Develop your playbook - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-13
Category: Administrator Guide
Abstract

Create a new playbook or customize an existing one based on your organization's needs.

When developing your playbook, you can either customize an existing out-of-the-box playbook from a content pack or create a new playbook from scratch.

Developing a new playbook from scratch enables a tailored solution for your use case, whereas customizing an out-of-the-box playbook can save time, reduce complexity, and can be a more efficient way to meet your organization's specific security and incident response needs.

Follow these steps to develop a playbook. You can either customize an existing out-of-the-box playbook or create a new playbook.

Customize an out-of-the-box playbook

Search for a playbook that is included out-of-the-box with Cortex XSIAM or after downloading from Marketplace.

In the Cortex XSIAM Playbooks page, use free text in the search box to search for playbooks. You can search using part or all of a playbook's name or description. You can also search for an exact match of the playbook name by putting quotation marks around the search text. For example, searching for "Block Account - Generic" returns the playbook with that name.

You can also search for more than one exact match by including the logical operator "or" in-between your search texts in quotation marks. For example, searching for "Block Account - Generic" or "NGFW Scan" returns the two playbooks with those names. Wildcards are not supported in free text search.

Tip

Browse Marketplace to check for out-of-the-box playbooks that you can customize for your process. For an extensive list of available out-of-the-box playbooks, see Generic Playbooks.

Attach and detach playbooks

When installing a playbook from a content pack, by default, the playbook is attached, which means that it is not editable (apart from some input values).

To edit the playbook, you need to detach it or make a duplicate. While it is detached, the playbook is not updated by the content pack, which is useful when you want to customize the playbook without a content pack update breaking your customization. If you want to update the playbook through content pack updates, you need to reattach it, but any changes you made are overridden by the content pack on upgrade. If you open an attached playbook in a tab, you can detach it from within the editor page.

If you want to keep the changes, duplicate the playbook before reattaching it.

Create a playbook
  1. Go to Playbooks and click + New Playbook.

  2. Enter a name for the playbook and click Save.

    A blank playbook opens with the Playbook Triggered task that holds the playbook inputs and outputs.

Note

To open multiple playbooks at the same time, edit the first playbook and then click New next to the playbook name to create a new tab. You can either create a new playbook, or add an existing one.

Configure playbook settings as relevant, including:

  • Name and description

  • Tagging

  • Access

  • Whether to run the playbook in Quiet Mode

For more information, see Configure the general playbook settings.

Depending on the task type that you select, and the script that you are running, your playbook task may have inputs and outputs.

Inputs are pieces of data that are available to the playbook or task. They are often manipulated or enriched to produce outputs. Outputs are objects whose entries serve subsequent tasks throughout the playbook; they can be derived from the result of a task or command.

At the beginning of any playbook, click the Playbook Triggered task and enter the playbook inputs and outputs, grouping them as relevant.

For more information, see Playbook inputs and outputs.

Playbook tasks are the building blocks of playbooks. Tasks enable you to run scripts and sub-playbooks, communicate with end users, set conditions, and store relevant data.

Once you add tasks to your playbook, connect the tasks in their logical order by dragging and dropping a wire from one task to another.

Task types and their descriptions:

Section

Use a section header task to group related tasks to organize and manage the flow of your playbook.

Section headers can also be used for time tracking between phases in a playbook. This data can be displayed in dashboards and used to report time trends.

For example, in a phishing playbook you would have a section for the investigative phase of the playbook such as indicator enrichment, and a section for communication tasks with the user who reported the phishing.

For more information, see Create a section header.

Standard

Standard tasks can be manual tasks such as manual verification to prompt an analyst to verify the severity or classification of an alert before proceeding with automated actions. They can also be automated tasks such as parsing a file or enriching indicators.

Automated tasks are based on scripts that exist in the system. These scripts can be created by you or come out-of-the-box as part of a content pack. For example, the !ad-get-user command retrieves detailed information about a user account using the Active Directory Query V2 integration.

You can also automatically remediate an incident by interacting with a third-party integration, open tickets in a ticketing system such as Jira, or detonate a file using a sandbox.

For more information, see Create a standard task.

Conditional

Use conditional tasks to validate conditions based on values or parameters and take appropriate direction in the playbook workflow, like a decision tree in a flow chart.

For example, a conditional task may ask whether indicators are found. If yes, you can have a task to enrich them, and if not you can proceed to determine that the incident is not malicious. Alternatively, you can use conditional tasks to check if a certain integration is available and enabled in your system. If yes, you can use that integration to perform an action, and if not, you can continue on a different branch in the decision tree.

Conditional tasks can also be used to communicate with users through a single question survey, the answer to which determines how a playbook will proceed.

For more information, see Create a conditional task.

Communication

Use a communication task to interact with users through a survey, for example to collect responses or escalate an alert.

All responses are collected and recorded in the alert context data, from a single user or multiple users. You can use the survey questions and answers as input for subsequent playbook tasks.

You can collect responses in custom fields, for example, a grid field.

For more information, see Create a communication task.

You can customize your playbook with the following custom actions.

Add a sub-playbook

Sub-playbooks are playbooks that are nested under other playbooks.

Filter and transform data

Filters extract relevant data to help focus on relevant information and discard irrelevant or unnecessary data.

Transformers take one value and transform or render it to another value or format.

Use scripts

Perform specific automated actions using commands, which are also used in playbook tasks and in the War Room.

Configure script error handling.

Extract indicators

Extract indicators from alert fields and enrich them using commands and scripts defined for the indicator type.

Extended context

Save additional data from the raw response of commands that return data.

Create alert fields

Use the setAlert script to set and update all system alert fields.

Perform triggered actions

Create conditions so that when an alert with specific characteristics is created, a suitable response is issued via a playbook.

Use playbook polling

Configure a playbook to stop and wait for a process to complete on a third-party product, and continue when it is done.
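As an added example (not code from this page or from Cortex XSIAM), the following Python models the chain described above for inputs and outputs, conditional tasks, and filters and transformers: a filter selects entries from the alert context, a transformer reshapes them into a value for the next task, and a conditional task picks a branch from the result. The DBotScore layout (Indicator, Type, Vendor, Score, with 3 meaning malicious) follows the common XSOAR/XSIAM context shape and is an assumption here; the context values are constructed sample data.

```python
# Added example, not Cortex XSIAM code: models a filter -> transformer ->
# conditional task chain over playbook context. The DBotScore layout is an
# assumed standard context shape; the entries below are constructed samples.
from typing import Any, Callable

# Constructed sample alert context, as a playbook task would read it.
SAMPLE_CONTEXT: dict[str, Any] = {
    "DBotScore": [
        {"Indicator": "198.51.100.7", "Type": "ip", "Vendor": "VendorA", "Score": 3},
        {"Indicator": "203.0.113.9", "Type": "ip", "Vendor": "VendorA", "Score": 1},
        {"Indicator": "example.test", "Type": "domain", "Vendor": "VendorB", "Score": 0},
        {"Indicator": "198.51.100.7", "Type": "ip", "Vendor": "VendorC", "Score": 2},
    ]
}

def get_path(context: dict[str, Any], path: str) -> list[Any]:
    """Resolve a dotted context path, always returning a list of entries."""
    value: Any = context
    for key in path.split("."):
        value = value.get(key, []) if isinstance(value, dict) else []
    return value if isinstance(value, list) else [value]

def filter_entries(entries: list[Any], predicate: Callable[[Any], bool]) -> list[Any]:
    """Filter step: keep only the context entries that satisfy the predicate."""
    return [e for e in entries if predicate(e)]

def transform_unique_values(entries: list[Any], field: str) -> list[str]:
    """Transformer step: project one field and de-duplicate, preserving order."""
    seen: set[str] = set()
    out: list[str] = []
    for e in entries:
        v = str(e.get(field, "")) if isinstance(e, dict) else ""
        if v and v not in seen:
            seen.add(v)
            out.append(v)
    return out

def malicious_indicators(context: dict[str, Any]) -> list[str]:
    """Filter DBotScore on Score == 3 (malicious), then transform to unique indicators."""
    hits = filter_entries(get_path(context, "DBotScore"),
                          lambda e: isinstance(e, dict) and e.get("Score") == 3)
    return transform_unique_values(hits, "Indicator")

def write_output(context: dict[str, Any], key: str, value: Any) -> dict[str, Any]:
    """Task output: return a new context with the value stored under its own key."""
    return {**context, key: value}

def next_branch(context: dict[str, Any]) -> str:
    """Conditional task: 'yes' when malicious indicators were found, else 'no'."""
    return "yes" if malicious_indicators(context) else "no"
```

The same indicator reported by two vendors is emitted once, and an empty or missing DBotScore path takes the "no" branch instead of raising.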

The debugger provides a test environment where you can make changes to data and playbook logic and view the results in real time to test and troubleshoot playbooks. You can see exactly what is written to the context at each step and which indicators are extracted.

For more information, see Debug your playbook.

Manage playbook content by saving versions of your playbook in Cortex XSIAM to maintain version history. For more details, see Manage playbook content.