Playbooks and tasks have inputs, which are data pieces that are present in the playbook or task. The inputs are often manipulated or enriched and they produce outputs. The inputs might come from the incident itself, such as the role to whom to assign the incident, or an input can be provided by an integration. For example, when an Active Directory integration is used in a task to extract a user's credentials.
You can add playbook inputs from context data and from indicators. Some playbooks such as Threat Intel Management playbooks use indicators as the playbook input.
The example below uses incident context data as the playbook input.
In the image above, we see a playbook that is triggered based on context data, meaning an incident. The first two inputs are the
SrcIP, which comes from the
incident.src key, and
DstIP, which is retrieved from
In addition, the playbook itself creates an output object whose entries serve the tasks throughout the playbook.
For example, we create a list of endpoint IP addresses which can later be enriched by an IP enrichment task, or a list of endpoint MAC addresses, which can be used to possibly get information about the hosts that were affected by the incident.
Outputs can also be data that was extracted or derived from the inputs. For example, in the following image we received the user's credentials from Active Directory, and used those credentials to retrieve the user's email address, manager, and any groups to which they belong.
An output can then serve as input for a subsequent task. For example, the user's manager who was returned as an output in the image above, can be used as an input to retrieve information from Active Directory.
Notice that the input for this task is Account.Manager, which is the output we highlighted in the playbooks inputs, above.
For information on giving sub-playbooks access to main playbook data, see Incident Context Data.