In the Advanced Mode playbook designer, the output is the last step. It's where the results of all the other steps come together to yield a single critical event ranking. Any time you want a given step to feed into the output, click the Output toggle to link it to the output step. When you start a playbook, there is no output step - it appears when you first click the toggle.
You can set multiple steps as output. They all go to the single output step.
The following image shows our example playbook, modified to include an additional scorer step. The Output toggle was enabled for both steps, so both feed into the output step.
Important Note: The events in the output step are sorted in descending order of
lhub_score. This is such that those events that correspond to high risk -- higher
lhub_score, would surface as the first rows when you view the data from the output step. This also means that the data as shown in the output step may have different ordering from the parent steps.
Updated 10 months ago