Playbook permissions

Abstract

Configure playbook permissions.

Playbooks are automated response workflows. By default, the Playbooks permission is set to Disabled. To set it to Enabled, you must first set Scripts to Enabled. When you enable Playbooks, you can then set Cases and Issues to View or View/Edit.

Important

Playbooks are a prerequisite for the entire Investigation & Response workspace. You cannot set Cases and Issues to View/Edit unless Playbooks is Enabled.

Cortex XSIAM enforces least-privileged per-object access by allowing you to manage access for custom (user-defined) playbooks. For more information, see Manage access to objects.

Permission

Description

Roles Example

Enabled

Users can browse the playbook library and are granted access depending on their per-object access and sub-permissions explained below. Some of the additional options can include:

  • Create, edit, and delete playbooks

  • Enable/disable playbooks

  • Import and duplicate playbooks

  • Select a playbook on Issues

  • View the visual task-flow of a playbook

  • See the "Work Plan" within a case, when they have access to Cases and Issues (under Cases & Issues)

When set to Enabled, you can grant the following additional permissions:

  • Create Playbooks: Enables all methods for adding playbooks to Cortex XSIAM. This includes the Build New Playbook button, as well as the ability to Duplicate, Attach, or Detach playbooks. The user who performs these actions is automatically designated as the Owner.

  • Edit Public Playbooks: Allows the user to modify custom playbooks set to Public, even if they are not the Owner.

  • Unlock: Enables unlocking playbooks locked by other users during concurrent editing and overrides the lock when another user is editing.

Note

Playbooks can only be Enabled when Scripts are Enabled first.

  • SOC Tier-1 and 2 Analysts and Threat Hunters: Need visibility into playbooks but should not modify them.

  • SOC Tier 3 Analysts: Run playbooks on issues.

  • Security Engineer: Security Engineers need full playbook capabilities for advanced development.

Disabled

Cannot access the Playbooks page, view any playbook configurations, see the playbook execution status (unless they access to the issue), and access the Workplan in cases/issues.

Note

Playbooks can only be Disabled after Cases and Issues (under Cases & Issues) are set to None first.