Sub-playbook Tutorial

This tutorial walks you through a playbook to illustrate the use of a sub-playbook loop. It uses the Palo Alto Networks Cortex XDR - Investigation and Response integration, an endpoint detection and response integration that receives the alerts belonging to each incident. We configure the integration with the Cortex XDR Incident type, and we configure the Cortex XDR Incident type to automatically run the Cortex XDR incident handling v2 playbook.
  1. When an incident of type Cortex XDR Incident occurs, the Cortex XDR incident handling v2 playbook is triggered.
  2. The playbook retrieves the alerts and searches for existing incidents by their fields. If a similar incident is found, the alert is closed as a duplicate.
  3. Under the Inputs tab of the Cortex XDR Alerts Handling Task Details window, you can see the list of alerts that the playbook processes. Under the Loop tab, the For Each Input option is selected, meaning that the playbook will iterate over the alert IDs that are passed in as input. At this point, if you search for alertid in Context Data, these alert IDs appear under the initial incident.
  4. Once the Cortex XDR Alerts Handling sub-playbook runs and enriches these alert IDs, if you search for alert_id in the Context Data, the alert IDs appear under PaloAltoNetworks XDR. This will show enriched data for each of the alert IDs.
  5. Based on the enrichment, the playbook determines if the alert is malware, a port scan, or anything else.
    • If the alert is malware, the malware sub-playbook runs.
    • If the alert is a port scan, the port scan sub-playbook runs.
    • If the alert is not malware or port scan, the playbook completes the processing.
  6. The applicable sub-playbook processes the enriched information and outputs the problematic endpoints.
  7. After completing the processing of an alert ID, the playbook iterates through the remaining inputs until all alert IDs have been processed.
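To make the loop's control flow concrete, here is an added stand-alone Python model of steps 4 through 7 (example code written for this tutorial, not Cortex XSOAR or Cortex XDR code). The enriched alert records, the `category` and `endpoint` field names, and the two sub-playbook stand-ins are assumptions, constructed to mirror what the tutorial describes.

```python
"""Model of the 'For Each Input' loop over alert IDs (added example, not XSOAR code)."""
from typing import Dict, List

# Constructed sample of enriched alert data, standing in for what the tutorial
# says appears under the PaloAltoNetworks XDR context key after enrichment.
ENRICHED_ALERTS: Dict[str, dict] = {
    "1001": {"category": "Malware", "endpoint": "host-a"},
    "1002": {"category": "Port Scan", "endpoint": "host-b"},
    "1003": {"category": "Suspicious Login", "endpoint": "host-c"},
    "1004": {"category": "Malware", "endpoint": "host-a"},
}


def enrich(alert_id: str) -> dict:
    """Stand-in for the Cortex XDR Alerts Handling sub-playbook (step 4)."""
    return ENRICHED_ALERTS.get(alert_id, {"category": "Unknown", "endpoint": None})


def malware_subplaybook(alert: dict) -> List[str]:
    """Stand-in for the malware sub-playbook: returns the affected endpoints (step 6)."""
    return [alert["endpoint"]] if alert.get("endpoint") else []


def port_scan_subplaybook(alert: dict) -> List[str]:
    """Stand-in for the port scan sub-playbook: returns the scanning endpoints (step 6)."""
    return [alert["endpoint"]] if alert.get("endpoint") else []


def handle_alerts(alert_ids: List[str]) -> dict:
    """Iterate over every input alert ID and route each one by its enrichment (steps 5-7)."""
    outputs = {"malware": [], "port_scan": [], "other": [], "problematic_endpoints": []}
    for alert_id in alert_ids:               # one loop iteration per input alert ID
        alert = enrich(alert_id)
        category = alert["category"].lower()
        if category == "malware":
            outputs["malware"].append(alert_id)
            outputs["problematic_endpoints"] += malware_subplaybook(alert)
        elif category == "port scan":
            outputs["port_scan"].append(alert_id)
            outputs["problematic_endpoints"] += port_scan_subplaybook(alert)
        else:                                # neither: processing completes for this alert
            outputs["other"].append(alert_id)
    # The parent playbook collects sub-playbook outputs; drop repeated endpoints, keep order.
    outputs["problematic_endpoints"] = list(dict.fromkeys(outputs["problematic_endpoints"]))
    return outputs


if __name__ == "__main__":
    print(handle_alerts(["1001", "1002", "1003", "1004"]))
```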
