Condition Node
A condition node executes a branch of a Playbook based on conditional expressions. Condition nodes can also include sub-conditions, allowing more complex logical expressions to be constructed. Sub-conditions are connected by logical operators such as AND and OR.
You can add and configure the following condition nodes:
Regular Condition Node
The regular condition node is used to execute a branch of a playbook based on standard conditional expressions such as equals, greater than, less than, and more.
For example, you can configure a regular condition node to compare the threat level (low or high) of an indicator from multiple sources and execute a branch of Playbook.
Sample Process
 |
Steps
To configure a regular condition node, do the following:
From the Nodes list, under Condition, drag and drop the Regular to the canvas.
Enable Abort Playbook If This Node Fails to terminate the Playbook if the node fails to execute.
Under Define your conditions, configure the following parameters:
Condition Name: Enter the condition name.
Field Type: Select a field type from integer, string, boolean, and float.
LHS and RHS values: Enter the left-hand side (LHS) and right-hand side (RHS) values of the condition.
Operators: Select one of the following supported operators for each field type.
Equals (=): Condition is true if the value on the LHS is the same as the value on the RHS.
Greater Than (>): Condition is true if the value on the LHS is greater than the value on the RHS.
Greater Than Equals (>=): Condition is true if the value on the LHS is greater than or equal to the value on the RHS.
Less Than (<): Condition is true if the value on the LHS is lesser than the value on the RHS.
Less Than Equals (<=): Condition is true if the value on the LHS is less than or equal to the value on the RHS.
Not Equals (!=): Condition is true if the value on the LHS is not equal to the value on the RHS.
Contains (*az*): Condition is true if any of the string values on the LHS is present on the RHS.
Doesn't Contain !(*az*): Condition is true if the string values on the LHS are not present on the RHS.
Starts with (az*): Condition is true if the string value on the LHS starts with the value in RHS.
Doesn't Start With !(az*): Condition is true if the string value on the LHS does not start with the value in RHS.
Ends With (*az): Condition is true if the value on the LHS ends with the value on the RHS.
Doesn't End With !(*az): Condition is true if the value on the LHS does not end with the value on the RHS.
Sub-expression: You can click Expression, select from either AND or OR, and configure the condition expression.
Under Describe This Node, add a brief description of the node. It is recommended to add a relevant description for the node as analysts can use this for their reference, and click Save.
Custom Condition Node
The custom condition node is used to execute a branch of a Playbook based on custom conditions that cannot be expressed using a regular condition node. Custom node is developed using a python code editor that allows for the creation of custom tests and other logic.
For example, you can configure a custom condition node to check threat enrichment results and based on threat levels such as low or high, execute a branch of the Playbook.
Sample Process
Steps
To configure a custom condition node, do the following:
From the Nodes list, under the Condition node, drag and drop the Custom to the canvas.
Choose to enable Abort Playbook If This Node Fails to terminate the Playbook if the node fails to execute.
Under Define your conditions, configure the following parameters:
Condition Name: Enter the condition name.
Click +Parameter and define input for the custom condition as key-value pair.
Write Your Custom Condition Here: Write the custom code (Python) or insert a code snippet from the Resource Library. For more information, see Code Snippets.
To insert a code snippet, click Select Code Snippet and select a snippet from the list. You can modify the code snippet and click Save as Snippet. Modifying the inserted code breaks the reference with the selected code snippet.
The script internally uses the following parameters.
Import Statements: Imports the internal Python modules defined in Python Module Index and the external Python modules such as xmltodict==0.12.0, feedparser==6.0.4, and json2html==1.3.0.
def script_function: This is the default calling function that cannot be modified.
(**parameters): Define input parameters inside the container (), as per the requirement.
Write code here: Write the custom Python code here, as per the requirement
Return: Define the return values, as per requirement.
To create custom code using AI Assist, click AI Assist and enter your prompt as a description. The AI Assist tool creates a custom code based on your prompt.
AI Assist makes it easier for developers to write code custom code by entering a prompt describing what the code should do, and AI Assist automatically generates the code. It can also verify your code and translate code from one programming language to another. See example prompts to get started with AI Assist.
To view the previous response, click Revert to previous response. This will undo the latest response and revert to the previous one. Please note that you can only revert to the immediate previous response.
To insert the AI-generated code into your custom node, click Insert Code in Custom Node.
Note
The token limit will reset at midnight (00:00 Hrs UTC) every day automatically.
Click +Condition to add additional conditions.
Under Describe This Node, add a brief description of the node. It is recommended to add a relevant description for the node as analysts can use this for their reference, and click Save.