Create a time triggered job

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-13
Category: Administrator Guide
Abstract

Create a time triggered or feed triggered job in Cortex XSIAM to run a playbook.

Time triggered jobs run at predetermined times. You can schedule the job to run at a recurring time or one time at a specific date and time. For an example, see the Create jobs to process indicators example.

  1. Select Jobs → New Job.

  2. Select Time triggered.

  3. If you want the job to repeat at regular intervals, select Recurring and select the desired interval.

    You can choose to run the job every X number of days, on specific days of the week, at a specific time and also choose a start date and an expiration date.

    You can configure the recurring job using a cron expression. To do so, after selecting the Recurring checkbox, click Switch to Cron view and enter the expression. For help defining the cron expression, click Show cron examples after switching to cron view.

    Note

    To view a human-readable description of a cron schedule for an existing job, click the settings wheel icon and select Job Schedule from the available columns.

  4. If you do not want the job to repeat, select the date and time for the job to run.

  5. Add or create any relevant tags to use as a search parameter in the system.

  6. In the BASIC INFORMATION section, add relevant time triggered job parameters from the following:

    | Name | Description |
    |------|-------------|
    | Name | Enter a meaningful name for the job. |
    | Owner | Assign an owner to the incident. |
    | Role | Select the role who can access the incident. |
    | Type | Determine the incident type created by this job. |
    | Severity | Determine the severity of the incident that is created. |
    | Playbook | Determine which playbook to run when this job is triggered. |
    | Labels | Select the labels that are available in the incident type. |
    | Phase | Select the phase of the investigation in which this incident is opened. |
    | Details | Add details that should appear within the incident. |
    | Attachments | Add attachments to the job. |

  7. Enter any relevant custom field parameters.

    All fields that have the Add to all incident types checkbox selected appear in incident and indicator fields.

  8. In the QUEUE HANDLING section, select one of the following response options to use if the job is triggered while a previous run of the job is active:

    • Notify the owner

    • Don’t trigger a new job run

    • Cancel the previous job run and trigger a new job run

    • Trigger a new job run and execute concurrently with the previous run

    Important

    We recommend that you avoid triggering a job while a previous run of the job is active. To do so, configure the playbook that the job triggers to close the investigation before a new job run starts.

  9. Select Create new job.
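
The cron schedule from step 3 and the queue handling choice in step 8 interact: if the shortest gap between two scheduled runs is shorter than the playbook's run time, the QUEUE HANDLING option decides what happens on every such trigger. The following Python check is an added example, not code from Cortex XSIAM or Palo Alto Networks; it assumes the cron view accepts standard five-field cron expressions, and `run_minutes` is your own estimate of how long the playbook takes.

```python
from datetime import datetime, timedelta

# Assumed dialect: minute hour day-of-month month day-of-week (0 = Sunday).
RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]

def expand(field, lo, hi):
    """Expand one cron field ('*', '*/n', 'a-b', 'a-b/n', 'a,b') into a set."""
    values = set()
    for part in field.split(","):
        base, _, step = part.partition("/")
        step = int(step) if step else 1
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            start, end = map(int, base.split("-"))
        else:
            start = int(base)
            end = hi if "/" in part else start
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"bad cron field {field!r}")
        values.update(range(start, end + 1, step))
    return values

def fire_times(expr, start, days=14):
    """List every minute in [start, start + days) at which expr fires."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 cron fields")
    minute, hour, dom, month, dow = (expand(f, lo, hi) for f, (lo, hi) in zip(fields, RANGES))
    dom_any, dow_any = fields[2] == "*", fields[4] == "*"
    out, t = [], start.replace(second=0, microsecond=0)
    end = t + timedelta(days=days)
    while t < end:
        cron_dow = (t.weekday() + 1) % 7  # Python Monday=0 -> cron Sunday=0
        dom_ok, dow_ok = t.day in dom, cron_dow in dow
        # Classic cron rule: if both day fields are restricted, either may match.
        day_ok = (dom_ok or dow_ok) if not (dom_any or dow_any) else (dom_ok and dow_ok)
        if t.minute in minute and t.hour in hour and t.month in month and day_ok:
            out.append(t)
        t += timedelta(minutes=1)
    return out

def overlaps(expr, run_minutes, start=datetime(2024, 1, 1)):
    """Return (shortest gap in minutes, True if a run would still be active)."""
    times = fire_times(expr, start)  # start date is a constructed sample value
    if len(times) < 2:
        return None, False  # fires at most once in the window, nothing to overlap
    gap = min((b - a).total_seconds() / 60 for a, b in zip(times, times[1:]))
    return gap, run_minutes >= gap
```

An expression such as `0,50 * * * *` looks like a roughly hourly schedule but has a 10-minute gap between the :50 and :00 runs, which is the case this check catches.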