Communication Tasks - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2023-11-02
Last date published: 2024-03-28
Category: Administrator Guide
Solution: Cloud
Abstract

Communication tasks in Cortex XSOAR playbooks enable you to send surveys and collect data.

Communication tasks enable you to send surveys internally and externally to users to collect data for an incident. The collected data can be used for incident analysis, and as input for subsequent playbook tasks. For example, you may want to send a scheduled survey requesting analysts to send specific incident updates, or send a single (standalone) question survey to determine how an issue was handled.

Ask Tasks

The Ask conditional task is a single-question survey, the answer to which determines how a playbook proceeds. If you send the survey to multiple users, the first answer received is used, and subsequent responses are disregarded.

Users interact with the survey directly from the message, meaning the question appears in the message and they click an answer from the message.

The survey question and the first response are recorded in the incident's context data. This enables you to use this response as the input for subsequent playbook tasks.

Because it is a conditional task, you need to create a condition for each of the answers. For example, if the survey answers include Yes, No, and Maybe, there should be a corresponding condition (path) in the playbook for each of these answers.

For all Ask conditional tasks, a link is generated for each possible answer the recipient can select. If the survey is sent to more than one user, a unique link is created for each possible answer for each recipient. By default, these links are visible in the context data of the Incident's Work Plan. The links appear under Ask.Links in the context data. To hide these links, set the comm.ask.linktocontext.enabled server configuration to false.

Data Collection Tasks

The Data Collection task is a multi-question survey (form) that survey recipients access from a link in the message. Users do not need to log in to access the survey, which is located on a separate site.

All responses are collected and recorded in the incident's context data, whether you receive responses from a single user or multiple users. This enables you to use the survey questions and answers as input for subsequent playbook tasks.

The following are examples of integrations that can use Data Collection tasks:

  • Email (EWS, Mail Sender, etc.)

  • Microsoft Teams

  • Slack

Note

You can collect responses in custom fields, for example, a Grid field.

For all Data Collection tasks, a single link is generated for each recipient of the survey. By default, these links are visible in the context data of the Incident's Work Plan. The links appear in the context data under the Links section of that survey. To hide the links, set the comm.datacollection.linktocontext.enabled server configuration to false.
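
To confirm that the two settings described under Ask Tasks and Data Collection Tasks have taken effect, you can check exported context data for leftover Links sections. The following is an added example, not code from the Cortex XSOAR documentation or product. Only the Ask.Links path and the two configuration names come from this guide; the sample context, its other key names, and the function names are assumptions constructed for illustration.

```python
# Constructed sample of exported incident context data. Only the "Ask.Links"
# path comes from the guide; all other key names and layouts are assumptions.
SAMPLE_CONTEXT = {
    "Ask": {"Links": [  # 2 recipients x 2 answers = 4 unique links
        {"recipient": "a@example.com", "option": "Yes", "link": "https://placeholder.invalid/1"},
        {"recipient": "a@example.com", "option": "No", "link": "https://placeholder.invalid/2"},
        {"recipient": "b@example.com", "option": "Yes", "link": "https://placeholder.invalid/3"},
        {"recipient": "b@example.com", "option": "No", "link": "https://placeholder.invalid/4"},
    ]},
    "IncidentUpdateSurvey": {  # hypothetical Data Collection survey name
        "Links": [  # one link per recipient
            {"recipient": "a@example.com", "link": "https://placeholder.invalid/5"},
            {"recipient": "b@example.com", "link": "https://placeholder.invalid/6"},
        ],
        "Answers": {"0": "Contained"},
    },
    "File": {"Name": "report.pdf"},
}

ASK_SETTING = "comm.ask.linktocontext.enabled"
FORM_SETTING = "comm.datacollection.linktocontext.enabled"


def find_link_sections(node, path=""):
    """Yield (dotted_path, entry_count) for every context key named 'Links'."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "Links":
                yield child, len(value) if isinstance(value, (list, dict)) else 1
            else:
                yield from find_link_sections(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_link_sections(item, f"{path}[{index}]")


def audit(context):
    """Return (path, link_count, setting_to_disable), never the URLs themselves."""
    findings = []
    for path, count in find_link_sections(context):
        # Assumption: any 'Links' section other than Ask.Links belongs to a survey form.
        setting = ASK_SETTING if path == "Ask.Links" else FORM_SETTING
        findings.append((path, count, setting))
    return sorted(findings)


if __name__ == "__main__":
    for path, count, setting in audit(SAMPLE_CONTEXT):
        print(f"{path}: {count} link(s) in context; set {setting} to false to hide")
```

The audit reports only paths and counts, so its output can be shared without exposing the response links.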