
Cyware Orchestrate

Action Nodes

An action node represents a task to be performed as part of a workflow. It can be defined as an action provided by a third-party app or a custom app (app action node), a custom-built action created by the user (custom action node), or a sub-playbook that can be executed as part of the larger playbook (playbook action node).

You can add and configure the following action nodes:

App Action Node

An app action node represents an action provided by a third-party app or a custom app. An app action node contains the list of applications and their respective actions. For example, an app action node could represent a task in a security tool, such as creating a ticket in a ticketing system.

Sample Process

[Screenshot: sample process using an app action node]

Steps

To configure an app action node, do the following:

  1. From the Nodes list, under Action, drag and drop the App node to the canvas.

  2. You can search for an action in two ways: use Search by Apps and then select the required action and the app version, or use Search by Actions directly.

    To add other nodes from a specific node, select the node and click Add Node. You can drag and drop any node type to connect from the existing node.

    Note

    App versions that have not undergone thorough testing and are directly launched on the production appstore are identified as Beta versions. To indicate the Beta version of apps, the Appstore will display the Beta label alongside the app version number on the app details page. If the latest released version of an app is a Beta version, then the My Apps and Appstore listing page will also display the Beta tag for the app. Once applied, the Beta tag remains unchanged and is not removed for an app version.

  3. (Optional) To view details of the app and the supported actions, click View Documentation. The app documentation opens in a new tab.

  4. Configure the following optional parameters:

    1. Abort Playbook If This Node Fails: Select this option to terminate the Playbook if the node fails to execute.

    2. Run Asynchronously: Enable this option to run a node independent of the playbook. Run Asynchronously is available for a playbook action node (sub-playbook) and Cyware agent-enabled app action node. You cannot utilize the output of a playbook node that will run asynchronously as an input to another node of the Playbook workflow.

    3. Action Retry Count: Configure the number of times an action should be automatically re-executed on failure. Analysts can configure the action retry count when temporary node failures are expected, and a retry is likely to succeed, allowing the overall flow to continue and avoid manual intervention. You can configure the action retry count in the range of 1 to 15.

    4. Action Retry Interval: Configure the interval in seconds after which a node can attempt to re-execute a failed action.

  5. Select one or more App Instances to interact with an application. If an app instance is not available for an app, you can also create a new instance from the Playbook canvas by clicking New Instance. For more information, see Add Instances. You can add multiple instances to an app node to retrieve data from multiple instances without configuring a dedicated node for each instance.

    Note

    While adding multiple app instances to a node, you cannot add instances that are agent-compatible and non-agent-compatible simultaneously.

  6. In Setup Input Data, pass the optional or required input values to the app node. You can pass static or dynamic values to an app node. If the input required to execute a node is dependent on the output parameters of another node, you must define the input data using dynamic path expressions. For more information, see Playbook Input and Output.

    You can also choose to configure the following optional parameters:

    1. Save Node Input: Disable this option to exclude the node input from the run logs and optimize data storage.

    2. Iterate over each item: Enable this option to iterate the node execution over a list of input values. For example, this option executes the node for each entry in $LIST[john.doe@example.com, joe.doe@example.com, mark@example.com].

    3. View the dynamic path of other node results: Click {} (curly braces) in any input field to view the dynamic path of other node results, and then customize it based on your requirements.

  7. Under Set Output Data, confirm the following optional configurations:

    1. Save Node Output: Select this option to save the entire node output in run logs.

    2. Save Customized Result: You can choose to save the customized node result. For more information, see Manage Output of a Playbook Node.

  8. Under Describe This Node, add a brief description of the node, and click Save. It is recommended to add a relevant description because analysts can use it for reference.

Best Practices for Using App Action Node
  • Before using an app action in the playbook, refer to the app documentation to understand the app and the associated actions.

  • Leverage the Save Customized Result feature if the data returned from the app action is excessive. This feature allows you to parse and utilize only the required data fields from the result.

  • Disable the Save Node Output to skip saving the excessive output data or if the output is sensitive.

Custom Action Node

A custom action node is a custom-built action created by developers to perform a specific task that is not covered by the app action nodes. Custom action nodes can be developed in the Python code editor and executed through the Playbook canvas.

For example, you can create a custom action node to filter a list of indicators based on specific criteria.

Sample Process

[Screenshot: sample process using a custom action node]

Steps

To configure a custom action node, do the following:

  1. From the Nodes list, under Action, drag and drop the Custom node to the canvas.

    To add other nodes from a specific node, select the node and click Add Node. You can drag and drop any node type to connect from the existing node.

  2. Configure the following optional parameters:

    1. Abort Playbook if this node fails: Select this option to terminate the Playbook if the node fails to execute.

    2. Save Node Output: Select this option to save the entire node output in run logs.

  3. In Setup Input Data, pass the optional or required input values to the node. You can pass static or dynamic values to the node. If the input required to execute a node is dependent on the output parameters of another node, you must define the input data using dynamic path expressions. For more information, see Playbook Input and Output.

    You can also choose to configure the Save Node Input parameter. To optimize data storage, you can choose to exclude the node input from the run logs by disabling this option.

  4. Custom Code: Write the custom code (Python) or insert a code snippet from the Resource Library. For more information, see Code Snippets.

    • To insert a code snippet, click Select Code Snippet and select a snippet from the list. You can choose to preview a code snippet before inserting it. To preview and insert a code snippet, click Preview > Use Snippet.

      You can modify the code snippet and click Save as Snippet. Modifying the inserted code breaks the reference with the selected code snippet. 

      The script internally uses the following parameters.

      • Import Statements: Imports the internal Python modules defined in Python Module Index and the external Python modules such as xmltodict==0.12.0, feedparser==6.0.4, and json2html==1.3.0.

      • def script_function: This is the default calling function that cannot be modified.

      • Write code here: Write the custom Python code here, as per the requirement.

      • Return: Define the return values, as per requirement.

        Example:

        from datetime import date

        def script_function():
            # Default entry point: compute today's date and return it as the node output.
            today = date.today()
            return today
    • To create custom code using AI Assist, click AI Assist, enter your prompt, and click send. The AI Assist tool generates custom code based on your query.

      AI Assist makes it easier for developers to write custom code: you enter a prompt describing what the code should do, and AI Assist automatically generates the code. AI Assist can also verify your code and translate code from one programming language to another. See example prompts to get started with AI Assist.

      • To view the previous response, click the Revert to previous response button. This will undo the latest response and revert to the previous one. Please note that you can only revert to the immediate previous response.

      • To insert the AI-generated code into your custom node, click Insert Code in Custom Node.

      Note

      The token limit resets at midnight (00:00 Hrs UTC) every day automatically.

  5. Under Describe This Node, add a brief description of the node, and click Save. It is recommended to add a relevant description because analysts can use it for reference.

Best Practices for Using Custom Action Node
  • Add comments in the code for better readability and maintenance.

  • Use an action-specific name for the custom node that describes its purpose. For example, Parse Incident Data.

  • Optimize the space and time complexity of the code.

  • Create a custom node to perform a specific task for improved performance and easy maintenance. A custom node that performs multiple tasks may take additional time to execute.
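
The indicator-filtering use case mentioned for custom action nodes, written as an added example (not code from Cyware or its Resource Library). The indicator fields, the allowlist, the confidence threshold, and the way input reaches script_function as a keyword argument named indicators are all assumptions made for illustration.

```python
import ipaddress

ALLOWLISTED_DOMAINS = {"example.com"}  # hypothetical allowlist
MIN_CONFIDENCE = 70                    # hypothetical threshold

SAMPLE = [  # constructed sample input, not real threat data
    {"type": "ip", "value": "8.8.8.8", "confidence": 90},
    {"type": "ip", "value": "10.0.0.5", "confidence": 95},
    {"type": "domain", "value": "mail.example.com", "confidence": 80},
    {"type": "domain", "value": "bad.test", "confidence": 85},
    {"type": "ip", "value": "8.8.8.8", "confidence": 90},
]

def is_routable_ip(value):
    try:
        return ipaddress.ip_address(value).is_global
    except ValueError:  # not a syntactically valid IP address
        return False

def is_allowlisted(domain):
    """Match an allowlisted domain or any of its subdomains."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in ALLOWLISTED_DOMAINS)

def drop_reason(kind, value, conf, seen):
    """Return why an indicator is filtered out, or None to keep it."""
    if (kind, value) in seen:
        return "duplicate"
    if not isinstance(conf, (int, float)) or conf < MIN_CONFIDENCE:
        return "low_confidence"
    if kind == "ip":
        return None if is_routable_ip(value) else "non_routable_or_invalid_ip"
    if kind == "domain":
        return "allowlisted_domain" if is_allowlisted(value) else None
    return "unsupported_type"

def script_function(indicators=None):
    # Assumption: node input arrives as a keyword argument named "indicators";
    # the page does not show how inputs reach script_function.
    kept, dropped, seen = [], [], set()
    for item in indicators or []:
        item = item if isinstance(item, dict) else {"value": item}
        kind = str(item.get("type", "")).lower()
        value = str(item.get("value", "")).strip().lower()
        reason = drop_reason(kind, value, item.get("confidence"), seen)
        if reason:
            dropped.append({"value": value, "reason": reason})
        else:
            seen.add((kind, value))
            kept.append(item)
    return {"kept": kept, "dropped": dropped}
```

Returning the dropped entries with a reason keeps the filtering decision auditable in the run logs, and excluding non-routable addresses and allowlisted domains prevents a downstream blocking action from acting on internal or trusted assets.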

Playbook Action Node

A playbook action node is a sub-playbook that can be executed as part of the larger playbook. This allows you to reuse existing playbooks and keep your playbooks modular and organized.

Note

It is not recommended to create a playbook in which the master playbook and a sub-playbook run in a cycle.

For example, you can add a sub-playbook node to enrich an indicator and pass the indicator details to the master Playbook.

Sample Process

[Screenshot: sample process using a playbook action node]

Steps

To configure a Playbook action node, do the following:

  1. From the Nodes list, under Action, drag and drop the Playbook node to the canvas.

  2. Select a sub-playbook from the drop-down list. You can select only active Playbooks from the list.

    To add other nodes from a specific node, select the node and click Add Node. You can drag and drop any node type to connect from the existing node.

  3. Configure the following optional parameters:

    1. Abort Playbook if this node fails: Select this option to terminate the Playbook if the node fails to execute.

    2. Run Asynchronously: Enable this option to run a node independent of the playbook workflow. Run Asynchronously is available for a playbook action node (sub-playbook) and Cyware agent-enabled app action node. You cannot utilize the output of a playbook node that will run asynchronously as an input to another node of the Playbook workflow.

  4. In Setup Input Data, pass the optional or required input values to the node. You can pass static or dynamic values to the node. If the input required to execute a node is dependent on the output parameters of another node, you must define the input data using dynamic path expressions. For more information, see Playbook Input and Output.

    You can also enable Iterate over each item to iterate the node execution over a list of input values. For example, this option executes the node for each entry in $LIST[john.doe@example.com, joe.doe@example.com, mark@example.com].

  5. Under Describe This Node, add a brief description of the node, and click Save. It is recommended to add a relevant description because analysts can use it for reference.