Create a communication task - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Communication tasks in playbooks enable you to send surveys and collect data, either as an ask task or as a data collection task.

Communication tasks enable you to send surveys to users, both internal and external, to collect data for an alert. The collected data can be used for alert analysis, and also as input for subsequent playbook tasks. For example, you can send a scheduled survey requesting analysts to send specific incident updates or send a single (stand-alone) question survey to determine how an issue was handled.

An ask task is a type of conditional task that sends a single question survey, the answer to which determines how a playbook proceeds. If you send the survey to multiple users, the first answer received is used, and subsequent responses are disregarded. For more information about ask task settings, see Create a conditional task.

Because this is a conditional task, you need to create a condition for each of the answers. For example, if the survey answers are Yes, No, and Maybe, there should be a corresponding condition (path) in the playbook for each of these answers.

Users interact with the survey directly from the message, meaning the question appears in the message and they click an answer from the message.

The survey question and the first response are recorded in the alert context data. This enables you to use this response as the input for subsequent playbook tasks.

For all ask conditional tasks, a link is generated for each possible answer the recipient can select. If the survey is sent to more than one user, a unique link is created for each possible answer for each individual recipient. These links are visible in the context data of the incident's Work Plan. The links appear under Ask.Links in the context data.

Example 32. Send a survey

In this example, the message and survey will be sent to recipients every hour for six hours, until a reply is received (it is repeated every 60 minutes, 6 times). The SLA is six hours. If the SLA is breached, the playbook will proceed according to the Yes condition.

[Figure: ask-timer.png]

Example 33. Send email to users

In this example, a message and survey are sent by email to all users with the Analyst role. We are not including a message body because the message subject is the survey question we want recipients to answer. There are three reply options: Yes, No, and Not sure. In the playbook, we will only add conditions for the Yes and No replies. We require recipient authentication, which must be set up before the task can use it.

[Figure: ask-task-example-email-8-4.png]
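The following is an added example, not code from the page or from Cortex XSIAM, that models the ask task behaviour described above: one unique link per recipient per answer (written to context under Ask.Links), only the first reply counted, a playbook path per answer, the hourly reminder schedule from Example 32, and the SLA-breach fallback to the Yes path. The link format, the branch names, the "default" path for an answer without a condition, and the context key names are assumptions made for this example; the recipients and question are constructed.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed data modelled on Example 33: the subject line is the question,
# three reply options, and playbook paths only for Yes and No.
QUESTION = "Was the 02:14 UTC login from the new device yours?"
ANSWERS = ("Yes", "No", "Not sure")
RECIPIENTS = ("analyst1@example.com", "analyst2@example.com")
CONDITIONS = {"Yes": "path_yes", "No": "path_no"}  # branch names are assumptions
DEFAULT_BRANCH = "path_default"                     # path for an answer with no condition (assumption)


def build_ask_links(recipients, answers, base_url="https://proxy.example.com/ask"):
    """One unguessable link per (recipient, answer) pair, as the page describes.
    The URL shape is an assumption; the product's real link format is not on the page."""
    return {(r, a): f"{base_url}/{secrets.token_urlsafe(16)}"
            for r in recipients for a in answers}


@dataclass
class AskTask:
    question: str
    answers: tuple
    recipients: tuple
    conditions: dict
    sla: timedelta
    sla_breach_answer: str      # answer assumed once the SLA is breached (Example 32: Yes)
    sent_at: datetime
    links: dict = field(init=False, default_factory=dict)
    context: dict = field(init=False, default_factory=dict)
    reminder_every: timedelta = timedelta(minutes=60)
    reminder_count: int = 6

    def __post_init__(self):
        self.links = build_ask_links(self.recipients, self.answers)
        self._by_url = {url: key for key, url in self.links.items()}
        # What the page says reaches context: the question, the per-recipient
        # per-answer links under Ask.Links, and later the first answer only.
        self.context = {"Ask": {"Question": self.question,
                                "Links": [{"Recipient": r, "Answer": a, "Link": u}
                                          for (r, a), u in self.links.items()],
                                "Answer": None}}

    def record_reply(self, url: str) -> bool:
        """Accept a reply only if it arrives through a link we issued and no reply
        has been recorded yet; every later reply, from any recipient, is disregarded."""
        key = self._by_url.get(url)
        if key is None or self.context["Ask"]["Answer"] is not None:
            return False
        recipient, answer = key
        self.context["Ask"]["Answer"] = {"Recipient": recipient, "Value": answer}
        return True

    def reminder_times(self):
        """When the message is re-sent while no reply has arrived (every 60 min, 6 times)."""
        return [self.sent_at + self.reminder_every * i
                for i in range(1, self.reminder_count + 1)]

    def next_branch(self, now: datetime):
        """Playbook path to take: the recorded answer's condition, the default path for an
        answer with no condition, the SLA-breach answer's path once the SLA has elapsed,
        or None while the task is still waiting for a reply."""
        answer = self.context["Ask"]["Answer"]
        if answer is None:
            if now - self.sent_at >= self.sla:
                return self.conditions[self.sla_breach_answer]
            return None
        return self.conditions.get(answer["Value"], DEFAULT_BRANCH)


def make_example_task(sent_at=None):
    """Ask task with the settings of Example 32 (6 h SLA, Yes on breach) and the
    question and reply options of Example 33."""
    sent_at = sent_at or datetime(2024, 3, 6, 9, 0, tzinfo=timezone.utc)
    return AskTask(QUESTION, ANSWERS, RECIPIENTS, CONDITIONS,
                   sla=timedelta(hours=6), sla_breach_answer="Yes", sent_at=sent_at)


if __name__ == "__main__":
    task = make_example_task()
    print(len(task.context["Ask"]["Links"]), "links issued")
    print(task.record_reply(task.links[("analyst2@example.com", "No")]))   # True
    print(task.next_branch(task.sent_at + timedelta(minutes=5)))           # path_no
```

Because each link is bound to one recipient and one answer, a reply through an unknown or altered link is rejected rather than mapped to a branch, and a second reply cannot overwrite the first; both properties are worth checking in your own playbook before relying on the recorded answer downstream.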

The data collection task is a multi-question survey (form) that survey recipients access from a link in the message. Users do not need to log in to access the survey, which is located on a separate site.

All responses are collected and recorded in the alert context data, whether you receive responses from a single user or from multiple users. This enables you to use the survey questions and answers as input for subsequent playbook tasks. If responses are received from multiple users, data for multi-select fields and grid fields is aggregated. For all other field types, the most recently received response overrides previous responses in the value displayed in the field. All responses remain available in the context data.

For all data collection tasks, a single link is generated for each recipient of the survey. These links are visible in the context data of the incident's Work Plan. The links appear in the context data under the Links section of that survey.

You can include the following types of questions in the survey.

  • Stand-alone questions. These are presented to users directly in the message, and users answer them from the message (not in an external survey).

  • Field-based questions. These are based on a specific alert field (either system or custom), for example, an Asset ID field. The response (data) received for these fields automatically populates the field for this alert. For single-select field-based questions, the default option is taken from the field’s defined default.
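The following is an added example, not code from the page or from Cortex XSIAM, that applies the merge rules stated above to responses from several users: multi-select and grid answers are aggregated, every other field type takes the most recently received answer, a field nobody answered keeps the field's defined default, and all raw responses stay in context. The survey fields, the two responses, and the context key names are constructed for this example.

```python
from datetime import datetime, timezone

# Field types whose answers are aggregated across responders, as the page states;
# every other type keeps the most recently received value.
AGGREGATED_TYPES = {"multi-select", "grid"}

# Constructed survey: each question is tied to an alert field (field-based questions).
SURVEY_FIELDS = {
    "affectedhosts": {"type": "multi-select", "default": []},
    "evidence":      {"type": "grid",          "default": []},
    "severity":      {"type": "single-select", "default": "Medium"},
    "notes":         {"type": "short-text",    "default": ""},
}

# Constructed responses from two recipients; "received" is when the form was submitted.
RESPONSES = [
    {"recipient": "alice@example.com",
     "received": datetime(2024, 3, 6, 10, 5, tzinfo=timezone.utc),
     "answers": {"affectedhosts": ["ws-101", "ws-102"],
                 "evidence": [{"indicator": "203.0.113.7", "type": "ip"}],
                 "severity": "High",
                 "notes": "Saw the login from the VPN range."}},
    {"recipient": "bob@example.com",
     "received": datetime(2024, 3, 6, 10, 20, tzinfo=timezone.utc),
     "answers": {"affectedhosts": ["ws-102", "srv-7"],
                 "evidence": [{"indicator": "evil.example", "type": "domain"}],
                 "severity": "Critical"}},   # bob left "notes" blank
]


def merge_responses(fields, responses):
    """Combine responses the way the page describes: multi-select and grid answers are
    aggregated across all responders; for any other field type the most recently received
    answer wins; a field nobody answered keeps the field's default."""
    merged = {name: (list(spec["default"]) if spec["type"] in AGGREGATED_TYPES
                     else spec["default"])
              for name, spec in fields.items()}
    for resp in sorted(responses, key=lambda r: r["received"]):   # oldest first
        for name, value in resp["answers"].items():
            spec = fields.get(name)
            if spec is None:
                continue                      # ignore answers to questions not in this survey
            if spec["type"] == "multi-select":
                merged[name] += [v for v in value if v not in merged[name]]   # union, order kept
            elif spec["type"] == "grid":
                merged[name] += list(value)   # rows from every responder
            else:
                merged[name] = value          # later submission overrides the earlier one
    return merged


def build_context(fields, responses):
    """What lands in the alert: the merged values (these populate the alert fields for
    field-based questions) plus every raw response, which the page says stays in context.
    The key names are assumptions for this example."""
    return {
        "DataCollection": {
            "Fields": merge_responses(fields, responses),
            "Responses": [{"Recipient": r["recipient"],
                           "Received": r["received"].isoformat(),
                           "Answers": r["answers"]} for r in responses],
        }
    }


if __name__ == "__main__":
    ctx = build_context(SURVEY_FIELDS, RESPONSES)
    for name, value in ctx["DataCollection"]["Fields"].items():
        print(f"{name}: {value}")
```

Sorting by receipt time rather than by list position matters for the "most recent wins" fields: if responses are appended to context out of order, the displayed value would otherwise depend on ingestion order rather than on when each user actually submitted.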

How to create a Data Collection task
  1. In a playbook, click + to create a new task.

  2. Select the Data Collection option.

  3. Enter a meaningful name in the Task Name field for the task that corresponds to the data you are collecting.

  4. Select the communication options you want to use to collect the data.

  5. (Optional) To customize the look and feel of your email message, click Preview.

    You can determine the color scheme and how the text in the message header and body appear, as well as the appearance and text of the button the user clicks to submit the survey.

When sending a form in a communication task, you can configure user authentication to ensure only authorized users gain access to the form.

The authorized users are usually external users not in Cortex XSIAM, and they will not be able to access anything else in Cortex XSIAM.

If you are using NGINX as a reverse proxy with SSL termination, edit the NGINX configuration file so that the data collection links in emails can be reached through the proxy.

  1. Navigate to /etc/nginx/sites-available/ and open the NGINX configuration file.

  2. Update the file with the following configurations:

    server {
        listen 443 ssl;
        server_name <PROXY DOMAIN>;

        # TLS termination at the proxy
        ssl_certificate <path to CRT file>;
        ssl_certificate_key <path to KEY file>;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass https://<XSOAR DOMAIN>;
            # Rewrite the session cookie domain so the browser sends it back to the proxy
            proxy_cookie_domain <XSOAR DOMAIN> <PROXY DOMAIN>;
            proxy_pass_header Set-Cookie;
            # Pass the client address and the original scheme to the upstream
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
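The following is an added example, not code from the page or from Cortex XSIAM, that checks a server block like the one above for the settings the data collection links depend on (cookie domain rewrite, Set-Cookie passed through, X-Forwarded-Proto, proxy_pass target) and for the TLS versions the page's configuration allows, and that flags placeholders left unreplaced. The filled-in domains and certificate paths are constructed values, and the simple directive parser is only meant for a server block of this shape.

```python
import re

# The server block from the page, with its placeholders filled in with constructed values.
PROXY_CONF = """
server {
    listen 443 ssl;
    server_name proxy.example.com;

    ssl_certificate /etc/nginx/tls/proxy.crt;
    ssl_certificate_key /etc/nginx/tls/proxy.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass https://xsoar.example.com;
        proxy_cookie_domain xsoar.example.com proxy.example.com;
        proxy_pass_header Set-Cookie;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
"""

MODERN_TLS = {"TLSv1.2", "TLSv1.3"}
# One simple "name args;" directive per line; block openers and closers do not match.
DIRECTIVE = re.compile(r"^[ \t]*([A-Za-z_]+)[ \t]+([^;{}\n]*?)[ \t]*;[ \t]*$", re.MULTILINE)


def parse_directives(conf):
    """Flat list of (name, args) for the simple directives in a server block."""
    return [(m.group(1), m.group(2).split()) for m in DIRECTIVE.finditer(conf)]


def check_proxy_conf(conf, xsoar_domain, proxy_domain):
    """Return a list of findings; an empty list means the block has what the page requires."""
    findings = []
    if re.search(r"<[^>]+>", conf):
        findings.append("unreplaced <...> placeholder left in config")

    found = {}
    for name, args in parse_directives(conf):
        found.setdefault(name, []).append(args)

    protos = set(sum(found.get("ssl_protocols", []), []))
    legacy = sorted(protos - MODERN_TLS)
    if not protos:
        findings.append("ssl_protocols not set")
    elif legacy:
        findings.append(f"legacy TLS versions enabled: {legacy}")

    if ["Set-Cookie"] not in found.get("proxy_pass_header", []):
        findings.append("proxy_pass_header Set-Cookie missing: session cookie will not reach the browser")

    if [xsoar_domain, proxy_domain] not in found.get("proxy_cookie_domain", []):
        findings.append(f"proxy_cookie_domain must rewrite {xsoar_domain} to {proxy_domain}")

    headers = {args[0]: args[1:] for args in found.get("proxy_set_header", []) if args}
    if headers.get("X-Forwarded-Proto") != ["$scheme"]:
        findings.append("proxy_set_header X-Forwarded-Proto $scheme missing")

    if not any(args[:1] == [f"https://{xsoar_domain}"] for args in found.get("proxy_pass", [])):
        findings.append(f"proxy_pass should point at https://{xsoar_domain}")
    return findings


if __name__ == "__main__":
    for finding in check_proxy_conf(PROXY_CONF, "xsoar.example.com", "proxy.example.com") or ["ok"]:
        print(finding)
```

Run the check against the configuration file before reloading NGINX; a missing proxy_cookie_domain rewrite is the usual reason a recipient can open the link but is immediately bounced back to the authentication page.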