Action Nodes
An action node represents a task to be performed as part of a workflow. It can be defined as an action provided by a third-party app or a custom app (app action node), a custom-built action created by the user (custom action node), or a sub-playbook that can be executed as part of the larger playbook (playbook action node).
You can add and configure the following action nodes:
App Action Node
An app action node represents an action provided by a third-party app or a custom app. An app action node contains a list of applications and their respective actions. For example, an app action node could represent a task in a security tool, such as creating a ticket in a ticketing system.
Sample Process
Steps
To configure an app action node, follow these steps:
From the Nodes list, drag and drop the App Action node to the canvas.
You can view the frequently used actions or you can search for apps or actions using the search bar. Select the required app, app version, and action to add to the playbook. Click Add.
To add other nodes from a specific node, select the node and click
. You can drag and drop any node type to connect from the selected node.Note
App versions that have not undergone thorough testing and are directly launched on the production app store are identified as Beta versions. To indicate the Beta version of apps, the App Store will display the Beta label alongside the app version number on the app details page. If the latest released version of an app is a Beta version, then the My Apps and Appstore listing page will also display the Beta tag for the app. Once applied, the Beta tag remains unchanged and is not removed for an app version.
In the Node Details tab, configure the following node details:
In Basic Details, enter the following details:
Node Title: Enter a title for the node.
Description: Add a brief description of the node. It is recommended to add a relevant description for the node, as analysts can use this for their reference.
Abort playbook if this node fails: Select this option to terminate the playbook if the node fails to execute.
Run Asynchronously: Enable this option to run a node independent of the playbook. Run Asynchronously is available for a playbook action node (sub-playbook) and a Cyware agent-enabled app action node. You cannot utilize the output of a playbook node that will run asynchronously as an input to another node of the Playbook workflow.
In Apps & Actions, you can do the following:
Change: Click Change to change the action of the app. Select an action from the dropdown and click Done.
App Instances: Select one or more App Instances to interact with an application. If an app instance is not available for an app, you can also create a new instance from the Playbook canvas by clicking New Instance. For more information, see Add Instances. You can add multiple instances to an app node to retrieve data from multiple instances without configuring a dedicated node for each instance. Select an app instance that can be used to perform the action.
Note
While adding multiple app instances to a node, you cannot add instances that are agent-compatible and non-agent-compatible simultaneously.
To test instance connectivity, click the Test Connectivity icon. For more information, see Test Playbook Instances.
Help & Documentation(Optional): To view details of the app, click Help & Documentation. The app documentation opens in a new tab.
Retry Count: Configure the number of times an action should be automatically re-executed on failure. Analysts can configure the action retry count when temporary node failures are expected, and a retry is likely to succeed, allowing the overall flow to continue and avoid manual intervention. You can configure the action retry count in the range of 1 to 15.
Retry Interval: Configure the interval in seconds after which a node can attempt to re-execute a failed action.
In Input Data, pass the optional or required input values to the app node. You can pass static or dynamic values to an app node. Enter the Key and Value to pass to the node. To add more parameters, click Add Parameter.
If the input required to execute a node is dependent on the output parameters of another node, you must define the input data using dynamic path expressions. For more information, see Playbook Input and Output.
You can also choose to configure the following optional parameters:
Iterate over each item: Enable this option to iterate the node execution over a list of input values. For example, this option executes the node for each entry in ${list(john.doe@example.com, joe.doe@example.com, mark@example.com)}.
Generate Dynamic Path: Generate a dynamic path using response parameters from other nodes. Click {} (curly braces) in the input field and select relevant options for the following fields:
Nodes: Select a node, such as App Action, Playbook, Input, and Memory, to generate the dynamic path.
Note
If the action node is selected, the default instance is used to generate the dynamic path.
Node: Select a node using the dropdown to generate a dynamic path.
Response Keys: Select the response key to retrieve values from the selected node.
Note
If you have selected an app action node and configured a custom output for it, you’ll be able to choose from the defined keys.
Preview: View the generated dynamic path before adding it. The dynamic path is generated based on the options you have selected for Node, Response Key, and more.
To add the dynamic path in the Input Data, click Add. The values for the dynamic path will be retrieved automatically during the playbook execution.
To add more parameters, click Add Parameter.
In Output Data, you can configure the following optional settings:
Save node output data: Select this option to save the entire node output in run logs.
Save customized output data: You can choose to save the customized node result.
Click Save.
Custom Action Node
A custom action node is a custom-built action created by developers to perform a specific task that is not covered by the app action nodes. Custom action nodes can be developed in the Python code editor and executed through the Playbook canvas.
For example, you can create a custom action node to filter a list of indicators based on specific criteria.
Steps
To configure a custom action node, follow these steps:
From the Nodes list, drag and drop the Custom Action node to the canvas. To add other nodes from a specific node, select the node and click
. You can drag and drop any node type to connect from the selected node.In the Node Details tab, configure the following node details:
In Basic Details, enter the following details:
Node Title: Enter a title for the custom node.
Description: Add a brief description of the node. It is recommended to add a relevant description for the node, as analysts can use this for their reference.
Abort playbook if this node fails: Select this option to terminate the playbook if the node fails to execute.
In Input Data, pass the optional or required input values to the node. You can pass static or dynamic values to the node. The input required to execute a node is dependent on the output parameters of another node. You must define the input data using dynamic path expressions. For more information, see Playbook Input and Output.
Generate Dynamic Path: Generate a dynamic path using response parameters from other nodes. Click {} (curly braces) in the input field and select relevant options for the following fields.
Nodes: Select a node, such as App Action, Playbook, Input, and Memory, to generate the dynamic path.
Note
If the action node is selected, the default instance is used to generate the dynamic path.
Node: Select a node using the dropdown to generate a dynamic path.
Response Keys: Select the response key to retrieve values from the selected node.
Note
If you have selected an app action node and configured a custom output for it, you’ll be able to choose from the defined keys.
Preview: View the dynamic path generated based on the options selected for Node, Response Key, and other fields before adding it as Input Data.
To add the dynamic path in the Input Data, click Add. The values for the dynamic path will be retrieved automatically during the playbook execution.
To add more parameters, click Add Parameter.
In Custom Code, write the custom code (Python) or insert a code snippet from the Resource Library. For more information, see Code Snippets.
To insert a code snippet, click Code Snippet and select a snippet from the list. You can modify the code snippet and click Insert Snippet. Inserting the snippet code will replace any existing information. Click Copy to copy the code.
You can modify the code snippet and click Save as Snippet. Modifying the code will break the reference to the existing code snippet. You can save the changes as a new code snippet.
The script internally uses the following parameters:
Import Statements: Imports the internal Python modules defined in Python Module Index and the external Python modules such as xmltodict==0.12.0, feedparser==6.0.4, and json2html==1.3.0.
def script_function: This is a built-in function that cannot be modified.
(**parameters): Define input parameters inside the container (), as per the requirement.
Write your custom code here: Write the custom Python code here, as per your requirement.
Return: Define the return values, as per your requirement.
Click Save.
Manage Code Snippets
You can perform the following actions to manage code snippets inside a condition node:
Copy: To copy the code snippet and use it, click More and select Copy.
Save as Code Snippet: When you modify an existing code, the snippet code can be saved as a new code snippet. To save a modified snippet as a new snippet, click More and select Save as Code Snippet. Enter a name for the snippet and description, and click Save.
Clear All: To clear the existing code, click More and select Clear All.
Playbook Action Node
A playbook action node is a sub-playbook that can be executed as part of the larger playbook. This allows you to reuse existing playbooks, keeping your playbooks modular and organized.
Note
It is not recommended to create a playbook in which the master playbook and a sub-playbook run in a cycle.
For example, you can add a sub-playbook node to enrich an indicator and pass the indicator details to the master Playbook.
Sample Process
Steps
To configure a playbook action node, follow these steps:
From the Nodes list, drag and drop the Playbook node to the canvas.
Search for the playbook or select from the playbook list and click Add. You can also view the frequently used playbooks. You can select only active playbooks from the list.
You can drag and drop any node type to connect from the selected node. To add other nodes from a specific node, select the node and click
. You can drag and drop any node type to connect to the existing node.In the Node Details tab, configure the following node details:
In Basic Details, enter the following details:
Node Title: Enter a title for the node.
Description: Add a brief description of the node. It is recommended to add a relevant description for the node as analysts can use this for their reference, and click Save.
Abort playbook if this node fails: Select this option to terminate the Playbook if the node fails to execute.
Run Asynchronously: Enable this option to run a node independently of the playbook. Run Asynchronously is available for a playbook action node (sub-playbook) and a Cyware agent-enabled app action node. You cannot utilize the output of a playbook node that will run asynchronously as an input to another node of the Playbook workflow.
In Sub-Playbook, click Change to add a different playbook.
In Input Data, pass the optional or required input values to the app node. You can pass static or dynamic values to an app node. Enter the Key and Value to pass to the node. To add more parameters, click Add Parameter.
If the input required to execute a node is dependent on the output parameters of another node, you must define the input data using dynamic path expressions. For more information, see Playbook Input and Output.
You can also choose to configure the following optional parameters:
Iterate over each item: Enable this option to iterate the node execution over a list of input values. For example, this option executes the node for each entry in $LIST[john.doe@example.com, joe.doe@example.com, mark@example.com].
Generate Dynamic Path: Generate a dynamic path using response parameters from other nodes. Click {} (curly braces) in the input field and select relevant options for the following fields:
Nodes: Select a node, such as App Action, Playbook, Input, and Memory, to generate the dynamic path.
Note
If the action node is selected, the default instance is used to generate the dynamic path.
Node: Select a node using the dropdown to generate a dynamic path.
Response Keys: Select the response key to retrieve values from the selected node.
Note
If you have selected an app action node and configured a custom output for it, you’ll be able to choose from the defined keys.
Preview: View the generated dynamic path before adding it. The dynamic path is generated based on the options you have selected for Node, Response Key, and more.
Click Add to add the dynamic path to the field. The values will be retrieved automatically during the playbook execution.
To add more parameters, click Add Parameter.
Click Save.
AI Action Node
An AI action node enables you to add AI-powered app actions to your playbook. This enables you to define prompts directly within the playbook workflow and utilize AI to perform tasks such as summarization, translation, and recommendations, among others. For example, you can use the AI action node to summarize RSS feed content daily and email key updates to analysts.
Before you Start
Ensure you have installed and configured the AI provider Apps.
Note
Ensure these app versions or above are installed to use the AI action node:
OpenAI version 1.3.0
Mistral AI Version 1.1.0
Meta Llama AI Version 1.1.0
Gemini version 1.1.0
Anthropic Claude version 1.1.0
Steps
To configure an AI action node, follow these steps:
From the Nodes list, drag and drop the AI Action node to the canvas.
Select an AI provider and, in Actions, select the action to add to the playbook. Click Add.
In the Node Details tab, configure the following node details:
In Basic Details, enter the following details:
Node Title: Enter a title for the node.
Description: Enter a brief description of the node. It is recommended to add a relevant description for the node, as analysts can use this for their reference.
Abort playbook if this node fails: Select this option to terminate the playbook if the node fails to execute.
Run Asynchronously: Enable this option to run a node independent of the playbook. Run Asynchronously is available for a playbook action node (sub-playbook) and a Cyware agent-enabled app action node. You cannot utilize the output of a playbook node that will run asynchronously as an input to another node of the Playbook workflow.
In Apps & Actions, you can do the following:
Change: Click Change to update the AI action. Select a new action from the dropdown and click Done.
Help & Documentation(Optional): To view details of the app, click Help & Documentation. The app documentation opens in a new tab.
App Instances: Select one or more app instances to interact with an application. If an app instance is not available for an app, you can also create a new instance from the playbook canvas by clicking New Instance. For more information, see Add Instances. You can add multiple app instances to a single node to fetch data from different instances without creating separate nodes. During action execution, select the app instance to use.
Note
While adding multiple app instances to a node, you cannot add instances that are agent-compatible and non-agent-compatible simultaneously.
Test Instance Connectivity
Retry Count: Configure the number of times an action should be automatically re-executed on failure. Analysts can configure the action retry count when temporary node failures are expected, and a retry is likely to succeed, allowing the overall flow to continue and avoid manual intervention. You can configure the action retry count in the range of 1 to 15.
Retry Interval: Set the interval in seconds after which a node can attempt to re-execute a failed action. You can enter a value between 1 and 50 seconds.
In Input Data, enter the following details:
Model Name: Enter the model name to use for generating the response. For example, gpt-4.5-preview.
Prompt: Enter a text prompt that will be sent to the selected AI action to respond. If the input required to execute a node is dependent on the output parameters of another node, you must define the input data using dynamic path expressions. For more information, see Playbook Input and Output.
Iterate over each item: Enable this option to iterate the node execution over a list of input values.
In Output Data, you can configure the following optional settings:
Save node output data: Select this option to save the entire node output in run logs.
Save customized output data: Select this option to save the customized node result.