Subplaybook looping

This tutorial walks you through a playbook to illustrate the use of a sub-playbook loop. It uses the Palo Alto
Networks Cortex XDR - Investigation and Response integration which
is an endpoint detection and response integration. It receives alerts
from incidents. We configure the integration with the Cortex XDR
Incident type, and we configure the Cortex XDR Incident type to
automatically run the Cortex XDR incident handling v2 playbook.
When an incident of type Cortex XDR Incident occurs,
the Cortex XDR incident handling v2 playbook is triggered.
The playbook retrieves the alerts and finds the incidents
by fields. If a similar instance is found, the alert is closed as

tab of the XDR Alerts Handling Task Details window, you can see
the list of alerts that the playbook processes.
The For Each Input option is selected, meaning
that the playbook will iterate over the alert IDs that are input.
At this point, if you search the Context Data, these alert IDs
appear under the initial incident.
Once the Cortex XDR Alerts Handling sub-playbook runs and
enriches these alert IDs, if you search for alert_id in the Context
Data, the alert IDs appear under PaloAltoNetworks XDR. This will
show enriched data for each of the alert IDs.
Based on the enrichment, the playbook determines if the alert
is malware, a port scan, or anything else.
If the alert is malware, the malware sub-playbook runs.
If the alert is a port scan, the port scan sub-playbook runs.
If the alert is neither malware nor a port scan, the playbook completes.
The applicable sub-playbook processes the enriched information
and outputs the problematic endpoints.
After completing the processing of an alert ID, the playbook
iterates through the remaining inputs until all alert IDs have been
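As an added example (not code from the tutorial, nor from Cortex XSOAR or the Cortex XDR content pack), here is a small Python stand-in for the loop described above: one sub-playbook call per alert ID, the enriched result written under a PaloAltoNetworksXDR context key, and a malware / port scan / other branch that collects the problematic endpoints. The alert IDs, categories, endpoint names and context key names are constructed assumptions.

```python
from typing import Callable, Dict, Set

# Constructed enrichment results keyed by alert ID: a stand-in for what the
# Cortex XDR Alerts Handling sub-playbook returns. Not real alert data.
ENRICHMENT = {
    "alert-101": {"category": "Malware", "endpoint": "ws-01"},
    "alert-102": {"category": "Port Scan", "endpoint": "srv-09", "source_endpoint": "lab-03"},
    "alert-103": {"category": "Credential Access", "endpoint": "ws-07"},
}

def alerts_handling(alert_id: str, context: dict) -> dict:
    """Sub-playbook stand-in: enrich ONE alert ID (the loop hands over inputs one
    at a time) and store the result under the PaloAltoNetworksXDR context key,
    where the tutorial says enriched alerts appear. The key names are assumptions."""
    enriched = {"alert_id": alert_id, **ENRICHMENT[alert_id]}
    context.setdefault("PaloAltoNetworksXDR", {}).setdefault("Alert", []).append(enriched)
    return enriched

def malware_subplaybook(alert: dict) -> Set[str]:
    # Malware branch: the infected endpoint is the problematic one.
    return {alert["endpoint"]}

def port_scan_subplaybook(alert: dict) -> Set[str]:
    # Port scan branch: the endpoint that performed the scan is the problematic one.
    return {alert["source_endpoint"]}

# Branch table: category from enrichment -> sub-playbook to run for that alert.
HANDLERS: Dict[str, Callable[[dict], Set[str]]] = {
    "Malware": malware_subplaybook,
    "Port Scan": port_scan_subplaybook,
}

def run_for_each_input(context: dict) -> Dict[str, Set[str]]:
    """Drive the For Each Input loop: one iteration per alert ID listed on the
    incident, enrich it, branch on category, collect problematic endpoints."""
    problematic: Dict[str, Set[str]] = {"Malware": set(), "Port Scan": set()}
    for alert_id in context["incident"]["alert_ids"]:
        alert = alerts_handling(alert_id, context)
        branch = HANDLERS.get(alert["category"])
        if branch is None:
            continue  # neither malware nor port scan: this iteration just completes
        problematic[alert["category"]] |= branch(alert)
    return problematic

if __name__ == "__main__":
    # Constructed incident context: before the loop, alert IDs sit only under the incident.
    ctx = {"incident": {"alert_ids": ["alert-101", "alert-102", "alert-103"]}}
    print(run_for_each_input(ctx))  # {'Malware': {'ws-01'}, 'Port Scan': {'lab-03'}}
    print(ctx["PaloAltoNetworksXDR"]["Alert"])
```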