Execution Tracking - Begin (Observables) activity

The Execution Tracking - Begin (Observables) workflow activity starts the auditing process for a Security Operations Integration workflow that operates on observables.

The Execution Tracking - Begin (Observables) activity can be used with any observables workflow to begin recording the progress of the workflow in an audit.

Results

Possible results for this activity are:

Table 1. Results
Result Description
Success An audit record is created.

Input variables

Input variables determine the initial behavior of the activity.

Variable Description
capabilityId System identifier of the Integration Capability being executed.
isImpl Flag that specifies whether auditing is done for an Integration Capability workflow or an Integration Capability implementation workflow. Possible values are:
  • false - denotes auditing on an abstract Integration Capability workflow such as Sightings Search. (default.)
  • true - denotes auditing on an Integration Capability implementation workflow. For example, Splunk or Elasticsearch.
taskId System identifier for any task associated with the workflow.
observableList One or more observables to perform the desired action against in the following format:
[{"value": "someObsValue","type": "sysIdOfTheObsType"},{"value": "someObsValue","type": "sysIdOfTheObsType"}]

Used as a workflow input.

workflowContextId System identifier of the associated workflow context record. Supplied by the system.
workflowName Name of the workflow. Supplied by the system.
parentCapabilityExcutionId System identifier of the audit record that launched the implementation workflow. Only required for Integration Capability implementation workflows such as Splunk, Elasticsearch.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 2. Output variables
Variable Description
capabilityExecutionId System identifier of the audit record.