Add ad-hoc tasks to a Work Plan as part of your investigation - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product
Cortex XSOAR
Version
8
Creation date
2024-03-07
Last date published
2024-11-14
Category
Administrator Guide
Solution
Cloud
Abstract

Add ad-hoc tasks to a Work Plan in Cortex XSOAR for a specific iteration of a playbook.

As part of your incident investigation, within the Work Plan you can create tasks for a specific iteration of a playbook. The task type can be an automation or another playbook. For example, within a manual task, you might need to enrich some data and run an investigation playbook.

When you create a task, add a name, automation, and description. The name and description should be meaningful so that the task corresponds to the data that you are collecting.

  1. In the Work Plan, go to the task where you want to add and click the + sign at the bottom right-hand corner of the task.

    The ad-hoc task is added after the task on which you clicked.

  2. Select the task type.

    • Standard: Runs a single automation.

    • Playbook: Runs a playbook to enhance the investigation.

      The playbook functions as any playbook would and requires you to define the inputs and outputs, as well as any other details.

  3. Click Save.

  4. To run the Work Plan again, click the Run again icon.

Example 27. 

For a phishing investigation, after the initial playbook run parses the email and extracts email addresses, as part of the manual investigation, you could use the Email Address Enrichment - Generic v2.1 playbook as an ad-hoc playbook task to get more information about these email addresses.