Cloud-delivered Incident Responder Documentation

Playbook Terminology

Definitions of the terms you encounter when working with playbooks.

Action

A scripted task to call a third-party API service and gather data, executed manually or automatically using playbooks; for example, retrieve the reputation information for a given URL or search emails by sender.

You use action nodes in playbooks. An action node has an inbound port on the left and an outbound port on the right.

Figure: An example playbook with a start node that connects to a new action node, that connects to a decision node, that connects to a filter node; the action node is highlighted with a red rectangle.

Decision

A node that indicates a boolean (if/else) decision. It has one inbound port on the left, an if/true outbound port on the right, and else/false outbound ports on the top and bottom.

Figure: An example playbook with a start node that connects to a new action node, that connects to a decision node, that connects to a filter node; the decision node is highlighted with a red rectangle.

Filter

A node that filters out a subset of the input source based on conditions you specify when you configure the node. The filter node outputs the remaining subset and passes it on to the next node. It has one inbound port on the left and one outbound port on the right.

Figure: An example playbook with a start node that connects to a new action node, that connects to a decision node, that connects to a filter node; the filter node is highlighted with a red rectangle.

Input

Data passed from one node to another, such as data from a Case Manager incident, entity, or artifact.

Node

The fundamental building blocks of playbooks. Each node represents an action, decision, filter, start, or end.

Figure: An example playbook with a start node that connects to a new action node, that connects to a decision node, that connects to a filter node; these nodes and the end node are highlighted with red rectangles.

Operator

Compares operands and returns a logical value indicating whether the comparison is true. Operands may be numerical, string, logical, or object values. Strings are compared using standard lexicographical ordering based on their Unicode values.

Port

Each action, decision, or filter node has at least one inbound port and one outbound port that connect it to other nodes. An inbound port receives data from another node. An outbound port sends data to another node.

The only nodes that don't have both an inbound and an outbound port are the start and end nodes. The start node has only one outbound port. The end node has only one inbound port.

Figure: An example playbook with a start node linked to a new action node, linked to a decision node, linked to a filter node; the new action node's inbound and outbound ports are highlighted with red circles.

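
The Action, Decision, Filter, Port and Operator definitions above, worked as a toy playbook engine in Python. This is an added example, not Incident Responder's own code; the reputation service, the artifact list and every function name are constructed for illustration, and the data flow (start, action, decision, filter, end) follows the figures on this page.

```python
# Added example, not Incident Responder code: a toy playbook engine modelling the
# node types defined above. The reputation service and artifacts are constructed.

# Constructed input: URL artifacts from a hypothetical Case Manager incident.
INCIDENT_ARTIFACTS = [
    {"type": "url", "value": "http://example.test/login"},
    {"type": "url", "value": "http://bad.example/x"},
    {"type": "url", "value": "http://ok.example/"},
]

# Stand-in for a third-party reputation service so the example runs offline.
FAKE_REPUTATION = {"http://bad.example/x": "malicious", "http://ok.example/": "benign"}

# Operators compare two operands and return a logical value; Python compares
# strings by Unicode code point, i.e. standard lexicographical ordering.
OPERATORS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}


def action_lookup_reputation(items):
    """Action node: call the (stubbed) service and attach a reputation to each URL."""
    return [{**i, "reputation": FAKE_REPUTATION.get(i["value"], "unknown")} for i in items]


def filter_node(items, field, op, value):
    """Filter node: filter out items failing `field <op> value`, pass the rest on."""
    return [i for i in items if OPERATORS[op](i[field], value)]


def decision_node(items, field, op, value):
    """Decision node: True routes to the if/true port, False to an else/false port."""
    return any(OPERATORS[op](i[field], value) for i in items)


def run_playbook(artifacts):
    """start -> action -> decision -> filter -> end; returns what reaches the end node."""
    enriched = action_lookup_reputation(artifacts)  # start node's outbound port feeds the action
    if decision_node(enriched, "reputation", "==", "malicious"):  # if/true port
        # Drop benign URLs; unknown and malicious ones continue to the end node.
        return {"branch": "true", "output": filter_node(enriched, "reputation", "!=", "benign")}
    return {"branch": "false", "output": []}  # else/false port: nothing to escalate


if __name__ == "__main__":
    print(run_playbook(INCIDENT_ARTIFACTS))
    print(OPERATORS["<"]("Zebra", "apple"))  # True: 'Z' (U+005A) sorts before 'a' (U+0061)
```

Note the last line: because string operators order by Unicode value, uppercase letters sort before lowercase ones, so a filter condition written for case-insensitive ordering needs normalised operands.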
Service

A third-party product or vendor you integrate with Incident Responder to run actions and playbooks; for example, Cisco Threat Grid and Palo Alto Networks Wildfire. You can interact with multiple instances of a service from within Incident Responder. Information about a service, such as how to connect to it and which actions are defined for it, is stored on the Incident Responder server.