Cortex XSOAR playbooks and tasks have inputs (data from
incident or integration) and outputs that can then be used as input
in other tasks.
Playbooks and tasks have inputs, which
are data pieces that are present in the playbook or task. The inputs
are often manipulated or enriched and they produce outputs. The
inputs might come from the incident itself, such as the role to
whom to assign the incident, or an input can be provided by an integration, for
example when an Active Directory integration is used in a task
to extract a user's credentials.
The example below uses incident context data as the playbook input. Threat Intel Management playbooks use
indicators as the playbook input.
In the image above, we see a playbook that is triggered based
on context data, meaning an incident. The first two inputs are the
SrcIP, which comes from the incident.src key, and the DstIP, which
is retrieved from incident.dst.
In addition, the playbook itself creates an output object whose
entries serve the tasks throughout the playbook.
For example, we create a list of endpoint IP addresses which
can later be enriched by an IP enrichment task, or a list of endpoint
MAC addresses, which can be used to possibly get information about
the hosts that were affected by the incident.
Outputs can also be data that was extracted or derived from the
inputs. For example, in the following image we received the user's
credentials from Active Directory, and used those credentials to
retrieve the user's email address, manager, and any groups to which
they belong.
An output can then serve as input for a subsequent task. For
example, the user's manager who was returned as an output in the
image above, can be used as an input to retrieve information from
Active Directory.
Notice that the input for this task is Account.Manager, which
is the output we highlighted in the playbook's inputs, above.
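The flow described above (incident data as playbook input, a task output reused as the next task's input) written out as a trimmed playbook definition; this is an added example, not a playbook shipped with Cortex XSOAR. It assumes the Active Directory integration's ad-get-user command accepts username and dn arguments and writes Account.Manager to context, that the incident has a srcuser field, and the task ids are placeholders.

```yaml
id: example-user-enrichment          # placeholder id, not a real content pack
starttaskid: "0"
inputs:
- key: SrcIP                         # comes from the incident, as in the text
  value:
    complex:
      root: incident
      accessor: src
  required: false
  description: Source IP taken from incident.src
- key: Username                      # assumed incident field srcuser
  value:
    complex:
      root: incident
      accessor: srcuser
  required: true
  description: Account to enrich, taken from incident.srcuser
tasks:
  "0":
    id: "0"
    type: start
    task:
      name: ""
      iscommand: false
    nexttasks:
      '#none#':
      - "1"
  "1":
    id: "1"
    type: regular
    task:
      name: Look up the user in Active Directory
      script: '|||ad-get-user'       # assumed to write Account.* to context
      iscommand: true
    scriptarguments:
      username:
        simple: ${inputs.Username}   # playbook input feeding a task
    nexttasks:
      '#none#':
      - "2"
  "2":
    id: "2"
    type: regular
    task:
      name: Look up the user's manager
      script: '|||ad-get-user'
      iscommand: true
    scriptarguments:
      dn:
        simple: ${Account.Manager}   # task 1 output reused as task 2 input
```

Task 2 receives whatever task 1 placed under Account.Manager, so if the lookup in task 1 returns nothing, the dn argument resolves empty and task 2 should be guarded with a condition task before it runs.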