Create a time triggered or feed triggered job in Cortex XSIAM to run a playbook.
Time triggered jobs run at predetermined times. You can schedule the job to run at a recurring time or one time at a specific date and time. For an example, see the Create jobs to process indicators example.
Select → .
Select Time triggered.
If you want the job to repeat at regular intervals, select Recurring and select the desired interval.
You can choose to run the job every X number of days, on specific days of the week, at a specific time and also choose a start date and an expiration date.
You can configure the recurring job using a cron expression. To do so, after selecting the Recurring checkbox, click Switch to Cron view and enter the expression. For help defining the cron expression, click Show cron examples after switching to cron view.
Note
To view a human readable description of a cron schedule for an existing job, click and select Job Schedule from the available columns.
If you do not want the job to repeat, select a date and time for the job to run.
Add or create any relevant tags to use as a search parameter in the system.
In the BASIC INFORMATION section, add relevant time triggered job parameters from the following:
Name: Enter a meaningful name for the job.
Owner: Assign an owner to the incident.
Role: Select the role who can access the incident.
Type: Determine the incident type created by this job.
Severity: Determine the severity of the incident that is created.
Playbook: Determine which playbook to run when this job is triggered.
Labels: Select the labels that are available in the incident type.
Phase: Select the phase of the investigation in which this incident is opened.
Details: Add details that should appear within the incident.
Attachments: Add attachments to the job.
Enter any relevant custom field parameters.
All fields that have the Add to all incident types checkbox selected appear in incident and indicator fields.
In the QUEUE HANDLING section, select one of the following response options to use if the job is triggered while a previous run of the job is active:
Notify the owner
Don’t trigger a new job run
Cancel the previous job run and trigger a new job run
Trigger a new job run and execute concurrently with the previous run
Important
We recommend that you avoid triggering a job while a previous run of the job is active. To do so, configure the playbook that the job triggers to close the investigation before a new job runs.
Select Create new job.
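The cron view and QUEUE HANDLING steps above interact: a schedule whose interval is shorter than the playbook's runtime triggers the job while a previous run is still active. The following added example (not Cortex XSIAM code) checks a schedule for that condition before you save the job; it assumes standard five-field cron syntax, which this page does not specify, and a runtime estimate you supply, and all function names are hypothetical.

```python
from datetime import datetime, timedelta

# Assumed syntax: standard 5-field cron (minute hour day-of-month month weekday).
RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]

def parse_field(field, lo, hi):
    """Expand one field ('*', '*/n', 'a-b', 'a-b/n', 'a,b') into a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            first, last = lo, hi
        elif "-" in rng:
            first, last = map(int, rng.split("-"))
        else:
            first = last = int(rng)
        if not (lo <= first <= last <= hi) or step < 1:
            raise ValueError(f"bad cron field: {field!r}")
        values.update(range(first, last + 1, step))
    return values

def parse_cron(expr):
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 space-separated fields")
    return [parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, RANGES)]

def run_times(expr, start, count):
    """Return up to `count` trigger times from `start`'s minute onward (max 1 year)."""
    minute, hour, dom, month, dow = parse_cron(expr)
    t = start.replace(second=0, microsecond=0)
    limit, out = t + timedelta(days=366), []
    while len(out) < count and t < limit:
        # Simplification: day-of-month and weekday must both match.
        # Cron weekday 0 is Sunday; isoweekday() gives 7 for Sunday.
        if (t.minute in minute and t.hour in hour and t.day in dom
                and t.month in month and t.isoweekday() % 7 in dow):
            out.append(t)
        t += timedelta(minutes=1)
    return out

def overlapping_runs(expr, start, runtime_minutes, count=20):
    """Pairs of consecutive triggers closer together than the playbook runtime."""
    times = run_times(expr, start, count)
    limit = timedelta(minutes=runtime_minutes)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a < limit]
```

A non-empty result from `overlapping_runs` means the queue handling option you selected will be exercised on those runs, so either widen the schedule or choose that option deliberately.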