
Overview
The Security Flow Waiter, Remove Pending Action, and Sync nodes provide the ability to manage an Incident by allowing for a user decision point, flow based removal of decision points, and synchronization points to manage manual and automated decision making. The changes made by the nodes are viewable on the Incident Timeline, Incidents Screen, and the Incidents List. For more information on status changes see Incident Statuses and Transitions.
Functionality
The Pending Action & Sync nodes expose the following functionality:
- Pause a flow at a synchronization point until all messages are processed and, optionally, all pending actions are completed via the
NL Sync
node. - Create pending actions, user decision points, via the
NL Waiter
node. - Remove existing pending actions via the
NL Remove Pending Action
node.
Flow Nodes
The display name of the node within the flows.
Use the Priority
field to order pending actions within an incident timeline. The priority is used to sort pending actions from highest value to lowest value. A higher priority value will show up above other pending actions in the incident timeline and, conversely, lower priority values will appear below other pending actions. The sorting applies to the view within a timeline and works across pending actions, regardless of the NL-Waiter
.
If Batch Pending Actions
is checked, pending actions with the same Incident ID will be batched into one pending action instead of one pending action per message received at the NL Waiter node.
Additionally, Batch On Field
further ensures that batching is based on more than just the Incident ID. Batching is based on the value of the selected Batch Field
. The field may be an object consisting of a hierarchy of data as well. Batch On Field
mode is the recommend default configuration when dealing with Indicators of Compromise (IoCs).
Perform Batch on Field Across Incidents
provides a mode of operation to process all pending actions across incidents with the same Batch Field
on the same waiter node. When selected, all incidents waiting on the exact same field value will continue on with a single click irrespective of the Incident ID.
Configured Outputs defines the list of outputs. There must always be at least two outputs. If less than two outputs are defined, additional defaults are added in automatically until two outputs are defined.
- Output Label: The output label for the output. This label is also used for this path’s button when viewing on the Incident related UI pages.
- Button Color: The button color for the output on the Incident related UI pages.
- Button Icon: The button icon for the output on the Incident related UI pages.
- All messages have finished processing throughout the rest of the flows.
- A small delay has elapsed before continuing. This is to handle asynchronous messages coming from broadcast nodes. For example, the Virus Total integration may be configured to respond at a rate of once every 15 seconds.
NL-Waiter
nodes for the message are processed.
The display name of the node within the flows.
When Group By Message ID
is checked and Merge Grouped Messages
is unchecked, any messages arriving at this node will be grouped by message ID and only the first message received is passed along. This is useful for onetime processing in a flow after this synchronization point. If Group By Message ID
is unchecked, every arriving message object will be passed along from this node regardless of message ID (msg._msgid
).
When both Group By Message ID
and Merge Grouped Messages
are checked, non-conflicting portions of the messages are merged together. Conflicting portions of the message are overwritten at deepest level possible. This is useful for combining information from disparate flow pathways back into a single merged message.
The number of seconds the node waits before the message is passed on, if all conditions are met.
By default, Pending Actions (NL Waiter)
is checked. When checked, this node will block until every pending action has had a decision made. If unchecked, this node will not use pending actions to determine if blocking should be performed.
Remove Mode
and, optionally, based on the Batch Field
. This node is useful for flows in which one decision can determine the behavior of the rest of the flow. For example, consider a phishing email containing a large number of unknown Indicators of Compromise (IoCs) within it. Those unknown IoCs are waiting for a decision to be made. Once a decision is made to distrust a single IoCs, the entire phishing email can be considered untrusted. The display name of the node within the flows.
If Batch On Field
is checked, the Batch Field
must be supplied. This configuration is useful when a flow pathway trusts an Indicator of Compromise (IoC) after another pathway in the flow ended up at a NL-Waiter
node requiring a choice. This allows for the clearing of a single pending action request based on the batched value.
As defined by status transition rules in the system, a waiting Incident can not be closed until all pending actions are addressed. This node will clear out all the desired pending actions based on the selected Remove Mode
.
- Selected NL Waiter(s): Pending actions for the Incident blocked at the designated
NL-Waiter
nodes on the same tab. This is a safer mode of operation. - All Pending Actions: All pending actions for the Incident.
Learn More
Success
The flow used for this example is highlighted in orange.
The NL Waiter
nodes (6a, 6b, 6c) create the pending actions with the payload, timestamp, and configured buttons as shown below.
The NL Remove Pending Action
node used in this example is configured to remove all pending actions when the ‘Clear’ pathway is selected from one of the NL Waiter
nodes. The following entries are added to the Incident Timeline as shown below.
Metro Office Park
2950 Metro Drive, Suite 104
Bloomington, MN 55425
Phone: +1 952-500-8921
©Nevelex Labs, LLC. 2018-2021, All Rights Reserved.
EULA