Use Dynamic Paths
You can use dynamic paths to retrieve values from a Playbook node, event data, or current system time.
The following image depicts a playbook that retrieves indicators from CFTR, filters the indicators by type, and connects the indicators to an incident using the Connect the dots-IOC to Incident action. Connecting dots for indicators helps analysts to draw contextual intelligence on complex threat campaigns, identify potential attacker trajectories, and establish hidden threat patterns by uncovering correlations between isolated threats and incidents.
The following inputs are passed to Connect the dots-IOC to Incident action node.
${event::data::inc_uuid} : retrieves the incident ID from an event data
open : indicates the incident status
${_4::result::ioc_ip} : retrieves the value of ioc_ip from the execution result of node 4
${_4::result::ioc_url} : retrieves the value of ioc_url from the execution result of node 4
Fetch Data from App Node
You can retrieve the output data of an app node and pass the retrieved data as input to any node of a Playbook workflow.
You can use the following dynamic path to retrieve data from an app node:
${_node_number::result::<Instance_ID>::data_key}
Instance_ID
is a unique identifier of an app instance generated from the title of an app instance and it does not contain spaces or uppercase characters.You can use the following dynamic path to retrieve the value of the key field tlp from the output of Playbook node #1.
${_1::result::cftr_instance::data::tlp}
The following image demonstrates the output of Playbook node #1
You can replace the app instance slug name in the dynamic path and use
__instance__
to use the available app instance. The following dynamic path shows an example.${_1::result::_instance_::data::tlp}
Note
__instance__
can be used in nodes configured with only one instance. The above dynamic path is applicable if there is only one instance for an app.
Fetch Data from Memory Node
You can retrieve the stored data of a memory node and pass the retrieved data as input to any node of a Playbook workflow.
You can use the following format to retrieve data from a memory node:
${constant::variable key}
For Example: ${const::country_code}
can be used to fetch the variable country_code = IN from a memory node.
Fetch Data from Input Node
You can retrieve a user's manual input to an input node and pass the retrieved data as input to any node of a Playbook workflow.
You can use the following dynamic path to retrieve data from an input node.
${_nodenumber::io::field_identifier}
For example, ${_4::io::api_key}
can be used to retrieve the value of a field identifier api_key from node 4 (input node) of a Playbook.
Fetch Event Data
Playbooks can be initiated by triggers from external applications. The data received from these events is in JSON format and can be used as input data in the start node or other nodes of the playbook.
Below are dynamic path examples to use event data in playbooks.
${event::data}
- This path retrieves the complete data of a triggered event as input to the start node or any other playbook node.${event::title}
- This path retrieves the title of a triggered event.${event::event_id}
- This path retrieves the ID of a triggered event.${event::created}
- This path retrieves the created time of a triggered event.${event::data::iocs}
- This path retrieves the value of iocs key from the event data.${event::data::cftr_incident_id}
- This path retrieves the value of cftr_incident_data key from the event data.
The below screenshot shows an example where the complete event data is used as input to node number 2.
The below screenshot shows an example where specific data from iocs key is used as input to node number 1.
Fetch System Time
You can pass the current system time as an input to a Playbook node.
You can use the following format to specify input as datetime:
${utils::datetime::now}
- This path retrieves the current system time in ISO format.${utils::time::time}
- This path retrieves the current system time in epoch format.
Fetch Run Log ID of a Playbook
You can retrieve a run log ID of a playbook by using the following dynamic path:
${playbook::playbook_run_readable_id}
The output retrieves the run log ID of a playbook. For example, RLec1592ac-7.
Fetch Playbook Metadata
You can retrieve playbook metadata details using the following dynamic path expressions.
${playbook::playbook_unique_id}
- This path retrieves the unique (UUID) of a playbook. The output retrieves the unique ID of a playbook. For example, f12121241-8f0f-234b-8382-9ee4aaaaa9a.${playbook::playbook_readable_id}
- This path retrieves the readable ID of a playbook. The output retrieves the unique readable ID of a playbook. For example, PLB128.${playbook::playbook_title}
- This path retrieves the title of a playbook. The output retrieves the title of the playbook. For example, Phishing Email Analysis Playbook.${playbook::playbook_run_unique_id}
- This path retrieves the unique ID (UUID) of a playbook run log. The output retrieves the unique ID of a playbook run log. For example, 9a222a6a-334e-678d-789d-abc8d8ef88gh.
Fetch Node Status
You can retrieve the status of a node and the error details using dynamic paths.
Fetch Node Status
You can use the following format to retrieve the run status of a playbook node:
${_node_number::status}
For example, ${_1::status}
.
The output displays the run status of a node. For example, Success.
Fetch Error Details
You can use the following format to retrieve the error details of a playbook node:
${_node_number::error}
For example, ${_1::error}
.
The output displays the error message of a failed node. For example, Unable to execute action.
Fetch playbook last run time in Epoch format
You can use the following dynamic path to retrieve the last run time in Epoch time format.
${playbook::last_run}
Fetch last successful run time of playbook in Epoch format
You can use the following dynamic path to retrieve the last successful run time of the playbook in Epoch time format.
${playbook::last_success_run}