Playbook Task Fields - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.9
Creation date: 2022-09-29
Last date published: 2024-11-05
End_of_Life: EoL
Category: Administrator Guide

Abstract: All of the fields available when defining a playbook task in Cortex XSOAR.

This page lists all of the fields that are available when defining a playbook task. The fields that appear depend on the task type you select.

Manual task settings Fields

These fields are relevant for Standard tasks and Condition Manual tasks.

Name

Description

Default assignee

Assign an owner to this task.

Only the assignee can complete the task

Stop the playbook from proceeding until the task assignee completes the task. By default, in addition to the task assignee, the default administrator can also complete the blocked task. You can also block tasks until a user with an external email address completes the task.

Set task reminder

Define a reminder for the task, in weeks, days, or hours.

Field Mapping

Map output from a playbook task directly to an incident field. You can map when you select an automation in a Standard or Conditional task.

Note

The output value is dynamic and is derived from the context at the time that the task is processed. As a result, parallel tasks that are based on the same output might return inconsistent results.

  1. In the Mapping tab, click Add custom output mapping.

  2. Under Outputs, select the output parameter whose output you want to map. Click the curly brackets to see a list of the output parameters available from the automation.

  3. Under Field to fill, select the field that you want to populate with the output.

  4. Click Save.

Advanced Fields

Relevant for Standard Tasks that use an automation and Conditional tasks (Ask Tasks and automations).

Name

Description

Using

Determine which integration instance processes the script you select for this task.

Extend context

Determine which information from the raw JSON you want to add to the Context Data. This must be entered as contextKey=RawJsonOutputPath.

Ignore outputs

When selected, this takes the results from the Extend context field and overwrites existing output.

Execution timeout (seconds)

Define how long a command waits, in seconds, before it times out.

Indicator Extraction mode

Determines whether to extract indicators from this task, and if so, which method. Valid values are:

  • Use system default: Use the option defined in the system configuration.

  • None: Indicators are not automatically extracted. Use this option when you do not want to automatically extract and enrich the indicators.

  • Inline: Indicators are extracted and enriched within the task. Use this option when you need to have the most robust information available per indicator.

    This configuration slows down your system performance.

  • Out of band: Indicators are enriched in parallel (or asynchronously) to other actions. The enriched data is available within the incident; however, it is not available for immediate use in task inputs or outputs, since the information is not available in real time.

Mark results as note

Select to make the task results available as a note. When the task is executed in the War Room, the entry from that task is marked as a note automatically, which makes it easier to filter and identify entries from that task. Notes from the War Room can also be added as a section in a layout, which can then be exported.

Mark results as evidence

Select to make the task results available as evidence, which creates an evidence entry in the War Room. You can view evidence in the incident Evidence Board tab or by adding an evidence section in the layout. Evidence provides a quick overview to make it simpler to identify key pieces of information or incident artifacts. This can help you understand the security incident and actions taken.

Run without a worker

Select to execute the task without requiring a worker. When cleared, the task will only execute when there is a worker available.

Quiet Mode

Determine if this task operates in Quiet Mode. When in Quiet Mode, tasks do not display inputs and outputs, nor do they extract indicators. Errors and Warnings are still documented. You can turn Quiet Mode on or off for a given task or control Quiet Mode by what is defined at the playbook level.
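A simplified model of the Extend context and Ignore outputs fields described above, as an added example that is not Cortex XSOAR code. The raw JSON, the command outputs, the dotted-path resolution and all function names are assumptions made for illustration.

```python
# Constructed raw JSON, standing in for what an integration command returns.
RAW_JSON = {
    "result": {
        "host": {"name": "ws-0042", "ip": "10.0.0.12"},
        "verdict": "suspicious",
    }
}

# Constructed: outputs the command would write to context on its own.
COMMAND_OUTPUTS = {"Endpoint": {"Hostname": "ws-0042"}}


def parse_mapping(entry):
    """Split one 'contextKey=RawJsonOutputPath' entry into (key, path)."""
    key, sep, path = entry.partition("=")
    key, path = key.strip(), path.strip()
    if not sep or not key or not path:
        raise ValueError(f"expected contextKey=RawJsonOutputPath, got {entry!r}")
    return key, path


def resolve(raw, path):
    """Follow a dotted path through nested dicts; None if a segment is missing."""
    node = raw
    for segment in path.split("."):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def task_context(raw, outputs, entries, ignore_outputs=False):
    """Context data the task contributes under this model (an assumption).

    With ignore_outputs set, only the Extend context results are kept.
    """
    context = {} if ignore_outputs else dict(outputs)
    for entry in entries:
        key, path = parse_mapping(entry)
        value = resolve(raw, path)
        if value is not None:  # a path that matches nothing adds no key
            context[key] = value
    return context


if __name__ == "__main__":
    print(task_context(RAW_JSON, COMMAND_OUTPUTS, ["HostIP=result.host.ip"]))
    print(task_context(RAW_JSON, COMMAND_OUTPUTS, ["HostIP=result.host.ip"], True))
```
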

Details Fields

These fields apply to all tasks.

Name

Description

Tag the result with

Add a tag to the task result. You can use the tag to filter entries in the War Room or create custom searches to populate incident layout sections.

Note

You can also filter by task ID. However, task ID can change if the playbook is used as a sub-playbook.

You can use tags as a placeholder to then close with an automation for scheduling or response tasks.

Task Description

Provide a description of what this task achieves.

You can enter objects from the context data in the description. For example, in a communication task, you can use the recipient’s email address.

The value for the object is based on what appears in the context every time the task runs.

Timers Fields

Relevant for all fields.

Name

Description

Timer action

Determine which action to take when the timer is triggered. Valid values are: Start, Stop, and Pause.

Select timer field

Select the field on which the timer is applied.

On Error Fields

Relevant for Standard Tasks that use an automation and Conditional tasks that use an automation. For more information about error handling, see Handle Errors in a Playbook.

Field

Description

Number of retries

Determines how many times the script attempts to run before generating an error. Default is 0 times (no tries). To change the default, go to Settings > ABOUT > Troubleshooting and add the following server configuration (with the number of tries in the value field):

modules.execute.retries.count.maximum

Retry interval (seconds)

Determines the wait time (in seconds) between each execution of the script. Default is 30 seconds. To change the default, go to Settings > ABOUT > Troubleshooting and add the following server configuration (with the number of tries in the value field):

modules.execute.retries.interval.maximum

Error handling

Determines how a playbook task behaves if there are automation errors during execution.

  • Stop: The playbook stops if the task errors.

  • Continue: The playbook continues to execute if the task errors.

  • Continue on error path: If the task errors, the playbook continues on an error path. You have the option to create a separate, standard path or use a separate error path, which can handle all errors.

Message Body Fields

These fields are relevant for Data Collection and Ask tasks.

Field

Description

Ask by

The method for sending the message and survey. If you de-select Email, the Task Only method is enforced, meaning users can complete the survey from the Work Plan.

To

The message and survey recipients. There are several ways to define the recipients.

User role: Click inside the field to select a user role. All users assigned to the role will receive the message and survey.

Email address: Manually type email addresses for Cortex XSOAR users and/or external users.

Context: Click the context icon to define recipients from context data.

CC

The recipients of a copy of the message and survey. There are several ways to define the recipients.

User role: Click inside the field to select a user role. All users assigned to the role will receive the message and survey.

Email address: Manually type email addresses for Cortex XSOAR users and/or external users.

Context: Click the context icon to define recipients from context data.

Subject

The message subject that displays to message recipients. You can make the survey question the subject, but if you don't write the question here, you should write the question in the message body field.

Message/Message body

The text that displays in the body of the message. Although this field is optional, if you don't write the survey question in the Subject field, you should include it in the message body. This is a long-text field.

Reply Options

The answers that display in the message, which users can select directly from the message.

Require users to authenticate

Enables you to use SAML or AD to authenticate the recipient before answering. You must set up an authentication automation. For more information about SAML, see SAML 2.0.

Timing Fields

These fields are relevant for a Condition Ask task and a Data Collection task.

The configuration options in the Timing tab define the frequency that the message and survey are resent to recipients before the first response is received, and the task SLA.

Field

Description

Retry interval (minutes)

Determine the wait time between each execution of a command. For example, the frequency (in minutes) that a message and survey are resent to recipients before the response is received.

Number of retries

Determine how many times a command attempts to run before generating an error. For example, the maximum number of times a message is sent. If a reply is received, no additional retry messages will be sent.

Task SLA

Define the deadline for the task, in weeks, days, or hours.

Complete and expire automatically if (Data Collection task)

Choose to configure either of the following options, so that either one will trigger a stop to the playbook:

  1. Reaching the task SLA (with or without a reply)

  2. Received X number of replies

Complete automatically if SLA passed without a reply (Ask task)

Select this checkbox to complete the task if the SLA is breached before a reply is received. You can select yes or no.

Questions Fields

Relevant for Data Collection tasks.

Standalone questions

Field

Description

Web Survey Title

The title of the web survey.

Short Description

A short description that displays above the questions in the web survey.

Question

A question to ask recipients.

Answer Type

The field type for the answer field. Valid values are:

  • Short text

  • Long text

  • Number

  • Single Select (requires you to define a reply option)

  • Multi select/Array (requires you to define a reply option)

  • Date picker

  • Attachments

Mandatory

If this checkbox is selected for a question, survey recipients will not be able to submit the survey until they answer this question.

Help Message

The message that displays when users hover over the question mark help button for the survey question.

Placeholder

The empty value text that displays in the question's answer field.

Field-based questions

Field

Description

Question

The question that displays before the field for users to complete. This field doesn't necessarily need to be a question; it can also be a descriptive sentence explaining how users should complete the field.

Field associated with this question

The field associated with the question will automatically take all the parameters from the field definition, unless otherwise defined.

Mandatory

If this checkbox is selected for a question, survey recipients will not be able to submit the survey until they answer this question.

Help Message

The message that displays when users hover over the question mark help button for the survey question.