Manage playbook settings

Cortex XSIAM Playbook Design Guide

Product
Cortex XSIAM
Creation date
2023-05-29
Last date published
2024-09-01
Category
Playbook Design Guide
Abstract

Manage Cortex XSIAM playbook settings, including role access, which alert types trigger the playbook, and the Quiet Mode options.

You can manage general playbook settings such as the name of the playbook, who can edit and run the playbook, and whether Quiet Mode is turned on.

  1. Go to Incident Response > Automation > Playbooks and click the playbook that you want to manage.

  2. If it is a content pack playbook, detach or duplicate the playbook by clicking the ellipsis icon.

    If you detach the playbook and want to keep any changes, ensure that you duplicate the playbook before reattaching.

  3. Click Edit.

  4. Click the settings wheel icon.

  5. Edit the following settings as required.

    1. In the BASIC section, change the name and description.

      Note

      You cannot change the name of a detached playbook.

    2. Add any tags as required by either typing a new tag or selecting from the dropdown list.

      Tags help you search for a particular playbook, such as Malware.

    3. If you want to disable a playbook, click the Enabled checkbox to clear it.

      If disabled, you cannot associate it with an alert or an alert type.

    4. In the Advanced section, determine whether the playbook runs in Quiet Mode.

      When Quiet Mode is selected, playbook tasks do not display inputs and outputs and do not extract indicators.

      Playbook tasks are not indexed so you cannot search on the results of specific tasks. All of the information is still available in the context data, and errors and warnings are written to the War Room. Quiet Mode is recommended for scenarios that involve a lot of information that might adversely affect performance, for example, processing indicators from threat intel feeds.

      In the War Room (under the Incident War Room tab for incidents, and under the War Room tab for alerts) you can run the !getInvPlaybookMetadata command to analyze the size of playbook tasks in a specific alert Work Plan to determine whether to implement quiet mode for playbooks or tasks.

  6. Click Save all tabs.