What is a playbook? - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2024-12-12
Category: Administrator Guide
Solution: On-prem
Abstract

Cortex XSOAR playbooks enable you to structure and automate many of your security processes. Parse incident information, interact with users, and remediate.

A playbook is a series of tasks, automations, conditions, commands, and loops that run in a predefined flow to save time and improve the efficiency and consistency of the investigation and response process. Playbooks are at the heart of Cortex XSOAR because they let you automate many security processes, including handling investigations and managing tickets. For example, a playbook task can parse the information in an incident, whether it arrived as an email body or as a PDF attachment.

Playbooks have different task types for each action you want to take. For example:

  • Use manual tasks when an analyst needs to confirm information or escalate an incident.

  • Use conditional tasks to evaluate a condition against context values or parameters and branch the playbook workflow accordingly.

  • Use communication tasks to interact with users in your organization.

  • Use automation tasks to automatically remediate an incident by interacting with a third-party integration, open tickets in a ticketing system such as Jira, or detonate a file using a sandbox.

You can also structure and automate security responses that were previously handled manually.
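As an added illustration (not from this page or from the Cortex XSOAR content repository), the following is a trimmed playbook definition in the YAML format that content packs use. It wires together three of the task types listed above: an automation task that runs the generic file reputation command, a conditional task that branches on the resulting DBotScore, a manual task that holds the flow until an analyst confirms escalation, and a second automation task that closes the investigation with the built-in closeInvestigation command. The playbook name, the task UUIDs and the close reason are constructed placeholders; layout-only fields that the playbook editor writes on export (view, note, timertriggers) are omitted, and the data-collection (communication) task type is not shown.

```yaml
# Added example, not from the Cortex XSOAR documentation or content repo.
# Task UUIDs are constructed placeholders.
id: Example - Triage file hash
version: -1
name: Example - Triage file hash
description: Enrich a file hash, branch on the verdict, ask an analyst to confirm escalation, then close.
starttaskid: "0"
tasks:
  "0":
    id: "0"
    taskid: 00000000-0000-0000-0000-000000000000
    type: start
    task:
      id: 00000000-0000-0000-0000-000000000000
      version: -1
      name: ""
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "1"
  "1":
    # Automation task: run the generic "file" reputation command on whichever
    # enabled integration implements it (no brand before the "|||").
    id: "1"
    taskid: 00000000-0000-0000-0000-000000000001
    type: regular
    task:
      id: 00000000-0000-0000-0000-000000000001
      version: -1
      name: Get file reputation
      script: '|||file'
      type: regular
      iscommand: true
      brand: ""
    scriptarguments:
      file:
        complex:
          root: File
          accessor: SHA256
    nexttasks:
      '#none#':
      - "2"
  "2":
    # Conditional task: branch on the DBot score (3 = malicious).
    id: "2"
    taskid: 00000000-0000-0000-0000-000000000002
    type: condition
    task:
      id: 00000000-0000-0000-0000-000000000002
      version: -1
      name: Is the file malicious?
      type: condition
      iscommand: false
      brand: ""
    conditions:
    - label: "yes"
      condition:
      - - operator: isEqualString
          left:
            value:
              complex:
                root: DBotScore
                accessor: Score
            iscontext: true
          right:
            value:
              simple: "3"
    nexttasks:
      '#default#':
      - "4"
      "yes":
      - "3"
  "3":
    # Manual task: no script, so the playbook waits here until an analyst
    # marks the task complete.
    id: "3"
    taskid: 00000000-0000-0000-0000-000000000003
    type: regular
    task:
      id: 00000000-0000-0000-0000-000000000003
      version: -1
      name: Confirm and escalate
      description: Review the reputation results and escalate the incident before continuing.
      type: regular
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "4"
  "4":
    # Automation task pinned to the Builtin brand: close the investigation.
    id: "4"
    taskid: 00000000-0000-0000-0000-000000000004
    type: regular
    task:
      id: 00000000-0000-0000-0000-000000000004
      version: -1
      name: Close investigation
      script: Builtin|||closeInvestigation
      type: regular
      iscommand: true
      brand: Builtin
    scriptarguments:
      closeReason:
        simple: Resolved by playbook
inputs: []
outputs: []
```

The script value `|||file` means "run the file command on any enabled integration that implements it"; prefixing a brand, as in `Builtin|||closeInvestigation`, pins the task to that one integration. A regular task with no script and `iscommand: false` is what the playbook editor presents as a manual task, and the conditional task's `#default#` branch is taken whenever no labelled condition matches, so a missing or non-malicious score skips the analyst step.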

You define the logical flow of the playbook when you design your use case. After you develop and test the playbook, it runs during investigation and response.

Note

Cortex XSOAR currently does not support the IoT Security Third-party Integrations Add-on. For more information, see the IoT Security documentation.