The Security Flow Waiter, Remove Pending Action, and Sync nodes provide the ability to manage an Incident by allowing for a user decision point, flow based removal of decision points, and synchronization points to manage manual and automated decision making. The changes made by the nodes are viewable on the Incident Timeline, Incidents Screen, and the Incidents List. For more information on status changes see Incident Statuses and Transitions.
The Pending Action & Sync nodes expose the following functionality:
- Pause a flow at a synchronization point until all messages are processed and, optionally, all pending actions are completed, via the Sync node.
- Create pending actions (user decision points) via the NL Waiter node.
- Remove existing pending actions via the NL Remove Pending Action node.
The Sync node releases the flow once:
- All messages have finished processing throughout the rest of the flows.
- A small delay has elapsed before continuing. This handles asynchronous messages coming from broadcast nodes; for example, the VirusTotal integration may be configured to respond at a rate of once every 15 seconds.
- Optionally, all pending actions created by NL Waiter nodes for the message have been processed.
The NL Remove Pending Action node removes pending actions according to its Remove Mode and, optionally, the Batch Field. This node is useful for flows in which one decision can determine the behavior of the rest of the flow. For example, consider a phishing email containing a large number of unknown Indicators of Compromise (IoCs). Each unknown IoC is waiting for a decision to be made. Once a decision is made to distrust a single IoC, the entire phishing email can be considered untrusted, and the remaining pending actions can be removed.
The flow used for this example is highlighted in orange.
The NL Waiter nodes (6a, 6b, 6c) create the pending actions with the payload, timestamp, and configured buttons as shown below.
The NL Remove Pending Action node used in this example is configured to remove all pending actions when the ‘Clear’ pathway is selected from one of the NL Waiter nodes. The following entries are added to the Incident Timeline as shown below.
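The following is an added illustrative model of the behaviour described above, not the product's own node code: an in-memory pending-action registry with the Remove Mode and Batch Field semantics, a Sync readiness check, and the phishing scenario with waiters 6a, 6b and 6c. All class, method and field names (`PendingActions`, `'all'`/`'batch'` modes, `batch`) are assumptions for illustration.

```javascript
// Illustrative model only; names and modes are hypothetical, not the real node API.
class PendingActions {
  constructor() { this.actions = new Map(); } // id -> pending action

  // A Waiter node creates a decision point with payload, timestamp and buttons.
  create(id, payload, buttons, batch) {
    const action = { id, payload, buttons, batch, created: Date.now(), decision: null };
    this.actions.set(id, action);
    return action;
  }

  // A user picks one of the configured buttons; the action is no longer pending.
  decide(id, button) {
    const a = this.actions.get(id);
    if (!a || !a.buttons.includes(button)) throw new Error('unknown action or button');
    a.decision = button;
    this.actions.delete(id);
    return a;
  }

  // Remove Mode 'all' clears every pending action; 'batch' clears only those whose
  // Batch Field value matches (e.g. all IoCs from the same email). Returns the count.
  remove(mode, batchValue) {
    let removed = 0;
    for (const [id, a] of this.actions) {
      if (mode === 'all' || (mode === 'batch' && a.batch === batchValue)) {
        this.actions.delete(id);
        removed++;
      }
    }
    return removed;
  }

  // Sync barrier: no messages in flight and, if required, no pending actions left.
  syncReady(inFlight, requirePendingDone) {
    return inFlight === 0 && (!requirePendingDone || this.actions.size === 0);
  }
}

// Constructed scenario: three unknown IoCs from one email await a decision (6a-6c);
// distrusting one via the 'Clear' pathway removes all remaining pending actions.
function phishingScenario() {
  const p = new PendingActions();
  ['6a', '6b', '6c'].forEach((id, i) =>
    p.create(id, { ioc: `ioc-${i}` }, ['Trust', 'Distrust', 'Clear'], 'email-1'));
  const decided = p.decide('6b', 'Clear');
  const removed = p.remove('all');              // node configured with Remove Mode 'all'
  return { decided: decided.decision, removed, remaining: p.actions.size, ready: p.syncReady(0, true) };
}
```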