How to set playbook component parameters - Security Center

SOAR playbook nodes accept four kinds of parameter values — constants, variables, expressions, and functions — and process them through a three-stage execution pipeline: extraction, deduplication, and action execution. This page explains each parameter type, the syntax for referencing upstream node outputs, data-type conversion rules, and how the pipeline works end to end.

Parameter categories

Parameters fall into two classification dimensions:

By role: playbook input parameters, playbook output parameters, component action input parameters, and component action output parameters.
By source: system parameters and component parameters.

System parameters are accessible from any node during execution. Component parameters are not.

Node input and output parameters

A node's input can be a fixed (constant) value or the output of an upstream node. To reference an upstream node's output, that node must appear before the current node on the same orchestration path.

Important

In multi-path playbooks, node names must be globally unique.

The following diagram illustrates the rule. Node B can access the outputs of Node A (a direct upstream) and the playbook's input parameters. It cannot access Node D (a different branch) or Node C (not a preceding node of Node B on any path).

System parameters

Playbook-level system parameters

Use ${event.parameter_name} to access these parameters from any node. event is the reserved name of the start node; do not name any component event during playbook orchestration.

Parameter	Data type	Expression	Description
`_tenant_id`	String	`${event._tenant_id}`	Alibaba Cloud account ID that calls the playbook
`_domain_id`	String	`${event._domain_id}`	Role status of the logged-on user: `0` = single-account, `1` = global account
`_trigger_user`	String	`${event._trigger_user}`	Alibaba Cloud account ID that triggers the playbook. If a RAM user triggers the playbook, the RAM user's ID is returned.
`_region_id`	String	`${event._region_id}`	Region ID
`_req_uuid`	String	`${event._req_uuid}`	Unique identifier for the current playbook execution
`parentTaskUuid`	String	`${event.parentTaskUuid}`	`_req_uuid` of the parent playbook. Present only when this playbook is called as a child playbook.
`parentTaskName`	String	`${event.parentTaskName}`	UUID of the parent playbook. Present only when this playbook is called as a child playbook.

Component action output parameters

Every node execution produces the following standard output fields. Custom output parameters from the component are stored inside datalist. Use ${node_name.datalist.*} to retrieve all output values.

Parameter	Data type	Description
`datalist`	JSONArray	Output parameters produced by the action. Custom component outputs are also stored here.
`total_data_successful`	Int	Number of data entries successfully processed
`total_data`	Int	Total number of data entries processed
`total_data_with_dup`	Int	The volume of data that is successfully processed and deduplicated during the action execution
`total_exe_successful`	Int	Number of times the action completed successfully
`total_exe`	Int	Total number of times the action ran
`status`	Boolean	Execution status: `true` (success) or `false` (failure)
`messageForUser`	String	Error message shown to the user if the action fails
`message`	String	Internal system error message if the action fails
`failed_exe_detail`	String	Detailed error information if the action fails

Parameter formats

Node input parameters support three basic formats — constants, variables, and expressions — and any combination of them.

Format	Description	Example
Constant	A fixed string value	`Ali`
Variable	Extracts a value from playbook input parameters or an upstream node's output	`${event.aliuid}`
Expression	Evaluates an embedded Java expression or built-in function. Format: `<%=expression%>`	`<%=26060%>`, `<%=currentTime()%>`
Combination	Mixes constants, variables, and expressions in a single string	`Ali_${event.aliuid}_<%=currentTime()%>_<%=26060%>` resolves to `Ali_<aliuid>_<timestamp>_7200`

Expressions can also embed variables. For example:

<%=formatTimeStamp(secondstamp_add(${DateTime:event.datalist.*.gmt_create},-600L),"yyyy-MM-dd'T'HH:mm:ss.SSSXXX")%>

This reads gmt_create from the start node output, subtracts 600 seconds, and formats the result as an ISO 8601 timestamp.

Built-in functions

All expressions use Java syntax. Functions are grouped by category below.

Time functions

Function	Description	Example	Output
`currentTime()`	Returns the current timestamp	`<%=currentTime()%>`	`2025-06-05 10:30:00`
`currentTimeToMs()`	Returns the current timestamp in milliseconds	`<%=currentTimeToMs()%>`	`1749091369688`
`currentHourToMs()`	Returns the millisecond timestamp for the start of the current hour	`<%=currentHourToMs()%>`	`1749088800000`
`currentDayToMs()`	Returns the millisecond timestamp for the start of the current day	`<%=currentDayToMs()%>`	`1749052800000`
`secondstamp_add(timestamp, seconds)`	Adds a number of seconds to a timestamp	`<%=secondstamp_add(currentTime(),300L)%>`	`2025-06-05 10:35:00`
`timestampToseconds(timestamp, seconds)`	Adds seconds to a timestamp, then converts to epoch seconds	`<%=timestampToseconds(currentTime(),300L)%>`	`1749099848`
`formatTimeStamp(timestamp, format)`	Formats a timestamp using a Java date pattern	`<%=formatTimeStamp(currentTime(),"yyyyMMdd")%>`	`20250605`
`parseTimeMs(timeStr, format)`	Parses a formatted time string and returns milliseconds	`<%=parseTimeMs("2025-06-05 10:30:32","yyyy-MM-ddHH:mm:ss")%>`	`1749090632000`
`parseTimeMsWDefault(timeStr, defaultMs)`	Parses a time string to milliseconds; returns `defaultMs` if the input is empty	`<%=parseTimeMsWDefault("2025-06-05 10:30:32",1749091369688L)%>`	`1749090632000`

String functions

Function	Description	Example	Output
`toLowerCase(str)`	Converts a string to lowercase	`<%=toLowerCase("TEST")%>`	`test`
`toUpperCase(str)`	Converts a string to uppercase	`<%=toUpperCase("test")%>`	`TEST`
`substring(str, start, end)`	Extracts a substring by start and end index	`<%=substring("012345",0,3)%>`	`012`
`remainStrStartEnd(str, beginSize, endSize)`	Keeps the first `beginSize` and last `endSize` characters, joined by `_____`	`<%=remainStrStartEnd("012345",2,2)%>`	`01_____45`
`replace(str, target, replacement)`	Replaces a substring	`<%=replace("abc123","abc","aaa")%>`	`aaa123`
`splitStr(str, delimiter)`	Splits a string into a list by a delimiter	`<%=splitStr("test,value",",")%>`	`[test,value]`
`splitStrToJsonArray(str, delimiter)`	Splits a string into a JSONArray by a delimiter	`<%=splitStrToJsonArray("test,value",",")%>`	`["test","value"]`
`concatListStr(delimiter, list)`	Concatenates list elements with a delimiter. Use with `splitStr`.	`<%=concatListStr("\|",splitStr("test,value",","))%>`	`test\|value`

Type conversion and utility functions

Function	Description	Example	Output
`toLong(value, default)`	Converts a value to Long; returns `default` if conversion fails	`<%=toLong("1234",12L)%>`	`1234.0`
`toJSONObject(jsonStr)`	Parses a JSON string into a JSONObject	`<%=toJSONObject("{\"name\":\"test\",\"age\":12}")%>`	`{"name":"test","age":12}`
`base64encode(str)`	Encodes a string using Base64	`<%=base64encode("abc")%>`	`YWJj`
`base64decode(str)`	Decodes a Base64 string	`<%=base64decode("YWJj")%>`	`abc`
`isNull(value)`	Returns `true` if the value is null or empty	`<%=isNull("")%>`	`true`

Variable parameters

Use the ${node_name.parameter_path} syntax to reference any preceding node's output. The path follows JSONPath conventions and supports JSON structures of any depth.

Important

Variables can only reference output parameters of a node, not its inputs.
Playbook input parameters equal the start node's output parameters.
The input parameters of the current node are the same as the output parameters of the previous node.
event is the reserved name for the start node. Do not name any component event.

Reference syntax

The examples below all use the following node1 output as the data source:

{
  "datalist": [
    { "person": { "weight": "120", "age": "12" } },
    { "person": { "weight": "121", "age": "13" } }
  ],
  "total_data_successful": 2,
  "total_data": 2,
  "total_exe_successful": 2,
  "total_exe": 2,
  "total_data_with_dup": 2,
  "status": true
}

Pattern	Syntax	Result
Get a system parameter from the start node	`${event._req_uuid}`	Unique ID of the current execution
Get a parent playbook's UUID	`${event.parentTaskUuid}`	Parent's `_req_uuid` (child playbooks only)
Get a scalar field from a node	`${node1.total_data_successful}`	`2`
Get a field from all items in `datalist`	`${node1.datalist.*.person.age}`	`{12,13}`
Get a field from the first item in `datalist`	`${node1.datalist.[0].person.age}`	`12`
Get all values in a nested array field	`${node_name.datalist..parameter1..parameter2}`	All `parameter2` values where `parameter1` is a JSONArray

For datalist-based paths, * means all items; [0] means the first item. The start node uses event instead of a node name: ${event.parameter1.parameter2}.

Tip: Instead of writing variable syntax manually, use the parameter drop-down selector in the input box to generate the correct path after you finish testing.

Data type conversion

During playbook execution, most data is handled as strings. When an action requires a specific type, use ${data_type:data} to convert.

Target type	Description	Supported source types
`Boolean`	Converts to `true` or `false`	Numeric: `1` → `true`, all other values → `false`. String: `"true"`, `"1"`, `"Y"`, `"T"` → `true`; `"false"`, `"0"`, `"N"`, `"F"` → `false`. Other strings cause an error.
`Long`	Converts to a Long integer	Numeric types; strings containing only digits and commas (e.g., `1,000,000`)
`Int`	Converts to an integer	Numeric types
`Double`	Converts to a double-precision float	Numeric types
`String`	Converts to a string	All types
`DateTime`	Converts to a date	Numeric types; strings that are numeric (e.g., `1696487400000`) or in ISO 8601 format (e.g., `2023-10-05 14:30:00`)
`JSONObject`	Extracts key-value pairs from a JSONObject into a new JSONObject. Output format: `{"fieldname":"fieldValue",...}`	JSONObject only
`JSONArray`	Extracts key-value pairs from a JSONObject into a JSONArray. Output format: `[{"fieldname":"fieldValue",...}]`	JSONObject only
`JSONObjectStr`	Converts a JSONObject to its string representation	JSONObject
`JSONArrayStr`	Converts a JSONArray to its string representation	JSONArray

Examples

The following examples use the same node1 output defined in the Reference syntax section.

Input (single JSONObject): {"src_ip":"127.0.0.1","dst_ip":"127.0.0.2","msg":"hello"}

Expression	Result
`${JSONObject:event}`	The entire event as a JSON string
`${JSONObject:event.src_ip}`	`{"src_ip":"127.0.0.1"}`
`${JSONObject:event.src_ip\|msg}`	`{"src_ip":"127.0.0.1","msg":"hello"}`
`${JSONArray:event}`	The entire event as a JSONArray
`${JSONArray:event.src_ip}`	`[{"src_ip":"127.22.22.1"}]`
`${JSONArray:event.src_ip\|msg}`	`[{"src_ip":"127.0.0.1","msg":"hello"}]`

Input (JSONArray in datalist): {"datalist":[{"src_ip":"127.0.0.1","dst_ip":"127.1.0.1","msg":"hello"},{"src_ip":"127.1.0.1","dst_ip":"127.1.0.1","msg":"hello"}]}

Expression	Result
`${JSONObject:event.datalist.*.src_ip}`	Expands to multiple rows; each row: `{"src_ip":"127.x.0.1"}`
`${JSONObject:event.datalist.*.src_ip\|msg}`	Expands to multiple rows; each row: `{"src_ip":"127.x.0.1","msg":"hello"}`
`${JSONArray:event.datalist.*.src_ip}`	`[{"src_ip":"127.0.0.1"},{"src_ip":"127.1.0.1"}]`
`${JSONArray:event.datalist.*.src_ip\|msg}`	`[{"src_ip":"127.0.0.1","msg":"hello"},{"src_ip":"127.1.0.1","msg":"hello"}]`

Parameter processing and node execution flow

Each node goes through three stages after all required upstream nodes finish executing.

Stage 1: Extract input parameters

The system resolves the node's input configuration against the actual outputs of upstream nodes and the playbook's input parameters to produce one or more sets of concrete input values.

Stage 2: Deduplicate and execute

If the resolved input produces multiple identical parameter sets, the system deduplicates them before execution. The action then runs once for each unique parameter set.

When an input expression resolves to multiple values (for example, ${node1.datalist.*.ip} matching five IP addresses), the action runs once per value automatically. No loop logic is needed in the playbook. Example: To run "Purge Malicious File" on all servers of a compromised application, set the Server IP parameter to ${node1.datalist.*.ip}. The system executes the action on each IP address without any additional configuration.

Stage 3: Aggregate and deduplicate output

Results from all action executions are merged into a single output. The system deduplicates entries where every field is identical.

Example:

Before deduplication	After deduplication
`[{"a":"11","b":"22"},{"a":"11","b":"22"},{"a":"11","b":"33"}]`	`[{"a":"11","b":"22"},{"a":"11","b":"33"}]`

Parameter extraction rules

Single data source

A JSON structure of any depth is treated as a tree. Extraction follows these rules:

Any depth: Data is extracted regardless of how deeply it is nested.
Sibling relationships are preserved: Fields at the same level in the JSON structure remain paired.
Ancestor nodes are expanded: When a parent node has multiple children, it expands to match the child count.
Non-sibling, non-ancestor nodes form a Cartesian product: When two fields have no sibling or ancestor relationship, every combination is produced.

Multiple data sources

When a node references parameters from multiple upstream nodes, the system applies a Cartesian product across the extraction results of each source.