Alert automation - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Save time and expense by automatically investigating and taking remedial action using a playbook.

You can automate the handling of relevant alerts by running a playbook, which saves time and expense by automatically investigating and taking remedial action. Playbooks run on alerts to enrich the alert data and to combine it with other products in your security setup, assisting with the investigation. You can view the playbook that is running, or has run, in the alert Work Plan.

You can resolve incidents, or automate parts of the incident investigation and resolution workflow. Some content packs include out-of-the-box playbooks that run when a new alert is created. After you configure a playbook, when it runs in an alert it can prompt the analyst for input (in a task) to keep the remediation moving forward, so that analysts make the remediation decisions while still getting the benefits of automation.

You can run playbooks in the following ways:

  • Run a playbook automatically

    You can run a playbook in an alert automatically, as soon as the alert is created, by creating playbook triggers. Once the trigger criteria are met, the playbook runs. You can create your own playbook trigger, add a recommended playbook trigger (from a content pack in the Marketplace), or, after resolving an incident, accept the recommended playbook trigger. For more information about triggers, see Add a playbook trigger to an alert.

  • Select a playbook to run (the alert did not trigger a playbook)

    If no playbook runs automatically, you can select a recommended playbook or, if there is no recommendation, select a different playbook to run. For example, a playbook can take IP address information from one integration and enrich that IP address with information from additional integrations or sources.

    Before running a recommended playbook, you can preview the playbook to decide whether to accept the recommendation.

    Note

    If you do not see a relevant playbook, ensure that you have installed the relevant content pack from Marketplace.