Create a Conditional Task - Playbook Design Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Playbook Design Guide

Product
Cortex XSOAR
Version
8
Creation date
2024-09-21
Last date published
2024-09-22
Category
Playbook Design Guide
Abstract

Create a conditional task in a Cortex XSOAR playbook.

Conditional tasks are used for determining different paths for your playbook. You can use conditional tasks for something simple like proceeding if a certain integration exists, or if a user account has an email address.

Alternatively, you can use conditional tasks for more complex situations. For example, if an indicator was enriched and the verdict was set to malicious, escalate the incident for managerial approval. However, if the indicator reputation is unknown or benign, proceed down a different route.

If the playbook was installed from a content pack, duplicate or detach the playbook, before creating a conditional task.

  1. In a playbook, click + (Create task).

  2. Select the Conditional option.

  3. In the Task Name field, type a meaningful name for the task that corresponds to the data you are collecting.

  4. Select the required option based on the conditional task.

    Option

    Description

    Built-in

    Creates a logical statement using an entity from within the playbook. For example, in an access investigation playbook, you can determine that if the Asset ID of the person whose account was being accessed exists in a VIP list, set the incident severity to High. Otherwise, proceed as normal.

    Manual

    Creates a conditional task that must be manually resolved. For example, a security analyst is prompted to review and validate a suspicious file. The playbook task might involve instructions for the analyst to analyze the file, determine if it is malicious, and provide feedback or take specific actions based on their assessment.

    Ask

    Creates an Ask Task, the answer to which determines how a playbook proceeds.

    Choose script

    Creates a conditional task based on the result of a script. For example, check if an IP address is internal or external using the IsIPInRanges script. When using a script, the Inputs and Outputs are defined by the script.

  5. Complete the task configuration in the remaining tabs. Some configurations are required, and some are optional.

  6. Click Save.