What is a playbook? - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-13
Category
Administrator Guide
Abstract

Cortex XSIAM playbooks enable you to structure and automate many of your security processes. Parse incident information, interact with users, and remediate.

Playbooks are a series of tasks, scripts, conditions, commands, and loops that run in a predefined flow to save time and improve the efficiency and results of the investigation and response process. They are at the heart of the Cortex XSIAM system, because they enable you to automate many security processes, including handling investigations and managing tickets. For example, a playbook task can parse the information in an incident, whether it is an email or a PDF attachment.

Playbooks have different task types for each action you want to take. For example:

  • Use manual tasks when an analyst needs to confirm information or escalate an incident.

  • Use conditional tasks to validate conditions based on values or parameters and take appropriate direction in the playbook workflow.

  • Use communication tasks to interact with users in your organization.

  • Use automation tasks to automatically remediate an incident by interacting with a third-party integration, open tickets in a ticketing system such as Jira, or detonate a file using a sandbox.
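To show how the task types listed above are wired together in a playbook definition, the following is an added example, not taken from this page or from Palo Alto Networks content. It uses the YAML layout of XSIAM/XSOAR playbook content packs as assumed from public content packs; the task ids, names, and the use of the generic `file` reputation command are constructed assumptions.

```yaml
# Added illustration, not from this page: a minimal playbook in the YAML
# layout used by XSIAM/XSOAR content packs (layout assumed from public
# content, not stated on this page). Ids and names are constructed.
id: example-attachment-triage
version: -1
name: Example - Triage incident attachment
starttaskid: "0"
tasks:
  "0":
    id: "0"
    taskid: t-start
    type: start
    task: {id: t-start, name: "", type: start}
    nexttasks:
      '#none#': ["1"]
  "1":                                   # automation task: integration command
    id: "1"
    taskid: t-enrich
    type: regular
    task:
      id: t-enrich
      name: Get attachment reputation
      type: regular
      iscommand: true
      script: '|||file'                  # generic reputation command, any brand
    scriptarguments:
      file: {simple: '${File.SHA256}'}   # hash from incident context
    nexttasks:
      '#none#': ["2"]
  "2":                                   # conditional task: branch on verdict
    id: "2"
    taskid: t-verdict
    type: condition
    task: {id: t-verdict, name: "Is the attachment malicious?", type: condition}
    conditions:
    - label: "yes"
      condition:
      - - operator: isEqualString
          left: {value: {simple: '${DBotScore.Score}'}, iscontext: true}
          right: {value: {simple: "3"}}  # 3 = malicious in DBotScore
    nexttasks:
      "yes": ["3"]                       # no match: playbook ends here
  "3":                                   # manual task: analyst confirms escalation
    id: "3"
    taskid: t-escalate
    type: regular
    task: {id: t-escalate, name: "Confirm escalation to IR lead", type: regular}
```

The manual task has no script, so the work plan pauses until an analyst marks it complete; the condition task routes only on the "yes" label and ends the run otherwise.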

You can also structure and automate security responses that were previously handled manually.

You define the logical flow of your playbook when you design your use case. After developing and testing the playbook, it then runs during investigation and response.

Playbook run during investigation and response

When an alert is ingested into Cortex XSIAM, a playbook is usually attached to the incident and runs automatically. To see which playbook ran in an incident or alert, if any, go to Incident Response > Incidents and select the incident. To view or update the playbook, go to the Alerts & Insights tab, select the alert, and click Investigate > Work Plan.

On the left-hand side, you can see the name of the playbook. You can select another playbook to run from the dropdown list.