Configure a sub-playbook, also to run in a loop.
Playbooks can be divided into two categories, depending on their use.
Parent playbooks are playbooks that run as the main playbook of an alert.
Sub-playbooks are playbooks that are nested under other playbooks. They appear as tasks in the parent playbook flow and are indicated by the sub-playbook icon
. A sub-playbook can also be a parent playbook in a different use case. For example, IP Enrichment - Generic v2 and Retrieve File From Endpoint - Generic v3. These playbooks are usually used as part of a bigger investigation.Since sub-playbooks are building blocks that can be used in other playbooks and use cases, you should define generic inputs for them.
Inputs can be passed to sub-playbooks from the parent playbook, used and processed in the sub-playbook, and sent as output to the parent playbook.
Note
Any change made to a sub-playbook impacts the parent playbook in the next run of the parent playbook.
Sub-playbook loops
Looping uses sub-playbooks to create loops within a parent playbook. When running the loop, the values are calculated based on the context data for the sub-playbook and not the parent playbook.
Note
Consider the following when adding a loop:
The maximum number of loops (default is 100). A high number of loops or a high wait time combined with a large number of alerts may affect performance.
Periodically check looping conditions to ensure they are still valid for the data set.
When the task input is an array, it is iterated automatically (no need to define a loop).
In the Playbooks page, select the parent playbook that contains the sub-playbook task you want to run in a loop.
Click Edit.
If the playbook is installed from a content pack, you need to either detach or duplicate the playbook before editing.
Select the task that contains the sub-playbook for which you want to create the loop.
Click the Loop tab.
Click one of the following options to define loop settings:
None: (Default) The sub-playbook does not loop.
Built-in: Use built-in functions to define loop settings:
Option
Description
Exit when
Enables you to define when to exit the loop. Click {} and expand the source category. Hover over the required source and click Filter & Transform to the left of the source to manipulate the data.
Equals (String)
Select the operator to define how the values should be evaluated.
Max iterations
The number of times the loop should run.
Sleep
The number of seconds to wait between iterations.
recommends that you balance between the number of iterations and the number of seconds to wait between iterations so you don't overload the server.
For each input: Runs the sub-playbook based on defined inputs. Enter the number of seconds to wait between iterations.
Choose Loop automation: Select the automation from the drop-down list to define when to exit the loop. The parameters that appear are applicable to the selected automation.
To save the changes, click OK.