Customize your playbook - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Customize your playbook to extract indicators, extend context, add incident fields, filter and transform data, run scripts, and perform triggered actions, sub-playbook loops, and polling.

You can customize your playbook to do the following.

Custom action

Description

Add a sub-playbook

Sub-playbooks are playbooks that are nested under other playbooks.

Filter and transform data

Filters extract relevant data to help focus on relevant information and discard irrelevant or unnecessary data.

Transformers take one value and transform or render it to another value or format.

Use scripts

Perform specific automated actions using commands which are also used in playbook tasks and in the War Room.

Configure script error handling.

Extract indicators

Extract indicators from alert fields and enrich them using commands and scripts defined for the indicator type.

Extended context

Save additional data from the raw response of commands that return data.

Create alert fields

Use the setAlert script to set and update all system alert fields.

Perform triggered actions

Create conditions so if an alert with specific characteristics is created, a suitable response is issued via a playbook.

Use playbook polling

Configure a playbook to stop and wait for a process to complete on a third-party product, and continue when it is done.