Develop your playbook

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2025-04-21
Category: Administrator Guide

Abstract: Use an out-of-the-box playbook, create a new playbook, or customize an existing one based on your organization's needs.

When developing your playbook, you can either customize an existing out-of-the-box playbook from a content pack or create a new playbook from scratch.

Developing a new playbook from scratch gives you a solution tailored to your use case, whereas customizing an out-of-the-box playbook can save time, reduce complexity, and be a more efficient way to meet your organization's specific security and alert response needs.

Follow these steps to develop a playbook.

| Task | Description | See More |
|------|-------------|----------|
| Task 1. Choose from out-of-the-box playbooks or customize your own | Search for an out-of-the-box playbook to use, customize it, or create one based on your needs. | See topic. |
| Task 2. Configure playbook settings | Define playbook metadata, such as the name of the playbook, who can edit and run the playbook, and whether Quiet Mode is turned on. | See topic. |
| Task 3. Add tasks | Build your playbook by adding tasks that enable you to run scripts and sub-playbooks, communicate with end users, set conditions, and store relevant data. Define inputs and outputs for your tasks. | See topic. |
| Task 4. Add custom playbook features | Customize your playbook, including adding scripts, sub-playbooks, filtering and transforming data, extracting indicators, extending context, setting and updating alert fields, and polling. | See topic. |
| Task 5. Test and debug the playbook | Set breakpoints and conditional breakpoints, skip tasks, and apply input and output overrides in the playbook debugger. | See topic. |
| Task 6. Manage playbook content | Save versions of your playbook in Cortex XSIAM, or manage your playbook content development and testing using a remote repository. | See topic. |