Playbooks are a series of tasks, conditions, automations, conditions, commands, and loops that run in a predefined flow to save time and improve efficiency and results of the investigation and response process. They are at the heart of the Cortex XSOAR system, because they enable you to automate many security processes, including handling investigations and managing tickets. You can also structure and automate security responses that were previously handled manually. For example, a playbook task can parse the information in an incident, whether it is an email or a PDF attachment.
Playbooks have different task types for each of the actions you want to take. For example:
Use manual tasks when an analyst needs to confirm information or escalate an incident.
Use conditional tasks to validate conditions based on values or parameters and take appropriate direction in the playbook workflow.
Use communication tasks to interact with users in your organization
Use automation tasks to automatically remediate an incident by interacting with a third-party integration, open tickets in a ticketing system such as Jira, or detonate a file using a sandbox.
Playbooks run during the investigation and response stage of the incident lifecycle. But you actually start defining the logical flow of your playbook during the initial planning stage when designing your use case. At this stage you need to consider the following:
What actions do you need to take?
What conditions apply along the way? Are these conditions manual or automatic?
Do you need to include looping?
Are there any time-sensitive aspects to the playbook?
When is the incident considered remediated?
Note
You can create a new playbook or update an existing playbook from a content pack.