Playbook inputs and outputs

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-05-21
Category: Administrator Guide
Abstract

Cortex XSIAM playbooks and tasks have inputs (data from an incident or an integration) and outputs, and an output can then be used as the input of another task.

Playbooks and tasks have inputs, which are pieces of data available to the playbook or task. The inputs are often manipulated or enriched, and the result is an output. An input might come from the alert itself, such as the role to which the incident should be assigned, or it can be provided by an integration, for example when an Active Directory integration is used in a task to extract a user's credentials.

Note

The example below uses alert context data as the playbook input, taken from the Access Investigation - Generic playbook. Threat Intel playbooks use indicators as the playbook input instead.

Click the Playbook Triggered task. This playbook is triggered on context data, that is, on an incident. The first two inputs are SrcIP, which comes from the incident.src key, and DstIP, which is retrieved from incident.dst.

[Image: access-investigation-pb.png]

In addition, the playbook itself creates an output object whose entries serve the tasks throughout the playbook.

[Image: access-investigation-out.png]

For example, the playbook creates a list of endpoint IP addresses, which can later be enriched by an IP enrichment task, and a list of endpoint MAC addresses, which can be used to get information about the hosts affected by the alerts.

Outputs can also be data that was extracted or derived from the inputs. For example, in the following image the user's credentials were received from Active Directory, and those credentials were then used to retrieve the user's email address, manager, and the groups to which the user belongs.

[Image: account-enrich-pb.png]

An output can then serve as the input of a subsequent task. For example, the user's manager, which was returned as an output in the image above, can be used as an input to retrieve the manager's details from Active Directory.

[Image: get-manager-task.png]

Notice that the input for this task is Account.Manager, which is the output highlighted in the image above.
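The same input/output chaining written as a playbook YAML fragment, added here as an illustration and not taken from the product's own Access Investigation - Generic playbook: the playbook inputs SrcIP and DstIP are bound to incident.src and incident.dst, the first task produces Account outputs, and the second task consumes Account.Manager as its argument. Task ids, task names and the incident.username accessor are assumptions, the taskid/task.id UUIDs a real playbook carries are omitted, and ad-get-user with its username and dn arguments is assumed to be the Active Directory Query v2 command.

```yaml
# Added illustration, not the page's playbook. Ids, names and the
# incident.username accessor are assumed; UUID fields are omitted.
id: access-investigation-example
name: Access Investigation - Example
inputs:
- key: SrcIP
  value:
    complex:
      root: incident      # context root
      accessor: src       # incident.src, as shown on the page
  required: false
  description: Source IP address of the alert
- key: DstIP
  value:
    complex:
      root: incident
      accessor: dst       # incident.dst
  required: false
  description: Destination IP address of the alert
tasks:
  "1":
    id: "1"
    type: regular
    task:
      name: Enrich user account
      script: '|||ad-get-user'   # assumed: Active Directory Query v2 command
      iscommand: true
      type: regular
    scriptarguments:
      username:
        complex:
          root: incident
          accessor: username     # assumed incident field holding the user
    nexttasks:
      '#none#':
      - "2"                      # run task 2 after task 1 writes Account.*
  "2":
    id: "2"
    type: regular
    task:
      name: Get manager details
      script: '|||ad-get-user'
      iscommand: true
      type: regular
    scriptarguments:
      dn:
        simple: ${Account.Manager}   # task 1 output used as task 2 input
```

Task 2 only resolves its dn argument if task 1 actually populated Account.Manager in context, so a conditional task checking that the key exists is the usual guard before it.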