Playbook Inputs and Outputs - Playbook Design Guide - 6.x - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Playbook Design Guide

Product: Cortex XSOAR
Version: 6.x
Creation date: 2023-01-19
Last date published: 2023-12-19
Category: Playbook Design Guide

Playbooks and tasks have inputs: pieces of data that are available to the playbook or task. Inputs are often manipulated or enriched, and the result is an output. An input might come from the incident itself, such as the role to which the incident should be assigned, or it might be provided by an integration, for example when an Active Directory integration is used in a task to extract a user's credentials.

You can add playbook inputs from context data and from indicators. Some playbooks, such as Threat Intel Management playbooks, use indicators as the playbook input (see Threat Intelligence Management Playbooks).

The example below uses incident context data as the playbook input.

(Image: playbook-inputs.png)

In the image above, we see a playbook that is triggered by context data, meaning by an incident. The first two inputs are SrcIP, which comes from the incident.src key, and DstIP, which is retrieved from incident.dst.

In addition, the playbook itself defines an output object whose entries are used by tasks throughout the playbook.

(Image: playbook-inpt-output.png)

For example, we create a list of endpoint IP addresses, which can later be enriched by an IP enrichment task, or a list of endpoint MAC addresses, which can possibly be used to get information about the hosts affected by the incident.

Outputs can also be data that was extracted or derived from the inputs. For example, in the following image, we received the user's credentials from Active Directory and used those credentials to retrieve the user's email address, manager, and any groups to which they belong.

(Image: playbook-edit-task.png)

An output can then serve as the input for a subsequent task. For example, the user's manager, which was returned as an output in the image above, can be used as an input to retrieve information from Active Directory.

(Image: playbook-edit-task-man.png)

Notice that the input for this task is Account.Manager, which is the output we highlighted in the playbook inputs above.
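The wiring described above, written out as a trimmed playbook definition. This is an added illustration, not content from the Cortex XSOAR documentation or a shipped content pack; the key names follow the exported playbook YAML layout as generally understood, and the playbook name, task ids, the Username input and the script references are assumptions.

```yaml
# Added illustration (not from the Cortex XSOAR docs). Shows: playbook inputs
# read from incident fields, an output declared by the playbook, and a later
# task consuming an earlier task's output (Account.Manager) as its input.
id: example-ip-user-enrichment          # assumed id
name: Example IP and User Enrichment    # assumed name
inputs:
- key: SrcIP
  value:
    complex:
      root: incident      # read from the incident's src field
      accessor: src
  required: false
  description: Source IP address taken from the incident
- key: DstIP
  value:
    complex:
      root: incident      # read from the incident's dst field
      accessor: dst
  required: false
  description: Destination IP address taken from the incident
- key: Username           # assumed input: the account to look up in AD
  value:
    simple: ""
  required: true
  description: User whose details are retrieved from Active Directory
outputs:
- contextPath: Account.Manager   # written by task "2", consumed by task "3"
  description: Manager of the user returned by Active Directory
  type: string
tasks:
  "1":
    id: "1"
    type: regular
    task:
      name: Enrich source IP
      script: '|||ip'                         # generic ip command (assumed)
    scriptarguments:
      ip:
        simple: ${inputs.SrcIP}               # playbook input used as task input
  "2":
    id: "2"
    type: regular
    task:
      name: Get user from Active Directory
      script: 'Active Directory Query v2|||ad-get-user'   # assumed script ref
    scriptarguments:
      username:
        simple: ${inputs.Username}
  "3":
    id: "3"
    type: regular
    task:
      name: Get the user's manager from Active Directory
      script: 'Active Directory Query v2|||ad-get-user'   # assumed script ref
    scriptarguments:
      username:
        simple: ${Account.Manager}            # output of task "2" as input
```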

For information on giving sub-playbooks access to main playbook data, see Incident Context Data.