Runbook Nodes

Runbook nodesClosed Individual components that make up a runbook automation, each performing a specific function such as data queries, transformations, logic, integrations, or visualizations. are the building blocks of runbooks. Each node performs a specific role in the runbookClosed An automated workflow that executes a series of steps or tasks in response to a triggered event, such as the detection of anomalous behavior generating an incident, a lifecycle event, or a manually executed runbook.. You assemble nodes in sequence in the Runbook Editor to define an automated investigation or workflow. When the runbook runs, the nodes execute in order, using data and context from the triggerClosed A set of one or more indicators that have been correlated based on certain relationships, such as time, metric type, application affected, location, or network device. and from earlier nodes. The result is output that helps you understand and act on incidents, on-demand queries, or external calls. For how to add and connect nodes, see Assembling runbook nodes.

The function of runbook nodes

Runbooks automate what would otherwise be manual steps. Nodes query data, apply logic, call external systems, and produce the visualizations and impacts that appear in the runbook result or on the Impact Dashboard. Choosing and ordering the right nodes is how you define what a runbook does. Each node has configurable properties that you set per node instance.

Node categories and types

Nodes are grouped into categories in the Runbook Editor palette. The main types you will use are:

  • Triggers: The entry point of the runbook. A trigger starts the runbook and supplies context (e.g. which incident, which entity, or what input was passed in). See Trigger and Runbook Node Categories for trigger types.

  • Data queries: Nodes that get data (e.g. from Data Ocean or the data store) and pass it to the next nodes. They share common properties such as filters, limits, and metric collection. See Data Query Properties.

  • Logic and functions: Nodes that branch, transform, or aggregate data so the runbook can make decisions or reshape data for downstream nodes.

  • Impacts: Nodes that mark resources as affected by an incident or set incident priority. The results feed the Impact Dashboard and incident details. See Impact Dashboard.

  • Visualizations: Nodes that display data as charts, tables, gauges, or text in the runbook output so you can see what the runbook found.

For the full list of categories and where each type of runbook can use them, see Runbook Node Categories. For which nodes work with which runbook types (Incident, Lifecycle, On-Demand, External, Subflow), see Runbook Node Compatibility Matrix.