Create a Job

Create a time triggered or feed triggered job in Cortex XSOAR to run a playbook.
You can use jobs to run playbooks in Cortex XSOAR. Jobs can be time triggered and run at specific times or event triggered and run when there are changes to a feed. For example, you can define an event triggered job to run a playbook when a specified TIM feed finishes a fetch operation for new indicators. Or you can schedule a time triggered job that runs nightly and removes expired indicators.
For a more in-depth example of using an event triggered job, read the tutorial for Adding Indicators to a SIEM.

Create a Time Triggered Job

Time triggered jobs run at pre-determined times. You can schedule the job to run at a recurring time or one time at a specific date and time.
  1. Navigate to Jobs.
  2. Click New Job.
  3. Confirm that Time triggered is selected.
  4. Select the date and time the job should run. If you want the job to repeat at regular intervals, select the Recurring checkbox and choose the desired interval.
    You can choose to run the job every X number of days, on specific days of the week, at a specific time and also choose a start date and an expiration date. You have the option to configure the recurring job using a cron expression. To do so, after selecting the Recurring checkbox, click Switch to Cron view and enter the expression. For assistance in defining the cron expression, click Show cron examples after switching to cron view.
  5. Add any relevant tags.
  6. Enter a name for the job.
  7. Assign a playbook to run when the job is triggered.
  8. Enter any relevant non custom and custom fields.
    See the Job Fields Reference for the full list of non custom fields.
  9. Select whether to notify the owner of the job if the job is triggered while a previous instance of the job is active.
  10. Select an option to use if the job is triggered while a previous instance of the job is active:
    • Don’t trigger a new job instance.
    • Cancel the previous job instance and trigger a new job instance.
    • Trigger a new job instance and run concurrently with the previous instance.
  11. Click Create new job.
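The three options in step 10 matter most when a playbook run can outlast the job's interval. The following is an added example, not Cortex XSOAR code or its scheduler: a simplified Python model (the `simulate` function, the policy names, and the minute values are assumptions made for illustration) that counts what each option does to a recurring job.

```python
from dataclasses import dataclass

# Hypothetical labels for the three options listed in step 10.
SKIP = "skip"              # Don't trigger a new job instance
REPLACE = "replace"        # Cancel the previous instance and trigger a new one
CONCURRENT = "concurrent"  # Trigger a new instance alongside the previous one


@dataclass
class Summary:
    started: int           # instances that were launched
    skipped: int           # triggers that launched nothing
    cancelled: int         # instances stopped before finishing
    completed: int         # instances that ran to the end
    peak_concurrency: int  # most instances active at the same moment


def simulate(policy: str, interval: int, runtime: int, triggers: int) -> Summary:
    """Fire `triggers` times, `interval` minutes apart; each run needs `runtime` minutes."""
    active = []  # end times of the instances that are still running
    started = skipped = cancelled = completed = peak = 0
    for n in range(triggers):
        now = n * interval
        completed += sum(1 for end in active if end <= now)
        active = [end for end in active if end > now]
        if active and policy == SKIP:
            skipped += 1
            continue
        if active and policy == REPLACE:
            cancelled += len(active)
            active = []
        active.append(now + runtime)
        started += 1
        peak = max(peak, len(active))
    completed += len(active)  # nothing interrupts runs after the last trigger
    return Summary(started, skipped, cancelled, completed, peak)


if __name__ == "__main__":
    # Constructed scenario: a 10-minute interval and a playbook that needs 25 minutes.
    for policy in (SKIP, REPLACE, CONCURRENT):
        print(policy, simulate(policy, interval=10, runtime=25, triggers=6))
```

In this constructed scenario the cancel option lets only the final instance complete, and the concurrent option holds three instances active at once, which is the kind of outcome the owner notification in step 9 is meant to surface.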

Create an Event Triggered Job

Event triggered jobs run when a feed has completed an operation and there is a change in the content. For the job to trigger, there must be a delta between the incoming feed and the previous one.
An event triggered job only runs if there is a change in the feed, and does not run on a feed’s initial fetch. If this is the initial fetch, you can run the playbook manually the first time and then set up an event triggered job for subsequent fetches.
  1. Navigate to Jobs.
  2. Click New Job.
  3. Select Triggered by delta in feed.
  4. Select if the job should be triggered based on a specific feed or based on any feed. If the job will be triggered based on a specific feed, select the feed from the drop-down.
  5. Enter a name for the job.
  6. Assign a playbook to run when the job is triggered.
  7. Add any relevant tags.
  8. Click Create new job.

Job Fields Reference

| Name | Description |
| --- | --- |
| Recurring | Determine if the job is triggered at a pre-determined time interval. |
| Tags | Add tags to apply to the job. You can use these tags as a search parameter in the system. |
| Name | Enter a meaningful name for the job. |
| Owner | Assign an owner to the incident. |
| Role | Select the role who can access the incident. |
| Type | Determine the incident type created by this job. |
| Severity | Determine the severity of the incident that is created. |
| Playbook | Determine which playbook to run when this job is triggered. |
| Labels | Select the labels that are available in the incident type. |
| Phase | Select the phase of the investigation in which this incident is opened. |
| Details | Add details that should appear within the incident. |
| Attachments | Add attachments to the job. |
| Notify the owner | Sends a message to the job owner using one of the notification methods configured in Cortex XSOAR. |
