Jobs - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Jobs run playbooks and are either time-triggered (run at specific times) or event triggered (run when there are changes to a feed).

Jobs enable you to run playbooks based on certain events or on a specific time and date. You can define the following jobs:

  • Time triggered job: Jobs can be time triggered and run at specific times. For example, you can schedule a time triggered job that runs nightly and removes expired indicators.

  • Job triggered by delta in a feed: Jobs can be triggered according to an event and run when there are changes to a feed. For example, you can define an event triggered job to run a playbook when a specified TIM feed finishes a fetch operation for new indicators.


When configuring the playbook a job triggers, make sure the playbook closes the investigation before running a new job.

You can see how to set up a playbook to take indicators from a TIM feed in Process Indicators Using a Job Triggered By Delta in Feed. You can also Add Indicators to SIEM Using a Time Triggered Job.

In the Jobs page, you can see how many jobs are running, waiting, in error, etc. You can also take actions such as creating a new job, editing, running, disabling, etc. When you create a job, it is added to the job table and an incident is usually created. If you select the job, you can see the Work Plan and the War Room for the incident.