Skip to main content

Orchestrate Next Gen

Use Dynamic Paths

You can use dynamic paths to retrieve values from a playbook node, event data, or current system time.

The following image depicts a playbook that retrieves indicators from CFTR, filters the indicators by type, and connects the indicators to an incident using the Connect the dots-IOC to Incident action. Connecting dots for indicators helps analysts draw contextual intelligence on complex threat campaigns, identify potential attacker trajectories, and establish hidden threat patterns by uncovering correlations between isolated threats and incidents.

The following inputs are passed to Connect the dots-IOC to Incident action node.

  • ${pb_input(data.inc_uuid)} retrieves the incident ID from an event data

  • open indicates the incident status

  • ${valueof(4.result.ioc_ip)} retrieves the value of ioc_ip from the execution result of node number 4

  • ${valueof(4.result.ioc_url)} retrieves the value of ioc_url from the execution result of node number 4

Note

Accessing the specific index of a string using dynamic paths is not supported, and will result in a parsing error.

Retrieve Data from App Node

You can retrieve the output data of an app node and pass the retrieved data as input to any node of a Playbook workflow. You can use the following format to retrieve data from an app node:

${valueof(<node_number>.result.<instance_slug_name>.data_key)} 

instance_slug_name is a unique identifier of an app instance generated from the name of an app instance and it does not contain spaces or uppercase characters.

The following is the dynamic path to retrieve the value of the key field tlp from the output of playbook node number 1.

${valueof(1.result.cftr_instance.data.tlp)} 

Note

You can replace instance_slug_name with __instance__ to use the default instance of an app. __instance__ can be used in nodes configured with at least one instance.

Retrieve Data from Memory Node

You can retrieve the data stored in a memory node and pass the retrieved data as input to any node of a playbook workflow. You can use the following format to retrieve data from a memory node:

  • ${valueof(country_code)} retrieves the value of variable country_code = IN from a memory node used in the playbook.

  • ${country_code} also retrieves the value of variable country_code = IN from a memory node used in the playbook.

Retrieve Data from Input Node

You can retrieve a user's manual input to an input node and pass the retrieved data as input to any node of a playbook workflow. You can use the following format to retrieve data from an input node.

${valueof(<nodenumber>.results.<field_identifier>)} 

Example:

${valueof(4.results.api_key)} can be used to retrieve the value of a field identifier api_key from node 4 (input node) of a playbook.

Retrieve Event Data

Playbooks can be initiated by triggers from external applications. The data received from these events is in JSON format and can be used as input data in the start node or other nodes of the playbook.

Below are dynamic path examples to use event data in playbooks.

  • ${pb_input(data)} retrieves the complete data of a triggered event as input to the start node or any other playbook node.

  • ${pb_input(title)} retrieves the title of a triggered event.

  • ${pb_input(event_id)} retrieves the ID of the triggered event.

  • ${pb_input(created)} retrieves the created time of a triggered event.

  • ${pb_input(data.iocs)} retrieves the value of iocs key from the event data.

  • ${pb_input(data.cftr_incident_id)} retrieves the value of cftr_incident_data key from the event data.

Retrieve System Time

You can pass the current system time as an input to a playbook node. You can use the following format to specify input as datetime:

  • ${datetime(now} retrieves the current system time in ISO format.

  • ${datetime(epoch)} retrieves the current system time in epoch format.

Retrieve Run Log ID of a Playbook

You can retrieve a run log ID of a playbook by using the following dynamic path:

${playbook_metadata(playbook_run_readable_id)} retrieves the run log ID of a playbook. For example, RLec1592ac-7

Fetch Node Status

You can retrieve the result, status, and error details of a node using the dynamic path. 

Fetch Node Status 

You can use the following dynamic path to retrieve the run status of a playbook node:

${1.status} displays the run status of node number 1. For example, Success.

Fetch Node Error Details 

You can use the following dynamic path to retrieve the error details of a playbook node:

${1.error} displays the error message of node number 1. For example, Unable to execute action.

Fetch Node Results 

You can use the following dynamic path to retrieve the results of a playbook node execution.

${1.results} displays the execution results of node number 1.