Use an out-of-the-box playbook, create a new playbook, or customize an existing one based on your organization's needs.
You can use or customize an existing playbook or create a new playbook.
Search for an out-of-the-box playbook
Search for a playbook that is included out-of-the-box with Cortex XSIAM or after downloading from Marketplace.
In the Cortex XSIAM Playbooks page, use free text in the search box to search for playbooks. You can search using part or all of a playbook's name or description. You can also search for an exact match of the playbook name by putting quotation marks around the search text. For example, searching for "Block Account - Generic" returns the playbook with that name.
Search for more than one exact match by including the logical operator "or" between your search texts in quotation marks. For example, searching for "Block Account - Generic" or "NGFW Scan" returns the two playbooks with those names. Wildcards are not supported in free text search.
Tip
You can also browse Marketplace to check for out-of-the-box playbooks that you can customize for your process. For an extensive list of available out-of-the-box playbooks, see Generic Playbooks.
Customize an out-of-the-box playbook
When installing a playbook from a content pack, by default, the playbook is attached, which means that it is not editable (apart from some input values).
To edit the playbook, you need to detach it or make a duplicate. While it is detached, the playbook is not updated by the content pack. This may be useful when you want to update the playbook without breaking customization. If you want to update the playbook type through content pack updates, you need to reattach the playbook, but any changes are overridden by the content pack on upgrade. If you open an attached playbook in a tab, it can be detached from within the editor page.
If you want to keep the changes, duplicate the playbook before reattaching it.
Go to Playbooks and click + New Playbook.
Enter a name for the playbook and click Save.
A blank playbook opens with the Playbook Triggered task that holds the playbook inputs and outputs.
Note
To open multiple playbooks at the same time, edit the first playbook and then click New next to the playbook name to create a new tab. You can either create a new playbook, or add an existing one.
You can view recently modified or deleted playbooks by clicking version history for all playbooks.
You can easily navigate playbooks and focus on the parts you need to work on by collapsing and expanding playbook sections. Collapsing sections provides a condensed view of the playbook flow, reducing visual clutter and enabling quick access to specific sections. Expanding sections allows you to view or edit specific parts of a playbook while keeping the rest of the playbook compact and maintaining focus on the relevant playbook details. You can also hover over a Section Header to highlight all tasks under the section and easily identify the section scope.
To collapse and expand a section, in the Playbooks page, after selecting a playbook from the library or creating a new playbook and adding tasks, click on a section header.
When you collapse a section, you can see the number of tasks included under the section.
Click to collapse or expand the entire playbook.