Playbook tasks - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2024-10-31
Category: Administrator Guide
Solution: On-prem
Abstract

Create playbook tasks and link them to form the playbook flow.

Tasks are the building blocks of playbooks. Cortex XSOAR supports different task types for different actions to be taken in a playbook. Each task type requires different information and provides different capabilities. Choose your task type based on what you want to accomplish in the task. For example, for enrichment, you might want to run an enrichment sub-playbook or a command that returns additional information for an indicator.

When developing a playbook, you create the relevant playbook tasks and link them to form the playbook flow. There are different task types according to the actions you want to take, and each task can receive and generate data in the form of inputs and outputs.

The following task types are available, with a description of each.

Section

Use a section header task to group related tasks to organize and manage the flow of your playbook.

Section headers can also be used for time tracking between phases in a playbook. This data can be displayed in dashboards and reports to show time trends.

For example, in a phishing playbook you would have a section for the investigative phase of the playbook such as indicator enrichment, and a section for communication tasks with the user who reported the phishing.

For more information, see Create a section header.

Standard

Standard tasks can be manual tasks such as manual verification to prompt an analyst to verify the severity or classification of an incident before proceeding with automated actions. They can also be automated tasks such as parsing a file or enriching indicators.

Automated tasks are based on scripts that exist in the system. These scripts can be created by you or provided out of the box as part of a content pack. For example, the !ad-get-user command retrieves detailed information about a user account using the Active Directory Query V2 integration.

You can also automatically remediate an incident by interacting with a third-party integration, open tickets in a ticketing system such as Jira, or detonate a file using a sandbox.

For more information, see Create a standard task.

Conditional

Use conditional tasks to validate conditions based on values or parameters and take appropriate direction in the playbook workflow, like a decision tree in a flow chart.

For example, a conditional task may ask whether indicators are found. If yes, you can have a task to enrich them; if not, you can proceed to determine that the incident is not malicious. Alternatively, you can use conditional tasks to check whether a certain integration is available and enabled in your system. If yes, you can use that integration to perform an action; if not, you can continue on a different branch in the decision tree.

Conditional tasks can also be used to communicate with users through a single question survey, the answer to which determines how a playbook will proceed.

For more information, see Create a conditional task.

Communication

Use a communication task to interact with users through a survey, for example to collect responses or escalate an incident.

Responses from a single user or from multiple users are collected and recorded in the incident context data. You can use the survey questions and answers as input for subsequent playbook tasks.

You can collect responses in custom fields, for example, a grid field.

For more information, see Create a communication task.