Condition Node
A condition node executes a branch of a Playbook based on conditional expressions. Condition nodes can also include sub-conditions, allowing more complex logical expressions to be constructed. Sub-conditions are connected by logical operators such as AND and OR.
You can add and configure the following condition nodes:
Regular Condition Node
The regular condition node is used to execute a branch of a playbook based on standard conditional expressions such as equals, greater than, less than, and more.
For example, you can configure a regular condition node to compare the threat level (low or high) of an indicator from multiple sources and execute a branch of the playbook.
Sample Process
 |
Steps
To configure a regular condition node, follow these steps:
From the Nodes list, drag and drop the Regular Condition node to the canvas.
In the Node Details tab, configure the node details:
In Basic Info, enter the following details:
Node Title: Enter a title for the condition node.
Description: Add a brief description of the node. It is recommended to add a relevant description for the node, as analysts can use this for their reference.
Abort playbook if this node fails: Select this option to terminate the playbook if the node fails to execute.
In Conditions, configure the following parameters:
Condition Name: Enter the condition name.
Field Type: Select a field type from integer, string, boolean, and float.
LHS and RHS values: Enter the left-hand side (LHS) and right-hand side (RHS) values of the condition.
Generate Dynamic Path: You can add a dynamic path in the RHS and LHS fields to retrieve values from other nodes. Click {} (curly braces) in the LHS or RHS field and select relevant options for the following fields:
Nodes: Select a node type, such as App Action, Playbook, Input, or Memory.
Note
If the action node is selected, the default instance is used to generate the dynamic path.
Node: Select a node using the dropdown to generate a dynamic path.
Response Keys: Select the response key to retrieve values from the selected node.
Note
If custom output is configured for the selected node, you can choose from the defined keys.
Preview: View the generated dynamic path before adding it. The dynamic path is generated based on the options you have selected for Node, Response Key, and more.
To add the dynamic path in the Input Data, click Add. The values for the dynamic path will be retrieved automatically during the playbook execution.
To add a field, click Add Field.
Operators: Select one of the following supported operators for each field type.
Equals (=): Condition is true if the value on the LHS is the same as the value on the RHS.
Greater Than (>): Condition is true if the value on the LHS is greater than the value on the RHS.
Greater Than Equals (>=): Condition is true if the value on the LHS is greater than or equal to the value on the RHS.
Less Than (<): Condition is true if the value on the LHS is less than the value on the RHS.
Less Than Equals (<=): Condition is true if the value on the LHS is less than or equal to the value on the RHS.
Not Equals (!=): Condition is true if the value on the LHS is not equal to the value on the RHS.
Contains (*az*): Condition is true if any of the string values on the LHS are present on the RHS.
Doesn't Contain!(*az*): Condition is true if the string values on the LHS are not present on the RHS.
Starts with (az*): Condition is true if the string value on the LHS starts with the value in RHS.
Doesn't Start With !(az*): Condition is true if the string value on the LHS does not start with the value in the RHS.
Ends With (*az): Condition is true if the value on the LHS ends with the value on the RHS.
Doesn't End With !(*az): Condition is true if the value on the LHS does not end with the value on the RHS.
To add a condition, click Add Condition. To delete a condition, click the Delete icon corresponding to the condition.
Click Save.
Custom Condition Node
The custom condition node is used to execute a branch of a Playbook based on custom conditions that cannot be expressed using a regular condition node. Custom node is developed using a Python code editor that allows for the creation of custom tests and other logic.
For example, you can configure a custom condition node to check threat enrichment results and, based on threat levels such as low or high, execute a branch of the Playbook.
Steps
To configure a custom condition node, follow these steps:
From the Nodes list, drag and drop the Custom Condition node to the canvas.
In the Node Details tab, configure the node details:
In Basic Info, enter the following details:
Node Title: Enter a title for the condition node.
Description: Add a brief description of the node. It is recommended to add a relevant description for the node, as analysts can use this for their reference.
Abort playbook if this node fails: Select this option to terminate the playbook if the node fails to execute.
In Conditions, configure the following parameters:
Condition Name: Enter the condition name.
Key and Value: Define input for the custom condition as a key-value pair. To add a parameter, click Add Parameter.
Generate Dynamic Path: You can add a dynamic path to retrieve values from other nodes. Click {} (curly braces) in the Value field and select relevant options for the following fields:
Nodes: Select a node type, such as App Action, Playbook, Input, and Memory, to generate the dynamic path.
Note
If the action node is selected, the default instance is used to generate the dynamic path.
Node: Select a node using the dropdown to generate a dynamic path.
Response Keys: Select the response key to retrieve values from the selected node.
Note
If custom output is configured for the selected node, you can choose from the defined keys.
Preview: View the dynamic path generated based on the options selected for Node, Response Key, and other fields before adding it as Input Data.
Custom Code: Write the custom code (Python) or insert a code snippet from the Resource Library. For more information, see Code Snippets.
To insert a code snippet, click Code Snippet and select a snippet from the list. You can modify the code snippet and click Insert Snippet. Inserting the snippet code will replace any existing information. You can also Copy the code and use it.
The script internally uses the following parameters:
Import Statements: Imports the internal Python modules defined in Python Module Index and the external Python modules such as xmltodict==0.12.0, feedparser==6.0.4, and json2html==1.3.0.
def script_function: This is a built-in function that cannot be modified.
(**parameters): Define input parameters inside the container (), as per the requirement.
Write your custom code here: Write the custom Python code here, as per your requirement.
Return: Define the return values, as per your requirement.
To add a condition, click Add Condition. To delete a condition, click the Delete icon corresponding to the condition.
Click Save.
Manage Code Snippets
You can perform the following actions to manage code snippets inside a condition node:
Copy: To copy the code snippet and use it, click More and select Copy.
Save as Code Snippet: When you modify an existing code, the snippet code can be saved as a new code snippet. To save a modified snippet as a new snippet, click More and select Save as Code Snippet. Enter a name for the snippet and description, and click Save.
Clear All: To clear the existing code, click More and select Clear All.