Add a playbook trigger to an alert - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-11-07
Category
Administrator Guide
Abstract

Learn how to create and add a playbook trigger to an alert.

A playbook trigger is a filter on an alert that creates conditions, so if an alert with specific characteristics is created (for example by source, severity, or MITRE TTP), a suitable response is issued via a playbook. This saves the analyst time and expense when investigating an alert.

In the Playbook Triggers page, you can create a playbook trigger, add a recommended playbook trigger, view all playbook triggers, and change the order of priority.

Important

Playbook triggers only apply to alerts that are grouped into incidents by the system. Most alerts with low and informational security do not allow a playbook to be automatically executed on them. However, you can manually run a playbook on low severity alerts.

After you create a playbook trigger, the trigger is added to the Playbook Triggers table. In the Playbook Triggers table, you can do the following:

  • Set the priority of the playbook triggers, so when an alert is ingested, the first trigger takes priority, then the second, third, etc.

    All recommended playbook triggers that are added (from the incident or the trigger table) are added to the top of the Playbook Triggers table. New triggers created manually are added to the bottom of the table.

  • View details of the triggers that have been created.

    By default, you can see the playbook name and trigger criteria, the playbook, and the creation dates and source. You can add columns and filters as required. When right-clicking a playbook trigger, you can edit the trigger, and the playbook, delete, copy, or copy text.