Execution Tracking - Begin activity

The Execution Tracking - Begin workflow activity starts the auditing process for a Security Operations Integration workflow that operates on observables. The Execution Tracking - Begin activity can be used with any workflow to begin recording the progress of the workflow in an audit.

Results

Possible results for this activity are:

Table 1. Results

| Result | Description |
|---|---|
| Success | An audit record is created. |

Input variables

Input variables determine the initial behavior of the activity.

| Variable | Description |
|---|---|
| capabilityId | System identifier of the Integration Capability being executed. |
| isImpl | Flag that specifies whether auditing is done for an Integration Capability workflow or an Integration Capability implementation workflow. Possible values are: false - denotes auditing on an abstract Integration Capability workflow such as Sightings Search (default); true - denotes auditing on an Integration Capability implementation workflow, for example, Splunk or Elasticsearch. |
| taskId | System identifier for any task associated with the workflow. |
| observableList | One or more observable SysIDs to perform the desired action. Used as a workflow input. |
| workflowContextId | System identifier of the associated workflow context record. Supplied by the system. |
| workflowName | Name of the workflow. Supplied by the system. |
| parentCapabilityExcutionId | System identifier of the audit record that launched the implementation workflow. Only required for Integration Capability implementation workflows such as Splunk, Elasticsearch, and VirusTotal. |

Output variables

The output variables contain data that can be used in subsequent activities.

Table 2. Output variables

| Variable | Description |
|---|---|
| capabilityExecutionId | System identifier of the audit record. |

Related Reference

- Capability Execution Tracking - Complete activity
- Capability Execution Tracking - Failure activity
- Observable Enrichment Lookup activity
- Create Enrichment Data for Record activity
- Filter Whitelisted Observables activity
- Get Supported Security Capabilities activity
- Capability Execution Tracking - No Impls activity
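
A pre-flight check for the input variables described above, written as an added example that is not part of the product or of the original page. It verifies that an implementation workflow (isImpl = true) carries the parentCapabilityExcutionId that links its audit record to the launching one. The function name, the 32-hex-character SysID pattern, the array or comma-separated form of observableList, and all sample IDs are assumptions made for illustration.

```javascript
// Added example: validate Execution Tracking - Begin inputs before the
// activity runs. Hypothetical helper; it calls no platform API.
const SYS_ID = /^[0-9a-f]{32}$/i; // assumption: a SysID is 32 hex characters

function validateBeginInputs(inputs) {
  const errors = [];
  const warnings = [];
  // isImpl defaults to false (abstract Integration Capability workflow).
  const isImpl = inputs.isImpl === true || inputs.isImpl === 'true';

  if (!SYS_ID.test(inputs.capabilityId || '')) {
    errors.push('capabilityId must be a SysID');
  }
  if (inputs.taskId && !SYS_ID.test(inputs.taskId)) {
    errors.push('taskId must be a SysID when supplied');
  }

  // Assumption: observableList is an array or a comma-separated string.
  const observables = Array.isArray(inputs.observableList)
    ? inputs.observableList
    : String(inputs.observableList || '').split(',').map(s => s.trim()).filter(Boolean);
  if (observables.length === 0) {
    errors.push('observableList needs at least one observable SysID');
  }
  observables.filter(id => !SYS_ID.test(id))
    .forEach(id => errors.push(`observableList entry is not a SysID: ${id}`));

  // An implementation workflow without a parent produces an audit record
  // that cannot be traced back to the workflow that launched it.
  const parent = inputs.parentCapabilityExcutionId || '';
  if (isImpl && !SYS_ID.test(parent)) {
    errors.push('isImpl is true but parentCapabilityExcutionId is missing or invalid');
  }
  if (!isImpl && parent) {
    warnings.push('parentCapabilityExcutionId is set but isImpl is false');
  }
  return { ok: errors.length === 0, isImpl, observables, errors, warnings };
}

// Constructed sample IDs (not real records).
const CAP = '0123456789abcdef0123456789abcdef';
const OBS_A = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';
const OBS_B = 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb';
const PARENT = 'cccccccccccccccccccccccccccccccc';
```
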