Playbook Tasks - Administrator Guide - 6.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.5
Creation date: 2022-09-28
Last date published: 2024-03-21
End of Life: EoL
Category: Administrator Guide
Abstract

Cortex XSOAR playbook tasks, including conditional tasks and communication tasks.

Tasks are the building blocks of playbooks. Cortex XSOAR supports different task types for the different aspects of the playbook. Each task type requires different information and provides different capabilities. You should choose your task type based on what you want to accomplish in the task. For example, for enrichment, you might want to run an enrichment sub-playbook or a command that returns additional information for an indicator.

Task Types

Playbooks use the following task types:

  • Standard tasks

    Standard tasks range from manual tasks, such as creating an incident or escalating an existing incident, to automated tasks, such as parsing a file or enriching indicators. Automated tasks are based on scripts that exist in the system. These scripts can be scripts that you created, or scripts from an installed content pack. For example, the !file command enables you to enrich a file using any number of integrations that you have installed in your system, such as Palo Alto Networks WildFire v2. By contrast, the !ADGetUser command is specific to the Active Directory content pack integration.

  • Conditional tasks

    Conditional tasks are used like a decision tree in your flow chart. For example, a conditional task may ask whether indicators were found. If yes, you can have a task to enrich them; if not, you can proceed to determine that the incident is not malicious. Alternatively, you can use conditional tasks to check whether a certain integration is available and enabled in your system. If so, you can use that integration to perform an action; if not, you can continue on a different branch of the decision tree.

    Conditional tasks can also be used to communicate with users through a single-question survey, the answer to which determines how the playbook proceeds.

  • Data Collection tasks

    Data collection tasks are used to interact with users through a survey. The survey resides on an external site that does not require authentication, thereby allowing survey recipients to respond without restriction.

    All responses are collected and recorded in the incident's context data, whether you receive responses from a single user or multiple users. This enables you to use the survey questions and answers as input for subsequent playbook tasks.

    Note

    You can collect responses in custom fields, for example, a Grid field.

  • Section headers

    Section headers are used to manage the flow of your playbook and help you organize your tasks efficiently. You create a Section Header task to group a number of related tasks under the Section Header, as you would items in a warehouse or topics in a book.

    Section headers can also be used for time tracking between phases in a playbook. This data can be displayed in dashboards and used to report time trends.

    For example, in a phishing playbook, you would have separate sections for the investigative part of the playbook, such as indicator enrichment, and for the tasks that communicate with the user who reported the phishing.