design Guide provides detailed information about how to build a playbook within the Cortex XSIAM UI. After the playbook is complete, it can be downloaded and added to a content pack for submission. See the Cortex XSIAM Playbook Design Guide for more information.

Playbooks can be triggered by:

  • Alerts

    Playbooks can run on incoming alerts automatically per alert type. Consider whether you need to create a new alert type as part of your content pack.

    You can add a playbook trigger to run a specific playbook for an alert with specific characteristics. For example, you can set a condition for a specific playbook to run based on the alert source, severity, or MITRE TTP. For more information, see Playbook triggers.

  • Indicator queries

    TIM playbooks can run based on indicator queries. Determine what indicator query (for example, all IP indicators retrieved from a particular feed) should be used.

  • Sub-playbooks

    A parent playbook can invoke a sub-playbook. If you use sub-playbooks, consider what inputs and outputs your playbook should support and determine the default values. See the Cortex XSIAM Playbook Design Guide for more details.

Add a Playbook to a Content Pack

Run demisto-sdk download --item-type Playbook -i "PLAYBOOK NAME" to download the playbook from your tenant into a content pack; the playbook YAML is saved under the pack's Playbooks folder.

Playbook triggers should be added to the content pack Triggers folder.

Note

Currently, Cortex XSIAM does not support exporting playbook triggers into the Content repo unless you turn on a feature flag.
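The download-and-check flow above, wrapped in a small POSIX shell script. This is an added example, not code from the page or from Palo Alto Networks. It assumes (as the page does not state) that demisto-sdk reads the tenant connection from the DEMISTO_BASE_URL, DEMISTO_API_KEY and XSIAM_AUTH_ID environment variables, that -o names the target pack directory, and that exported playbook triggers are JSON files; the pack directory and playbook name used in the usage call are placeholders.

```shell
#!/bin/sh
# Added example (not from the Cortex XSIAM Developer Guide): download one
# playbook from an XSIAM tenant into a content pack and report what landed.
# Assumed, not stated by the page: demisto-sdk reads the tenant from
# DEMISTO_BASE_URL, DEMISTO_API_KEY and XSIAM_AUTH_ID, `-o` is the pack
# directory, and triggers are exported as JSON under Triggers/.
set -eu

# Refuse to run before any network call if the tenant credentials are missing.
require_env() {
    for var in DEMISTO_BASE_URL DEMISTO_API_KEY XSIAM_AUTH_ID; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "error: $var is not set" >&2
            return 1
        fi
    done
}

# Summarise the pack: playbook YAMLs under Playbooks/, trigger JSONs under
# Triggers/. Returns 1 when no playbook YAML is present so a CI step can fail.
# Usage: check_pack_layout <pack_dir>
check_pack_layout() {
    pack_dir=$1
    playbooks=$(find "$pack_dir/Playbooks" -maxdepth 1 -name '*.yml' 2>/dev/null | wc -l | tr -d ' ')
    triggers=$(find "$pack_dir/Triggers" -maxdepth 1 -name '*.json' 2>/dev/null | wc -l | tr -d ' ')
    echo "playbooks=$playbooks triggers=$triggers"
    [ "$playbooks" -gt 0 ]
}

# Full flow: check credentials, download the playbook, then verify the pack.
# Usage: add_playbook_to_pack <pack_dir> "<playbook name>"
add_playbook_to_pack() {
    pack_dir=$1
    playbook_name=$2
    require_env
    mkdir -p "$pack_dir"
    demisto-sdk download -o "$pack_dir" -i "$playbook_name"
    check_pack_layout "$pack_dir"
}

# Placeholder pack path and playbook name; replace with your own.
# add_playbook_to_pack Packs/MyPack "My Playbook"
```

A reported triggers=0 is expected unless the feature flag from the note above is enabled on the tenant; in that case create the trigger JSON under the pack's Triggers folder yourself before running demisto-sdk validate on the pack.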