Playbooks and tasks have inputs, which are data pieces that are present in the playbook or task. The inputs are often manipulated or enriched and they produce outputs. The inputs might come from the incident itself, such as the role to whom to assign the incident, or an input can be provided by an integration. For example, when an Active Directory integration is used in a task to extract a user's credentials.

In the image above, we see a playbook that is triggered based on context data, meaning an incident. The first two inputs are the

SrcIP

, which comes from the

incident.src

key, and

DstIP

, which is retrieved from

incident.dst

.

In addition, the playbook itself creates output object whose entries serve the tasks throughout the playbook.

For example, we create a list of endpoint IP addresses which can later be enriched by an IP enrichment task, or a list of endpoint MAC addresses, which can be used to possibly get information about the hosts that were affected by the incident.

Outputs can also be data that was extracted or derived from the inputs. For example, in the following image we received the user's credentials from Active Directory, and used those credentials to retrieve the user's email address, manager, and any groups to which they belong.

An output can then serve as input for a subsequent task. For example, the user's manager who was returned as an output in the image above, can be used as an input to retrieve information from Active Directory.

Notice that the input for this task is Account.Manager, which is the output we highlighted in the playbooks inputs, above.