Create a conditional task - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide
Abstract

Create a conditional task in a playbook.

Conditional tasks are used for determining different paths for your playbook. For example, in a playbook for handling phishing emails, a conditional task can be used to check if an email contains suspicious attachments. If the attachment is identified as malicious, the playbook can automatically quarantine the email; otherwise, it can proceed to manual review by a security analyst.

Conditional task types

You can create different types of conditional tasks.

  • Built-in: Creates a logical statement using an entity from within the playbook. For example, in an access investigation playbook, you can determine that if the Asset ID of the person whose account was being accessed exists in a VIP list, set the incident severity to High. Otherwise, proceed as normal.

  • Manual: Creates a conditional task that must be manually resolved. For example, a security analyst is prompted to review and validate a suspicious file. The playbook task might involve instructions for the analyst to analyze the file, determine if it is malicious, and provide feedback or take specific actions based on their assessment.

  • Ask: Creates a single-question survey communication task, the answer to which determines how a playbook proceeds. For more details about ask tasks, see Create a communication task.

  • Choose script: Creates a conditional task based on the result of a script. For example, check if an IP address is internal or external using the IsIPInRanges script. When using a script, the inputs and outputs are generated by the automation script.
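As an added illustration (not part of this guide, and not the real IsIPInRanges script or the Cortex automation SDK), the following plain Python shows the logic a Choose script conditional task relies on: the script produces an output value, here `InRange` set to `yes` or `no`, and the task branches on that value. The internal range list and the sample IPs are constructed for the example.

```python
import ipaddress

# Constructed sample: the internal ranges a playbook might hand to the
# conditional task's script (RFC 1918 blocks; not taken from any real deployment).
INTERNAL_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def is_ip_in_ranges(value, ip_ranges):
    """Return script-style outputs for one IP: {"Address": ..., "InRange": "yes"|"no"}.

    An unparsable IP or range is reported as "no" instead of raising, so the
    playbook always lands on a defined branch rather than an errored task.
    """
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return {"Address": value, "InRange": "no", "Error": "invalid IP address"}
    for cidr in ip_ranges:
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=False)
        except ValueError:
            continue  # skip a malformed range rather than failing the whole check
        if ip.version == net.version and ip in net:
            return {"Address": str(ip), "InRange": "yes"}
    return {"Address": str(ip), "InRange": "no"}


def choose_branch(outputs):
    """Route the way the conditional task does: one label per playbook path."""
    return "internal" if outputs.get("InRange") == "yes" else "external"


def route_ips(values, ip_ranges=INTERNAL_RANGES):
    """Evaluate several IPs (for example an alert's indicators) and map each to its branch."""
    return {v: choose_branch(is_ip_in_ranges(v, ip_ranges)) for v in values}


if __name__ == "__main__":
    for ip, branch in route_ips(["10.1.2.3", "8.8.8.8", "not-an-ip", "192.168.0.1"]).items():
        print(f"{ip:>14} -> {branch}")
```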

How to create a conditional task
  1. In a playbook, click + Create Task.

  2. Select the Conditional option.

  3. In the Task Name field, type a meaningful name for the task that corresponds to the data you are collecting.

  4. Select the relevant conditional task option. Some field configurations are required, and some are optional.

  5. Click Save.