☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

Working with Playbook Tasks

Templates are automated workflows that consist of an ordered list of tasks. This page documents the fields used to define the tasks. Examples can be found by exporting a template from the template library in Secureworks® Taegis™ XDR. Official reference documentation for the domain specific language (DSL) can be found here: DSL

name ⫘

Defines the name of the task. Task names must be unique within a given template. Task names should not contain spaces, and any special characters outside of underscore: _. The name must match the regex pattern: [a-z][a-zA-Z0-9_]*

Default Value— n/a

Data Type— string

description ⫘

This field is used to describe the task. This is not a documentation field, but a short one or two sentence description for the task.

Default/suggested value: one or two sentences that clearly identify the purpose of the task.

Data type— string

inputs ⫘

This field is used to define the input values for the task. When the task is a connector function, the inputs here should match/map to the inputs on the action. Inputs are evaluated/built AFTER the variables on the task is evaluated. This field is optional.

Default Value— should match the JSON schema for the connector action

Data Type— object/map

variables ⫘

Allows the template author to define variables for the task as key/value pairs. Variables are similar to inputs, but exist for flow control task types. The variables for each task can be used/referenced in subsequent steps in the playbook using task_name.variables.variable_name notation. Variables are evaluated and built after the condition on the task is evaluated. This field is optional.

Default Value— n/a

Data Type— object/map

condition ⫘

Allows the template author to define a condition which is evaluated before the task is executed. This field is optional.

Default Value— n/a

Data Type— string

Task Types ⫘

The domain-specific language (DSL) supports a handful of task types. Some tasks are defined by fields specific to that task type. The task types are defined below:

action ⫘

Allows the template author to call a connector function. In most cases, this task type defines inputs that align to the inputs defined on the connector function. Use a format of connector_name.function_name for the value.

Default Value— connector_name.function_name

Data Type— string

exec ⫘

Allows the template author to call another template. In most cases, the exec task type defines inputs which align/map to the inputs defined on the template. Use the full template name for the default value. Note any playbooks executed in an exec task must also be added to the required playbooks list on the template.

Default Value— template_name

Data Type— string

do while ⫘

Allows the template author to perform a number of tasks repeatedly until a condition is met. Not that the tasks inside the do while are executed before the condition is evaluated. The output of a do while task is the result of the last task executed. The iteration variable is created inside the do while and contains the current iteration of the loop.

Default Value— n/a

do Data Type— list/array of tasks

while Data Type— string

Iteration— integer

for range ⫘

Allows the template author to iterate over a list or map value and perform tasks on each iteration within the range. The output is the result of the last task executed. A number of special variables allow the template author to access data on each iteration:

index— an integer indicating the element in the list, or a string map key

value— the current value for this iteration of the list/map

iteration— a counter for each iteration

Default Value— n/a

Data Types ⫘

for-- list/array of tasks range— list/array or map index-- integer if range is a list/array or string if range is a map value— Any (depends on data type of elements in the range) iteration— integer

for condition ⫘

Allows the template author to perform a number of tasks repeatedly if a condition is met. Note in a for condition task, the tasks inside the for condition are executed after the condition is evaluated. Output of a for condition task is the result of the last task executed. The iteration variable is created inside the do while and contains the current iteration of the loop.

Default Value— n/a

Data Types ⫘

for— list/array of tasks condition— string iteration— integer

switch ⫘

Allows the template author to define criteria the execution path follows. Case values must be strings and multiple tasks can be defined in each case.

Default Value— n/a

Data Types ⫘

switch— string case— object/map, where the value for each key is a list/array of tasks

let ⫘

Allows the template author to define variables which can be used in subsequent steps in the template. The variables are name/value pairs.

Default Value— n/a

Data Type— object/map

call ⫘

Allows the template author to execute a function. In most cases, the call task type defines inputs which align to the inputs defined in the function. The value is the full function name. Note any playbooks that are executed in an exec task must also be added to the required interfaces list on the template.

Default Value-- activity_name

Data Type-- string

Working with Playbook Tasks

name ⫘

description ⫘

inputs ⫘

variables ⫘

condition ⫘

Task Types ⫘

action ⫘

exec ⫘

do while ⫘

for range ⫘

Data Types ⫘

for condition ⫘

Data Types ⫘

switch ⫘

Data Types ⫘

let ⫘

call ⫘

On this page: