Set playbook inputs and outputs - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation
Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-03-17
Category
Administrator Guide
Abstract

Use an out-of-the-box playbook, create a new playbook, or customize an existing one based on your organization's needs.

Depending on the task type that you select and the script that you are running, your playbook task may have inputs and outputs.

Inputs are data pieces used in a task. The inputs are often manipulated or enriched and they produce outputs. Outputs generated from the result of a task or command can be used as inputs to subsequent tasks or as information generated to help resolve or escalate an investigation.

An input may come from an alert, such as the role to assign an incident to, or an input can be provided by an integration, for example the Active Directory integration can be used in a task to extract a user's credentials.

At the beginning of any playbook, click the Playbook Triggered task and enter the playbook inputs and outputs, grouping them as relevant.

Use the task cheat sheet to use context keys in playbook inputs and outputs

When you create your playbook task inputs, the task cheat sheet enables quick access to system and custom fields to populate playbook task inputs and outputs.

  1. Click playbook-brackets.png.

    The cheat sheet opens displaying alert fields.

  2. Select an alert field, it populates the task input with the corresponding context key.

    xsiam-playbook-cheat-sheet.png
Example 32. 

The following example uses alert context data as the playbook input from the Access Investigation - Generic playbook.

Click the top task Playbook Triggered. The playbook is triggered based on incident context data.

Inputs

The first two inputs are SrcIP, retrieved from the incident.src key, and DstIP, retrieved from the incident.dest key.

access-investigation-pb-2.png

Outputs

The Access Investigation - Generic playbook creates an output object that can be used in subsequent playbook tasks.

For example, the Access Investigation - Generic playbook Endpoint.IP output creates a list of endpoint IP addresses which can later be enriched by an IP enrichment task, and the Endpoint.MAC output creates a list of endpoint MAC addresses which can be used to get information about the hosts that were affected by the alerts.

For example, the Access Investigation - Generic playbook Endpoint.IP output creates a list of endpoint IP addresses which can later be enriched by an IP enrichment task, and the Endpoint.MAC output creates a list of endpoint MAC addresses which can be used to get information about the hosts that were affected by the incidents.

Outputs can also be data that was extracted or derived from the inputs. For example, the Access Investigation - Generic playbook contains the Account Enrichment - Generic v2.1 sub-task, which uses the account username (and optionally domain) as input to Active Directory to retrieve user information as output, such as the user's email address, manager, and any groups to which they belong.

An output can then serve as input for a subsequent task. For example, in the Account Enrichment - Generic v2.1 sub-task, the Get account info from Active Directory task output Account.Username is used as an input for the Active Directory - Get User Manager Details task to retrieve manager details for that user.


Group playbook inputs and outputs

Playbook input and output fields are collected into groups. This organizes the inputs and outputs, providing clarity and context to understand which inputs are relevant to which playbook flow.

For example, the following playbook inputs are grouped under Mailbox selection.

playbook-input-grouping.png
Playbook group permissions

Users with permission to edit playbooks can add, edit, and delete groups and input and output fields. Users without this permission can only view groups, inputs, and outputs.

Work with playbook groups

You can do the following with groups:

  • Add or delete a group. Deleting a group deletes all the fields defined in the group.

  • Change the name and/or description of the group.

  • Change the order groups appear by dragging.

  • Collapse and expand a group.

How to add a new group

  1. Click + Add Input Group or + Add Output Group.

  2. Enter a group name and description and click the check mark.

  3. Add fields to the group.

    Note

    If you do not add any fields, the group will be deleted when you click Save.

Manage input or output fields within a group

You can do the following with input or output fields within a group:

  • Add, edit, or delete fields within a group. Input or output fields are always part of a group.

  • Move fields between groups by dragging.

  • Change field order within a group by dragging.

How to add an input or output field in a group

Inputs

  1. Within a group, click + Add Input at the bottom of the list of input fields. You may need to scroll down to see it.

  2. Enter the input field Name (required), Value, and Description.

  3. When you are done adding fields, click Save.

Outputs

  1. Within a group, click + Add Output or + Add Manually at the bottom of the list of output fields. You may need to scroll down to see these options.

    • If you click + Add Output, select from the outputs from previous tasks.

    • If you click + Add Manually, enter the context path and description for the output.

  2. When you are done adding fields, click Save.