Sub-Playbook Loop Example

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2023-11-02
Last date published: 2024-02-21
Category: Administrator Guide
Abstract

This example illustrates the use of a sub-playbook loop using the Cortex XDR Investigation and Response integration.

This example shows how a sub-playbook loop works using the Palo Alto Networks Cortex XDR - Investigation and Response integration. Sub-playbooks are playbooks that are nested under other playbooks. They appear as tasks in the parent playbook flow and are marked with the sub-playbook icon. A sub-playbook can itself be a parent playbook of other sub-playbooks.

After you install the Palo Alto Networks Cortex XDR - Investigation and Response content pack, configure the Palo Alto Networks Cortex XDR - Investigation and Response integration to fetch incidents. By default, the integration uses the Cortex XDR classifier, which automatically classifies Cortex XDR incident types. In this example, we use the Cortex XDR incident type, which runs the Cortex XDR incident handling v3 playbook.

Note

Ensure that the integration fetches incidents.

  1. Go to Incidents, open a Cortex XDR incident, and go to the Work Plan tab.

    You can see that the incident uses the Cortex XDR incident handling v3 playbook.

  2. The playbook starts by retrieving the incident data from Cortex XDR and searching for similar incidents by field values. If similar incidents are found, the analyst can close them as duplicates.

  3. If the alert is not a duplicate, the playbook continues to the Loop on alert id - Alert enrichment task.

  4. The playbook runs the Cortex XDR Alerts Handling sub-playbook in a loop, categorizing and enriching each alert until all alerts have been processed.

    • Under the Inputs Results tab, you can see the alert_ID that the playbook is currently processing.


      To view the looping settings, go to Playbooks and open the Cortex XDR Alerts Handling playbook. In the Inputs tab, you can see that the playbook's inputs are the incident and alert IDs. In the Loop tab, the For Each Input option is selected. This means the sub-playbook runs once per value of the defined playbook inputs until every value has been processed.

    • The playbook determines whether the alert is malware, a port scan, or anything else, and enriches it according to that category.

      If the alert is malware, the Malware sub-playbook runs.

      If the alert is a port scan, the port scan sub-playbook runs.

      If the alert is neither malware nor a port scan, the playbook completes the processing without running either sub-playbook.

    • The applicable sub-playbook processes the enriched information and outputs the problematic endpoints.

    • After completing the processing of one alert ID, the playbook moves on to the remaining inputs until all alert IDs have been processed (this is the loop).

    • Go to the Cortex XDR Alerts Handling playbook task and click the Results tab. You can see the information returned and the number of times the sub-playbook has looped.
