Generate Code with Quarterback AI Agent
Orchestrate introduces the Quarterback AI Agent that empowers you to leverage AI and generate Python code using prompts. You can use the Quarterback AI Agent-generated Python code to develop custom action and condition nodes to build playbooks. Using the Quarterback AI Agent, you can create custom code with speed and accuracy, significantly reducing manual coding time and improving productivity.
Note
This feature is available in Orchestrate Next Gen v3.12.7 onwards and is currently in Beta.

Before you Start
Ensure you have configured the OpenAI app and instance in Apps > Appstore. For more information, see Install and Configure the OpenAI App.
How does it work?
When creating a playbook, you may need to write custom Python code to parse important alerts, chunk lists, convert timestamps, and handle many other cases. For example, you might want to write a function to parse IP address details from a SIEM JSON alert. In such cases, you can enter a prompt for the Quarterback AI Agent to generate the required code.
For examples of AI Assist prompts and responses to help you get started, see Example Prompts to Generate Code with Quarterback AI Agent.
Where can you use Quarterback AI Agent Code Generator?
You can create custom Python code on custom action nodes and custom condition nodes.
To know how to use Quarterback AI Agent for custom action nodes, see Action Nodes.
To know how to use Quarterback AI Agent for custom condition nodes, see Condition Node.
Example Prompts to Generate Code with Quarterback AI Agent
The following are example prompts to help you create custom code using the Quarterback AI Agent. You can create and insert custom code on Action Nodes and Condition Nodes.
Note
The following example responses are for representation purposes only.
Prompt: Write a Python function to parse important details from an SIEM JSON alert.
Response:
```python
import json


def script_function(siem_json_alert):
    # Parse important details from SIEM JSON alert
    alert_data = json.loads(siem_json_alert)
    alert_id = alert_data.get('alert_id')
    alert_type = alert_data.get('alert_type')
    source_ip = alert_data.get('source_ip')
    destination_ip = alert_data.get('destination_ip')
    timestamp = alert_data.get('timestamp')

    # Return parsed details
    return alert_id, alert_type, source_ip, destination_ip, timestamp
```
Description:
This function simplifies the extraction of key details from SIEM alerts in JSON format by encapsulating the parsing logic in a single function. For example, when a playbook node receives an alert in JSON format, you can call this function to return the relevant details, making it easier to use the data in subsequent steps of the workflow.
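The generated parser returns whatever the alert contains, so a later playbook step may receive `None` or a malformed address. The following is an added example, not Quarterback AI Agent output or Orchestrate code, that validates the same five fields before returning them; the ISO 8601 timestamp format and the sample alert are assumptions constructed for illustration.

```python
import ipaddress
import json
from datetime import datetime

REQUIRED = ("alert_id", "alert_type", "source_ip", "destination_ip", "timestamp")


def script_function(siem_json_alert):
    """Parse a SIEM JSON alert and validate its fields; raise ValueError if bad."""
    try:
        alert = json.loads(siem_json_alert)
    except json.JSONDecodeError as exc:
        raise ValueError(f"alert is not valid JSON: {exc}") from exc
    if not isinstance(alert, dict):
        raise ValueError("alert must be a JSON object")

    # Every field must be present and be a non-empty string.
    bad = [f for f in REQUIRED if not isinstance(alert.get(f), str) or not alert[f]]
    if bad:
        raise ValueError("missing or non-string fields: " + ", ".join(bad))

    parsed = {"alert_id": alert["alert_id"], "alert_type": alert["alert_type"]}
    for field in ("source_ip", "destination_ip"):
        # ip_address() accepts only literal IPv4/IPv6 addresses and raises
        # ValueError for hostnames, CIDR ranges or arbitrary text.
        parsed[field] = str(ipaddress.ip_address(alert[field].strip()))

    # Assumption: timestamps are ISO 8601 strings with an explicit offset.
    parsed["timestamp"] = datetime.fromisoformat(alert["timestamp"])
    return parsed


# Constructed sample alert (documentation address ranges, not real data).
SAMPLE_ALERT = json.dumps({
    "alert_id": "A-1001",
    "alert_type": "port_scan",
    "source_ip": "192.0.2.10",
    "destination_ip": "198.51.100.7",
    "timestamp": "2024-05-01T12:30:00+00:00",
})

if __name__ == "__main__":
    print(script_function(SAMPLE_ALERT))
```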
Prompt: Write a function to extract and convert data formats (JSON) from structure A to structure B. Make the extraction function generic, and do not hardcode any values. Add all imports needed.
structure a
{
  "entities": "{\"Ryuk\": \"malware\"}",
  "code": 1200,
  "status": "ok",
  "reason": "Success"
}
structure b
{
  "malware": "Zeus"
}
Response:
```python
import json


def script_function(siem_json_alert):
    # Parse important details from SIEM JSON alert
    alert_data = json.loads(siem_json_alert)
    alert_id = alert_data.get('alert_id')
    alert_type = alert_data.get('alert_type')
    source_ip = alert_data.get('source_ip')
    destination_ip = alert_data.get('destination_ip')
    timestamp = alert_data.get('timestamp')

    # Return parsed details
    return alert_id, alert_type, source_ip, destination_ip, timestamp
```
Description:
The script_function takes Structure A as input, extracts the entities field, and converts it into Structure B. The function is written generically, without hardcoding values, so it can transform any key–value pairs within entities into the required format. This example demonstrates how to convert between different JSON structures while preserving flexibility.
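The response printed for this prompt repeats the SIEM alert parser, so here is an added example (not Quarterback AI Agent output or Orchestrate code) of the conversion the description refers to. It assumes structure B maps each entity type to the entity name, as the prompt's two structures suggest, and that several names of the same type are collected into a list; the sample input is constructed.

```python
import json


def script_function(structure_a):
    """Convert structure A ({"entities": "<JSON string>", ...}) to structure B."""
    # Accept either a JSON string or an already-decoded dict.
    if isinstance(structure_a, (str, bytes)):
        structure_a = json.loads(structure_a)
    if not isinstance(structure_a, dict):
        raise ValueError("structure A must be a JSON object")

    entities = structure_a.get("entities", {})
    # In structure A the entities field is itself a JSON-encoded string,
    # so it needs a second decode before it can be iterated.
    if isinstance(entities, str):
        entities = json.loads(entities) if entities.strip() else {}
    if not isinstance(entities, dict):
        raise ValueError("entities must decode to a JSON object")

    structure_b = {}
    for name, entity_type in entities.items():
        if not isinstance(entity_type, str):
            raise ValueError(f"entity type for {name!r} is not a string")
        if entity_type not in structure_b:
            structure_b[entity_type] = name
        elif isinstance(structure_b[entity_type], list):
            structure_b[entity_type].append(name)
        else:
            # Assumption: a second name of the same type turns the value into a list.
            structure_b[entity_type] = [structure_b[entity_type], name]
    return structure_b


# Constructed sample input in the shape of structure A from the prompt.
SAMPLE_A = json.dumps({
    "entities": json.dumps({"Ryuk": "malware"}),
    "code": 1200,
    "status": "ok",
    "reason": "Success",
})

if __name__ == "__main__":
    print(script_function(SAMPLE_A))
```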
Prompt: Write a function to chunk a list of items based on a max chunk size. Return a list of lists.
Response:
```python
def script_function(items, max_chunk_size):
    chunked_list = []
    for i in range(0, len(items), max_chunk_size):
        chunked_list.append(items[i:i + max_chunk_size])
    return chunked_list
```
Description:
This function splits a list into smaller chunks based on a specified maximum size. It is especially useful for processing large datasets in smaller, manageable batches.
Prompt: Create a function to determine if a given timestamp is older than 24 hours. Return true if it is, otherwise return false.
Response:
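```python
import datetime


def script_function(timestamp: datetime.datetime) -> bool:
    # Use the timestamp's own tzinfo so that naive and timezone-aware
    # inputs can both be compared against the current system time.
    current_time = datetime.datetime.now(tz=timestamp.tzinfo)
    time_difference = current_time - timestamp
    return time_difference.total_seconds() > 24 * 60 * 60
```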
Description:
This function checks whether a given timestamp is older than 24 hours by comparing it to the current system time. It encapsulates the verification logic in a reusable function that returns True if the timestamp is older than 24 hours, and False otherwise.
Prompt: Write a function to convert timestamps to YYYY-MM-DD:HH
Response:
```python
import datetime


def script_function(timestamps: list) -> list:
    formatted_timestamps = []
    for ts in timestamps:
        # Interpret each Unix timestamp as UTC and format it as YYYY-MM-DD:HH
        formatted_ts = datetime.datetime.fromtimestamp(
            ts, tz=datetime.timezone.utc
        ).strftime('%Y-%m-%d:%H')
        formatted_timestamps.append(formatted_ts)
    return formatted_timestamps
```
Description:
This code takes a list of Unix timestamps and converts each one into a human-readable date and time string. The output format is YYYY-MM-DD:HH, where YYYY represents the year, MM the month, DD the day, and HH the hour in 24-hour format. The function returns a list of formatted strings, making it easy to work with multiple timestamps at once.
Prompt: Write a function to convert a list of lists into a CSV file, assuming the first list is the headers.
Response:
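```python
import csv


def script_function(data: list, filename: str = 'output.csv') -> str:
    # The first inner list is the header row; the rest are data rows
    with open(filename, 'w', newline='') as file:
        writer = csv.writer(file)
        writer.writerows(data)
    # Return the name of the generated file
    return filename
```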
Description:
This code converts a list of lists into a CSV file, using the first list as headers. The function writes all the data to the specified file (default: output.csv) and returns the name of the generated file.