What Are Playbooks? - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2024-09-18
Last date published
2024-09-26
Category
Administrator Guide
Solution
Cloud
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation
Abstract

Cortex XSOAR playbooks enable you to structure and automate many of your security processes. Parse incident information, interact with users, and remediate.

Playbooks are a series of tasks, conditions, automations, commands, and loops that run in a predefined flow to save time and improve efficiency and results of the investigation and response process. They are at the heart of the Cortex XSOAR system, because they enable you to automate many security processes, including handling investigations and managing tickets. You can also structure and automate security responses that were previously handled manually. For example, a playbook task can parse the information in an incident, whether it is an email or a PDF attachment.

Playbooks have different task types for each of the actions you want to take. For example:

  • Use manual tasks when an analyst needs to confirm information or escalate an incident.

  • Use conditional tasks to validate conditions based on values or parameters and take appropriate direction in the playbook workflow.

  • Use communication tasks to interact with users in your organization

  • Use automation tasks to automatically remediate an incident by interacting with a third-party integration, open tickets in a ticketing system such as Jira, or detonate a file using a sandbox.

Playbooks run during the investigation and response stage of the incident lifecycle. But you actually start defining the logical flow of your playbook during the initial planning stage when designing your use case. At this stage you need to consider the following:

  • What actions do you need to take?

  • What conditions apply along the way? Are these conditions manual or automatic?

  • Do you need to include looping?

  • Are there any time-sensitive aspects to the playbook?

  • When is the incident considered remediated?

Note

  • You can create a new playbook or update an existing playbook from a content pack.

  • Cortex XSOAR 8 currently does not support the IoT Security Third-party Integrations Add-on. For more information, see the IoT Security documentation.