Define a standard playbook task in Cortex XSIAM.
Standard tasks can be manual tasks such as manual verification to prompt an analyst to verify the severity or classification of an alert before proceeding with automated actions. They can also be automated tasks such as parsing a file or enriching indicators.
In a playbook, click + to create a task.
Select the Standard option.
Enter a meaningful name in the Task Name field for the task that corresponds to the data you are collecting.
Select the options you want to configure for the Standard task.
Standard tasks include the following field and tabs.
Field / tab
Settings
Choose script field
From a drop down list, select a script for the playbook to run. In the following tabs you can set:
Inputs: Each script has its own set of input arguments (or none). You can set each argument to a specific value (by typing directly on the line under the argument name) or you can click the curly brackets to define a source field to populate the argument.
Outputs: Each script has its own set of output arguments (or none).
Mapping:
Map the output from a playbook task directly to an alert field.
The value for an output key populates the specified field per alert. This is a good alternative to using a task with the
setAlert
command.Note
The output value is dynamic and is derived from the context at the time that the task is processed. As a result, parallel tasks that are based on the same output may return inconsistent results.
In the Mapping tab, click Add custom output mapping.
Under Outputs, select the output parameter whose output you want to map. Click the curly brackets to see a list of the output parameters available from the script.
Under Field to fill, select the field that you want to populate with the output.
Click Save.
Advanced: Includes the following fields.
Using: Choose which integration instance will execute the command, or leave empty to use all integration instances.
Extend context: Append the extracted results of the action to the context. For example, "newContextKey1=path1::newContextKey2=path2" returns "\[path1:'aaa',path2: 'bbb', newContexKey1: 'aaa',newContextKey2:'bbb'\]"
Ignore outputs: If set to true, will not store outputs into the context (besides the extended outputs).
Execution timeout (seconds): Sets the command execution timeout in seconds.
Indicator Extraction mode: Choose when to extract indicators:
None: Do not perform indicator extraction
Inline: Before other playbook tasks
Out of band: While other tasks are running
Mark results as note
Mark results as evidence
Run without a worker
Skip this branch if this script/playbook is unavailable
Quiet Mode: When in quiet mode, tasks do not display inputs and outputs or extract indicators. Errors and warnings are still documented. You can turn quiet mode on or off at the task or playbook level.
Details: Includes the following fields.
Tag the result with: Add a tag to the task result. You can use the tag to filter entries in the War Room.
Task description (Markdown supported): Provide a description of what this task does. You can enter objects from the context data in the description. For example, in a communication task, you can use the recipient’s email address. The value for the object is based on what appears in the context every time the task runs.
Timers: Includes the following fields.
Timer.start: The trigger for starting to send a message or survey to recipients. You can change this trigger or add a trigger for Timer.stop or Timer.pause. Select the trigger timer field from the drop down.
Add Trigger: You can add other trigger timer fields from the drop down.
On Error: Includes the following fields.
Number of retries: How many times the task should retry running if there is an error. Default is 0.
Retry interval (seconds): How long to wait between retries. Default is 30 seconds.
Error handling: How the task should behave if there is an error. Options are:
Stop
Continue
Continue on error path(s)
This option configures the task to handle potential errors that may occur when executing the current task's script.
Manual task settings tab
Default assignee: Assign an owner to this task.
Only the assignee can complete the task: Stop the playbook from proceeding until the task assignee completes the task. By default, in addition to the task assignee, the default administrator can also complete the blocked task. You can also block tasks until a user with an external email address completes the task.
Task SLA: Set the SLA in granularity of weeks, days, hours, and minutes.
Set task Reminder at: Set a reminder for the task in granularity of weeks, days, hours, and minutes.
Advanced tab
Quiet Mode: Determines whether this task uses the playbook default setting for quiet mode. When in quiet mode, tasks do not display inputs and outputs or extract indicators. Errors and warnings are still documented. You can turn quiet mode on or off at the task or playbook level.
Details tab
Tag the result with: Add a tag to the task result. You can use the tag to filter entries in the War Room.
Task description (Markdown supported): Provide a description of what this task does. You can enter objects from the context data in the description. For example, in a communication task, you can use the recipient’s email address. The value for the object is based on what appears in the context every time the task runs.
Timers tab
Timer.start: The trigger for starting to send a message or survey to recipients. You can change this trigger or add a trigger for Timer.stop or Timer.pause. Select the trigger timer field from the drop down.
Add Trigger: You can add other trigger timer fields from the drop down.