Communication tasks - Playbook Design Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Playbook Design Guide

Product: Cortex XSIAM
Creation date: 2023-05-29
Last date published: 2024-09-01
Category: Playbook Design Guide
Abstract

Communication tasks in playbooks enable you to send surveys and collect data. There are two kinds: the Ask task and the Data Collection task.

Communication tasks enable you to send surveys to users, both internal and external, to collect data for an alert. The collected data can be used for alert analysis, and also as input for subsequent playbook tasks. For example, you might want to send a scheduled survey requesting analysts to send specific incident updates or send a single (stand-alone) question survey to determine how an issue was handled.

Ask tasks

The Ask conditional task is a single-question survey, the answer to which determines how a playbook will proceed. If you send the survey to multiple users, the first answer received is used, and subsequent responses are disregarded.

Users interact with the survey directly from the message: the question appears in the message, and they answer by clicking one of the options in that same message.

The survey question and the first response are recorded in the alert's context data. This enables you to use the response as the input for subsequent playbook tasks.

Since this is a conditional task, you need to create a condition for each of the answers. For example, if the survey answers are Yes, No, and Maybe, there should be a corresponding condition (path) in the playbook for each of these three answers.

For all Ask conditional tasks, a link is generated for each possible answer the recipient can select. If the survey is sent to more than one user, a unique link is created for each possible answer for each individual recipient. These links are visible in the context data of the incident's Work Plan. The links appear under Ask.Links in the context data.
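The following Python model, added here as an illustration and not code from Cortex XSIAM, captures the Ask task behaviour described above: one link per possible answer per recipient, the first response wins, the question and answer are recorded under the Ask context key, and every answer must have a playbook path. The recipient addresses, the unguessable link tokens, and the Question, Answer and Respondent context keys are assumptions of this model, not documented XSIAM fields.

```python
import secrets
from dataclasses import dataclass, field

ANSWERS = ("Yes", "No", "Maybe")                        # answers from the page's example
RECIPIENTS = ("alice@example.com", "bob@example.com")  # constructed sample recipients


@dataclass
class AskTask:
    """Model of an Ask conditional task (illustrative, not the XSIAM implementation)."""
    question: str
    answers: tuple
    recipients: tuple
    links: dict = field(default_factory=dict)    # token -> (recipient, answer)
    context: dict = field(default_factory=dict)  # stands in for the alert's context data

    def send(self):
        """Issue a unique link for every (recipient, answer) pair; return how many."""
        for recipient in self.recipients:
            for answer in self.answers:
                # Assumption: each link carries an unguessable token, so a click can be
                # attributed to exactly one recipient and one answer.
                self.links[secrets.token_urlsafe(16)] = (recipient, answer)
        self.context["Ask"] = {"Question": self.question, "Answer": None,
                               "Links": sorted(self.links)}
        return len(self.links)

    def respond(self, token):
        """Handle a clicked link. Returns True only if it became the recorded answer."""
        if token not in self.links:
            return False  # not a link this task issued: ignore it
        if self.context["Ask"]["Answer"] is not None:
            return False  # first answer already recorded; later responses are disregarded
        recipient, answer = self.links[token]
        self.context["Ask"]["Answer"] = answer
        self.context["Ask"]["Respondent"] = recipient
        return True

    def next_branch(self, branches):
        """Pick the playbook path for the recorded answer; each answer needs a path."""
        answer = self.context["Ask"]["Answer"]
        if answer not in branches:
            raise KeyError(f"no playbook path defined for answer {answer!r}")
        return branches[answer]
```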

Data collection tasks

The Data Collection task is a multi-question survey (form) that survey recipients access from a link in the message. Users do not need to log in to access the survey, which is located on a separate site.

All responses are collected and recorded in the alert's context data, whether you receive responses from a single user or from multiple users. This enables you to use the survey questions and answers as input for subsequent playbook tasks.

The following are examples of integrations that can use Data Collection tasks:

  • Email (EWS, Mail Sender, etc.)

  • Microsoft Teams

  • Slack

Note

You can collect responses in custom fields, for example, a grid field in an alert.

For all Data Collection tasks, a single link is generated for each recipient of the survey. These links are visible in the context data of the incident's Work Plan. The links appear in the context data under the Links section of that survey.