Add ad-hoc tasks to a Work Plan as part of your investigation

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Add ad-hoc tasks to a Work Plan in Cortex XSIAM for a specific iteration of a playbook.

As part of an alert investigation, you can add ad-hoc tasks to the Work Plan for a specific run of a playbook; the added task belongs to that playbook iteration only. A task runs either a single automation or another playbook. For example, while working through a manual task you might need to enrich some data and then run an investigation playbook.

When you create a task, give it a name and a description and select the automation or playbook it runs. Use a meaningful name and description so that the task's purpose, and the data it collects, are clear to anyone reviewing the Work Plan.

  1. On the Incidents page, select the incident to update.

  2. In the Alerts & Insights tab, click the alert to add the task to, and then click Show Workplan.

  3. In the playbook, hover over the task after which you want to add the new task and click the + sign in the bottom right-hand corner of that task.

    The ad-hoc task is inserted directly after the task you clicked.

  4. Select the task type.

    • Standard: Runs a single automation.

    • Playbook: Runs a playbook to extend the investigation.

      The playbook behaves as any playbook would, so you need to define its inputs and outputs, as well as any other details.

  5. Click Save.

  6. To run the Work Plan again with the new task, click the Work Plan tab.

Example 39. 

For a phishing investigation, after the initial playbook run has parsed the email and extracted the email addresses, you could add the Email Address Enrichment - Generic v2.1 playbook as an ad-hoc playbook task to gather more information about those addresses as part of the manual investigation.
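The following is an added example, not code from the page or from Palo Alto Networks, of the kind of automation a Standard ad-hoc task (step 4 above) could run between the parsing step and the enrichment playbook in the phishing scenario: it normalizes and de-duplicates the extracted addresses and splits them into internal, external and invalid, so that only external senders are handed to the enrichment playbook. The argument names addresses and internal_domains, the output prefix EmailTriage, the context path mentioned in the comments and the sample addresses are all assumptions; the stand-in classes in the except branch only exist so the script runs outside the platform.

```python
"""
Hypothetical Cortex XSIAM/XSOAR automation for a Standard ad-hoc task.
Added example, not from the product documentation. Argument names, the
output prefix and the sample input are assumptions.
"""
import re

try:
    # Real Cortex XSIAM/XSOAR runtime.
    import demistomock as demisto  # type: ignore
    from CommonServerPython import CommandResults, argToList, return_results  # type: ignore
except ImportError:
    # Offline stand-ins so the example runs outside the platform. The values
    # returned by args() are constructed sample input, not real incident data.
    class _DemistoStub:
        def args(self):
            return {
                "addresses": "Alice@Example.com, <bob@corp.example>, alice@example.com, bogus@@x",
                "internal_domains": "corp.example",
            }

    demisto = _DemistoStub()

    def argToList(value, separator=","):
        if not value:
            return []
        if isinstance(value, list):
            return value
        return [v.strip() for v in str(value).split(separator) if v.strip()]

    class CommandResults:
        def __init__(self, **kwargs):
            self.__dict__.update(kwargs)

    def return_results(results):
        print(results.readable_output)
        for row in results.outputs:
            print(row)

# Deliberately strict: one local part, one domain with at least one dot.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def triage_addresses(addresses, internal_domains):
    """Return {"internal": [...], "external": [...], "invalid": [...]}.

    Addresses are lower-cased, stripped of surrounding <> and whitespace,
    and de-duplicated; order of first appearance is preserved. A domain
    counts as internal if it equals, or is a subdomain of, an internal domain.
    """
    internal = {d.strip().lower() for d in internal_domains if d.strip()}
    result = {"internal": [], "external": [], "invalid": []}
    seen = set()
    for raw in addresses:
        addr = str(raw).strip().strip("<>").lower()
        if not addr or addr in seen:
            continue
        seen.add(addr)
        if not EMAIL_RE.match(addr):
            result["invalid"].append(addr)
            continue
        domain = addr.rsplit("@", 1)[1]
        is_internal = domain in internal or any(domain.endswith("." + d) for d in internal)
        result["internal" if is_internal else "external"].append(addr)
    return result


def main(args=None):
    # In the Work Plan, the task's "addresses" argument would typically be
    # mapped to the context path the parsing task populated (assumed here,
    # e.g. ${Email.Address}); "internal_domains" is supplied by the analyst.
    args = demisto.args() if args is None else args
    triaged = triage_addresses(argToList(args.get("addresses")),
                               argToList(args.get("internal_domains")))
    outputs = [{"Address": addr, "Scope": scope}
               for scope in ("external", "internal", "invalid")
               for addr in triaged[scope]]
    results = CommandResults(
        outputs_prefix="EmailTriage",
        outputs_key_field="Address",
        outputs=outputs,
        readable_output=(f"{len(triaged['external'])} external address(es) ready for "
                         f"enrichment; {len(triaged['invalid'])} invalid skipped"),
    )
    return_results(results)
    return results


# Standard XSOAR/XSIAM entry-point guard.
if __name__ in ("__builtin__", "builtins", "__main__"):
    main()
```

Run stand-alone, the script uses the constructed sample arguments and writes the triaged addresses to context under the assumed EmailTriage prefix; a following ad-hoc Playbook task can then take only the external addresses as its input, which keeps enrichment lookups off the organization's own mailboxes.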