When a playbook is executed, it gets all of its input either from the container it is executed against (e.g. an Incident) or from an analyst, who supplies the input manually when executing the playbook directly from the Playbooks list.
During execution, all the artifacts (the input/dataset) are available to every action in the playbook, and every action primarily fetches its required input from that initial input/dataset.
The Filter element in playbooks is used when we want to fetch the output of one action and use it as the input for another action (instead of the initially supplied dataset or artifacts).
The filter icon can be placed anywhere in the playbook, but it must sit right before the action that needs its input from another action.
When you place the filter icon, you can configure its fields to fetch specific pieces of information from any action in the playbook.
Filter Configuration:
When configuring a Filter:
Action
Specify which Action’s output you want to use as an input. You will be able to select only those actions which are currently saved in the playbook.
Label
Give the field a label, a unique identifier that can be called in email notifications when required. Note: For a label to be called in an email notification, it needs to be enclosed in curly brackets, like this: {sha256}.
Field
Identify the "Field" in the Playbook:
Specify which field’s output you want to use. This is the specific piece of information that you wish to utilize from the output of the chosen Action. This "field" is a part of the playbook's filtration process.
Copying the Path from the Action Element:
To populate the "field," you'll need to copy the path from the Action element in the playbook. Follow these steps:
Find the relevant Action element associated with the decision you're working with.
Within the Action element, look for the "filter" icon, which typically represents the data or value you want to use for the decision.
Click on the "filter" icon to access the available data paths.
Selecting the Path for Input:
Within the "filter" options, you can choose the data path that corresponds to the value you wish to use as input in the Filter element.
This path might lead to data from previous actions, user inputs, or external sources.
Applying the Path to the "Field" in the Filter Element:
Return to the filter element in your playbook.
Paste the copied path from the Action element into the designated "field" where you want to use it as input.
Save and Review:
Ensure that you save your changes in the playbook.
Review the playbook to confirm that the selected path is correctly integrated into the filtration process.
Transform
A set of prebuilt functions you can use to transform the output before supplying it to the next Action.
Multiconfiguration
This can be done for multiple fields and multiple actions. The filter is not limited to one Action. Click on the + icon to select more fields and inputs.
Example 1:
In this example, a playbook checks the reputation of an MD5 hash on Alienvault. If the verdict is Malicious, the filter action pulls the SHA256 of the MD5 hash from Alienvault's output and pushes it to the Cisco Firepower Management Centre (FMC) firewall.
The Filter action pulls the output for the MD5 from Alienvault.
It then pushes the SHA256 output into the Block Hash action on FMC.
As you can see, the hash has been blocked on FMC.
The admin has received an email from SIRP stating that the hash has been blocked, along with the actual hash, which was supplied in the body of the Email Notification action like this: {sha256}.
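The data flow of Example 1 as a runnable Python model, added here for illustration and not SIRP's own code: a filter with two fields pulls the verdict and the SHA256 from a reputation action's output, applies transforms, hands the hash to the block step only if the verdict is Malicious and the value is a well-formed SHA256, and fills the {sha256} email placeholder. The dotted path syntax, the output keys, the transform names and all function names are assumptions, the format check is an added safeguard, and the sample output is constructed.

```python
import re

# Constructed stand-in for one saved action's output (hashes of empty input).
# The real output schema and path syntax are not shown on this page.
ACTION_OUTPUTS = {"alienvault_reputation": {
    "verdict": "Malicious",
    "indicator": {"md5": "d41d8cd98f00b204e9800998ecf8427e",
                  "sha256": " E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 "},
}}
# One entry per "+" row in the filter: Action, Label, Field (path), Transform.
FILTER_FIELDS = [
    {"action": "alienvault_reputation", "label": "verdict", "field": "verdict"},
    {"action": "alienvault_reputation", "label": "sha256",
     "field": "indicator.sha256", "transform": ["trim", "lowercase"]},
]
TRANSFORMS = {"trim": str.strip, "lowercase": str.lower}  # hypothetical names
SHA256_RE = re.compile(r"[0-9a-f]{64}")

def resolve(path, data):
    """Walk an assumed dotted path through the action's nested output."""
    node = data
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"{path!r}: no key {key!r} in action output")
        node = node[key]
    return node

def run_filter(fields, outputs):
    """Return {label: value} for every configured field."""
    labels = {}
    for f in fields:
        value = resolve(f["field"], outputs[f["action"]])
        for name in f.get("transform", []):
            value = TRANSFORMS[name](value)
        labels[f["label"]] = value
    return labels

def block_hash_input(labels):
    """Value to hand to the block action, or None if the verdict is not Malicious."""
    if labels["verdict"] != "Malicious":
        return None
    if not SHA256_RE.fullmatch(labels["sha256"]):
        raise ValueError("filtered value is not a SHA256 hex digest")
    return labels["sha256"]

def render(template, labels):
    """Substitute {label} placeholders, as in the email notification body."""
    return re.sub(r"\{(\w+)\}", lambda m: str(labels[m.group(1)]), template)
```

A mistyped path fails at `resolve` with a `KeyError`, and a value that is not a hash fails at `block_hash_input`, so neither reaches the firewall step.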