Manage Playbook Settings - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-03-28
End_of_Life
EoL
Category
Administrator Guide
Abstract

Manage Cortex XSOAR playbook settings, including role access, which incident type triggers it, and options for Quiet Mode.

You can manage general playbook settings such as the name of the playbook, who can edit and run the playbook, and whether Quiet Mode is turned on. To change the settings, click Edit and then click the gear icon.

Note

You can update the roles and enable/disable the playbook in View mode (without clicking Edit).

You can set the playbook to Quiet Mode to improve system performance. In Quiet Mode, playbook tasks are not indexed, so you cannot search on the results of specific tasks. Entries are not written to the War Room, and inputs and outputs are not presented for Work Plan tasks. All of the information is still available in the context data, and errors and warnings are written to the War Room.

Quiet Mode is recommended for scenarios that involve a lot of information that might adversely affect performance, for example, processing indicators from threat intel feeds.

Note

When creating a new custom playbook, by default, the playbook is set to Quiet Mode.

You can run the !getInvPlaybookMetadata command to analyze the size of playbook tasks to determine whether to implement quiet mode for playbooks or tasks.

  1. From the Playbooks page, click the playbook that you want to manage.

  2. In a content pack playbook, detach or duplicate the playbook by clicking the ellipsis icon.

    If you want to reattach a playbook and keep any changes, ensure that you duplicate the playbook before reattaching.

  3. Click Edit.

  4. Click the settings wheel icon.

  5. Edit the following settings as required.

    1. In the Basic section, change the name and description.

      You cannot change the name of a detached playbook.

    2. Add any tags as required, by either typing a new tag or selecting from the dropdown list.

      Tags help you search for a particular playbook, such as Malware.

    3. In the Roles field, from the dropdown list, select the roles for which the playbook is available.

    4. If you want to disable a playbook, uncheck the Enabled checkbox.

      If disabled, you cannot associate it with an incident or incident type.

    5. In the Advanced section, determine whether the playbook runs in quiet mode.

      When Quiet Mode is selected, playbook tasks do not display inputs and outputs and do not extract indicators.

    playbook-settings.png
  6. Click Save all tabs.