Generates Confluence Data Center wiki-ready documentation from XSOAR 6.14 playbook definitions. Supports full deep-dive and executive summary detail levels. Includes mermaid.js flow visualization.
This skill supports two documentation modes. Determine the mode from the user's prompt:
| Mode | Trigger Keywords | Default |
|---|---|---|
| Full Deep-Dive | "document", "full documentation", "deep-dive", or unspecified | Yes |
| Executive Summary | "summarize", "executive summary", "overview", "high-level" | No |
If the user's intent is ambiguous (e.g., "look at this playbook"), ask which mode they want.
All output must be formatted for clean rendering in Confluence Data Center:
#, ##, ###) for section structure| col | col |) for all tabular data```mermaid fencing — requires a Confluence mermaid plugin or separate renderingGenerate a mermaid.js flowchart from the playbook's task graph. Follow this algorithm exactly:
graph TD
Use top-down layout. Start from the task referenced by starttaskid.
For each task in the tasks object, create a node using the task's key as the ID and task.task.name as the label. Use shapes to encode task type:
| Task Type | Mermaid Shape | Example |
|---|---|---|
start | Stadium | 0([Start]) |
regular / standard | Rectangle | 5[Enrich Indicator] |
condition | Diamond | 8{Check Severity} |
playbook (sub-playbook) | Double-bordered | 12[[Block Indicators]] |
title (section header) | Filled rectangle | 3[/Enrichment Phase/] |
Terminal (no nexttasks) | Rounded | 15(Close Investigation) |
For each task, iterate its nexttasks map:
#default# branch → plain arrow: 5 --> 68 -->|malicious| 9Tasks with continueonerror: true — add a comment or style annotation:
5[Enrich Indicator]:::errorTolerant
classDef errorTolerant stroke-dasharray: 5 5
Critical: Every task ID referenced in any nexttasks value must appear as a node definition. If a referenced ID is missing from the tasks object, render it as:
99[⚠ Missing Task 99]:::missing
classDef missing fill:#f96,stroke:#333
And flag this in the documentation as a structural issue.
For playbooks with more than 30 tasks, generate a grouped flowchart:
title-type taskssubgraphThis keeps the diagram readable without losing information.
subgraph Enrichment
5[Enrich IP] --> 6[Enrich Domain]
end
subgraph Response
10[Block IP] --> 11[Update Blocklist]
end
Enrichment --> Response
Use this template when generating Full Deep-Dive documentation:
# Playbook Documentation: <playbook name>
**Generated:** <date>
**Playbook Version:** <version from playbook JSON, or "Not specified">
**XSOAR Compatibility:** <fromversion>+
**Total Tasks:** <count of entries in tasks object>
## Table of Contents
- [Overview](#overview)
- [Flow Diagram](#flow-diagram)
- [Playbook Inputs](#playbook-inputs)
- [Playbook Outputs](#playbook-outputs)
- [Task Reference](#task-reference)
- [Sub-Playbooks](#sub-playbooks)
- [Integration Dependencies](#integration-dependencies)
- [Error Handling](#error-handling)
## Overview
<2-4 sentences describing the playbook's purpose, trigger conditions, and expected
outcome. Derive from the playbook description field. If the description is empty
or generic, infer purpose from the task flow and note that the description was inferred.>
## Flow Diagram
` ``mermaid
graph TD
<generated flowchart following the algorithm above>
` ``
**Note:** This diagram requires a Mermaid-compatible renderer. If your Confluence
instance does not have a Mermaid plugin, paste the diagram source into
mermaid.live to generate an image.
## Playbook Inputs
| Name | Description | Default Value | Required | Source |
|------|-------------|---------------|----------|--------|
| <for each entry in the inputs array> |
<If no inputs are defined, state: "This playbook accepts no inputs.">
## Playbook Outputs
| Name | Description | Type |
|------|-------------|------|
| <for each entry in the outputs array> |
<If no outputs are defined, state: "This playbook produces no outputs.">
## Task Reference
<Document each task in execution order (BFS traversal from starttaskid).
Organize by section when title-type tasks are present.>
### <section name, from title task — or "Main Flow" if no title tasks>
#### <task number>. <task name> (ID: <task key>)
| Property | Value |
|----------|-------|
| Type | <regular / condition / playbook / title / standard> |
| Command | <scriptName or script field, or "Manual" if not a command> |
| Integration | <brand field, or "Built-in" / "N/A"> |
| Continue on Error | <Yes / No> |
| Separate Context | <Yes / No — only for playbook-type tasks> |
**Purpose:** <task description field, or inferred purpose if empty — note when inferred>
**Arguments:**
| Argument | Value / Source |
|----------|---------------|
| <for each entry in scriptarguments — show the key and whether the value is literal, from context, or from an input> |
<Omit the arguments table if scriptarguments is empty or absent.>
**Next Tasks:**
- <branch label> → <target task name> (ID: <target id>)
---
## Sub-Playbooks
| Sub-Playbook Name | Called By Task | Separate Context | Inputs Passed |
|-------------------|---------------|------------------|---------------|
| <for each playbook-type task in the tasks object> |
<If no sub-playbooks are called, state: "This playbook does not call sub-playbooks.">
<If the sub-playbook JSON is available in investigation/playbooks/, note:
"Documentation available — run the documentation workflow on this sub-playbook for details.">
## Integration Dependencies
| Integration | Commands Used | Task(s) |
|-------------|--------------|---------|
| <aggregate from all tasks — group by brand, list distinct commands and which tasks use them> |
<If no integrations are used, state: "This playbook uses only built-in commands.">
## Error Handling
**Tasks with `continueonerror: true`:**
<bulleted list with task name and what happens on error>
**Tasks with explicit error branches:**
<bulleted list showing the error path and where it leads>
**Unhandled failure points:**
<bulleted list of tasks that call external APIs/integrations without error handling — these are risks>
<If error handling is comprehensive, state that and explain why.>
Use this template when generating Executive Summary documentation:
# Playbook Summary: <playbook name>
**Generated:** <date>
**Version:** <version>
**Tasks:** <count> | **Sub-Playbooks:** <count> | **Integrations:** <count>
## Purpose
<1-2 sentences describing what this playbook does and when it runs.>
## High-Level Flow
` ``mermaid
graph TD
<simplified flowchart — show only:
- Section headers (title tasks) as nodes
- Key decision points (condition tasks) as diamonds
- Sub-playbook calls as double-bordered nodes
- Start and end nodes
Skip individual regular/standard tasks — represent them as phases.>
` ``
## Key Decision Points
| Decision | Branches | Criteria |
|----------|----------|----------|
| <condition task name> | <branch names, comma-separated> | <brief description of what determines each branch> |
## Dependencies
**Integrations:** <comma-separated list of unique brands>
**Sub-Playbooks:** <comma-separated list of sub-playbook names>
**Automations:** <comma-separated list of unique scriptNames, excluding integration commands>
## Inputs Required
| Name | Required | Description |
|------|----------|-------------|
| <list only required inputs, or top 5 most important if many are defined> |
<If no inputs, state: "This playbook requires no inputs.">
separatecontext is trueinvestigation/playbooks/, reference itloop configuration: forEach target, exit condition, max iterationsdescription field, infer purpose from the command name, script arguments, and position in the flowdescription is empty, note it and provide an inferred overviewinputs or outputs arrays are empty, state it explicitly rather than omitting the sectioninvestigation/docs/ which is gitignored