The Security Flow Waiter, Remove Pending Action, and Sync nodes provide the ability to manage an Incident by allowing for user decision points, flow-based removal of decision points, and synchronization points that coordinate manual and automated decision making. The changes made by the nodes are viewable on the Incident Timeline, Incidents Screen, and the Incidents List. For more information on status changes see Incident Statuses and Transitions.
The Pending Action & Sync nodes expose the following functionality:
- Pause a flow at a synchronization point until all messages are processed and, optionally, all pending actions are completed via the Sync node.
- Create pending actions, user decision points, via the NL Waiter node.
- Remove existing pending actions via the NL Remove Pending Action node.
The Sync node pauses a flow until:
- All messages have finished processing throughout the rest of the flows.
- A small delay has elapsed before continuing. This handles asynchronous messages coming from broadcast nodes. For example, the Virus Total integration may be configured to respond at a rate of once every 15 seconds.
Messages may also be conditionally blocked until all pending actions from the NL Waiter nodes for the message are processed.
If Group By Message ID is unchecked and Join Messages is unchecked, every arriving message object is passed along from this node regardless of message ID (msg._msgid).
If Group By Message ID is unchecked and Join Messages is checked, the first message is used as the template message and the data found at Combine Each is converted to an array. In a similar fashion to the join node, the Combine Each data from the remaining messages with the same message ID (msg._msgid) is appended to the array. A single message is passed along with an array in the Combine Each location.
If Group By Message ID is checked and Merge Grouped Messages is unchecked, only the first message object identified by message ID (msg._msgid) is passed along from this node. Grouping is a useful mechanism to prevent multiple versions of the same message ID from reaching a point in the flow. This is useful for limiting operations which should only be done once per message, such as an Office 365 (O365) Security and Compliance search.
If both Group By Message ID and Merge Grouped Messages are checked, non-conflicting portions of the message objects identified by message ID (msg._msgid) are merged together and a single merged message is passed along from this node. This is useful for combining information from disparate flow pathways back into a single message.
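The four combinations of Group By Message ID, Join Messages and Merge Grouped Messages described above, as an added JavaScript model written for this page (not the product's own code). It assumes Node-RED style messages with a msg._msgid correlation id, a top-level Combine Each property, and that a key set to different values in two grouped messages keeps the first message's value, since the page only says non-conflicting portions are merged.

```javascript
// Constructed model of the Sync node's message-combination modes.
// Assumption: on a conflicting key (both messages set it to different
// values) the first message's value is kept.

const clone = (v) => JSON.parse(JSON.stringify(v));
const isObj = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Deep-merge b into a copy of a. Keys present in both with differing
// non-object values are conflicts and keep a's value (assumed first-wins).
function mergeNonConflicting(a, b) {
  const out = clone(a);
  for (const [k, v] of Object.entries(b)) {
    if (!(k in out)) out[k] = clone(v);
    else if (isObj(out[k]) && isObj(v)) out[k] = mergeNonConflicting(out[k], v);
  }
  return out;
}

// Bucket messages by _msgid, preserving arrival order within each bucket.
function groupByMsgId(msgs) {
  const groups = new Map();
  for (const m of msgs) {
    if (!groups.has(m._msgid)) groups.set(m._msgid, []);
    groups.get(m._msgid).push(m);
  }
  return [...groups.values()];
}

// Returns the messages the Sync node would emit once all `msgs` have
// arrived. combineEach names the top-level "Combine Each" property.
function syncRelease(msgs, { groupById = false, joinMessages = false,
                             mergeGrouped = false, combineEach = 'payload' }) {
  if (!groupById && !joinMessages) return msgs;          // pass everything
  return groupByMsgId(msgs).map((group) => {
    if (!groupById) {                                     // Join Messages
      const out = clone(group[0]);                        // first = template
      out[combineEach] = group.map((m) => clone(m[combineEach]));
      return out;
    }
    if (!mergeGrouped) return group[0];                   // first message only
    return group.reduce(mergeNonConflicting);             // Merge Grouped
  });
}
```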
The NL Remove Pending Action node removes pending actions according to the configured Remove Mode and, optionally, the Batch Field. This node is useful for flows in which one decision can determine the behavior of the rest of the flow. For example, consider a phishing email containing a large number of unknown Indicators of Compromise (IoCs). Those unknown IoCs are waiting for a decision to be made. Once a decision is made to distrust a single IoC, the entire phishing email can be considered untrusted.
The flow used for this example is highlighted in orange.
The NL Waiter nodes (6a, 6b, 6c) create the pending actions with the payload, timestamp, and configured buttons as shown below.
The NL Remove Pending Action node used in this example is configured to remove all pending actions when the ‘Clear’ pathway is selected from one of the NL Waiter nodes. The following entries are added to the Incident Timeline as shown below.