×
Built-In: Pending Action & Sync Nodes
Nevelex Labs Logo

Overview

The Security Flow Waiter, Remove Pending Action, and Sync nodes provide the ability to manage an Incident by allowing for a user decision point, flow based removal of decision points, and synchronization points to manage manual and automated decision making. The changes made by the nodes are viewable on the Incident Timeline, Incidents Screen, and the Incidents List. For more information on status changes see Incident Statuses and Transitions.

Functionality

The Pending Action & Sync nodes expose the following functionality:

  • Pause a flow at a synchronization point until all messages are processed and, optionally, all pending actions are completed via the NL Sync node.
  • Create pending actions, user decision points, via the NL Waiter node.
  • Remove existing pending actions via the NL Remove Pending Action node.

Flow Nodes

Changes the status of an Incident to indicate it is waiting for some type of user confirmation to continue the processing of the message within the flow. This process creates what is called a pending action. A SOC Analyst / user should look at the the Security Flow Incident timeline pending action to determine the desired outbound path of the message.
Property
Description
Name

The display name of the node within the flows.

Priority

Use the Priority field to order pending actions within an incident timeline. The priority is used to sort pending actions from highest value to lowest value. A higher priority value will show up above other pending actions in the incident timeline and, conversely, lower priority values will appear below other pending actions. The sorting applies to the view within a timeline and works across pending actions, regardless of the NL-Waiter.

Batching

If Batch Pending Actions is checked, pending actions with the same Incident ID will be batched into one pending action instead of one pending action per message received at the NL Waiter node.

Additionally, Batch On Field further ensures that batching is based on more than just the Incident ID. Batching is based on the value of the selected Batch Field. The field may be an object consisting of a hierarchy of data as well. Batch On Field mode is the recommend default configuration when dealing with Indicators of Compromise (IoCs).

Perform Batch on Field Across Incidents

Perform Batch on Field Across Incidents provides a mode of operation to process all pending actions across incidents with the same Batch Field on the same waiter node. When selected, all incidents waiting on the exact same field value will continue on with a single click irrespective of the Incident ID.

Configured Outputs (at least two)

Configured Outputs defines the list of outputs. There must always be at least two outputs. If less than two outputs are defined, additional defaults are added in automatically until two outputs are defined.

  • Output Label: The output label for the output. This label is also used for this path’s button when viewing on the Incident related UI pages.
  • Button Color: The button color for the output on the Incident related UI pages.
  • Button Icon: The button icon for the output on the Incident related UI pages.
A synchronization point in the flows to ensure all messages (msg objects) and, if desired, pending actions have completed processing before the node lets the message(s) through. When a message (msg object) arrives, the message is blocked until the following conditions are met:
  • All messages have finished processing throughout the rest of the flows.
  • A small delay has elapsed before continuing. This is to handle asynchronous messages coming from broadcast nodes. For example, the Virus Total integration may be configured to respond at a rate of once every 15 seconds.

Messages may also be conditionally blocked until all pending actions from the NL-Waiter nodes for the message are processed.

If Group By Message ID is unchecked and Join Messages is unchecked, every arriving message object will be passed along from this node regardless of message ID (msg._msgid).

If Group By Message ID is unchecked and Join Messages is checked, the first message is used as the template message and the data found at Combine Each is converted to an array. In a similar fashion to the join node, the Combine Each data from the remaining messages with the same message ID (msg._msgid) are appended to the array. A single message is passed along with an array in the Combine Each location.

If Group By Message ID is checked and Merge Grouped Messages is unchecked, only the first message object identified by message ID (msg._msgid) will be passed along from this node. Grouping is a useful mechanism to prevent multiple versions of the same message ID from reaching a point in the flow. This is useful for limiting operations which should only be done once for a message, such as an Office 365 (O365) Security and Compliance search.

If both Group By Message ID and Merge Grouped Messages are checked, non-conflicting portions of the message objects identified by message ID (msg._msgid) are merged together and a single merged message is passed along from this node. This is useful for combining information from disparate flow pathways back into a single message.

Property
Description
Name

The display name of the node within the flows.

Group By Message ID

Determines if messages are grouped together prior to sending out. If this is unchecked and Join Messages is unchecked, every arriving message object will be passed along from this node regardless of message ID (msg._msgid).

If Group By Message ID is checked and Merge Grouped Messages is unchecked, only the first message object identified by message ID (msg._msgid) will be passed along from this node. Grouping is a useful mechanism to prevent multiple versions of the same message ID from reaching a point in the flow. This is useful for limiting operations which should only be done once for a message, such as an Office 365 (O365) Security and Compliance search.

If both Group By Message ID and Merge Grouped Messages are checked, non-conflicting portions of the message objects identified by message ID (msg._msgid) are merged together and a single merged message is passed along from this node. This is useful for combining information from disparate flow pathways back into a single message.

Join Messages

When Group By Message ID is unchecked, this option is available for selection. If Join Messages is checked, the first message is used as the template message and the data found at Combine Each are converted to an array. In a similar fashion to the join node, all Combine Each data from the remaining messages with the same message ID (msg._msgid) are appended to the array.

While joining sounds similar to the behavior when both Group By Message ID and Merge Grouped Messages are checked, this mode creates an array of received data at Combine Each instead of merging data together.

Merge Grouped Messages

When both Group By Message ID and Merge Grouped Messages are checked, non-conflicting portions of the messages are merged together. Conflicting portions of the message are overwritten at the deepest level possible. This is useful for combining information from disparate flow pathways back into a single merged message.

Combine Each

If Group By Message ID is unchecked and Join Messages is checked, the Combine Each message data must exist in the incoming message and will be combined into an array stored at the same location upon output from this node.

Delay

The number of seconds the node waits before the message is passed on, if all conditions are met.

Pending Actions (NL Waiter)

By default, Pending Actions (NL Waiter) is checked. When checked, this node will block until every pending action has had a decision made. If unchecked, this node will not use pending actions to determine if blocking should be performed.

Removes pending actions from an Incident's timeline based on the selected Remove Mode and, optionally, based on the Batch Field. This node is useful for flows in which one decision can determine the behavior of the rest of the flow. For example, consider a phishing email containing a large number of unknown Indicators of Compromise (IoCs) within it. Those unknown IoCs are waiting for a decision to be made. Once a decision is made to distrust a single IoCs, the entire phishing email can be considered untrusted.
Property
Description
Name

The display name of the node within the flows.

Batch on Field

If Batch On Field is checked, the Batch Field must be supplied. This configuration is useful when a flow pathway trusts an Indicator of Compromise (IoC) after another pathway in the flow ended up at a NL-Waiter node requiring a choice. This allows for the clearing of a single pending action request based on the batched value.

Remove Mode

As defined by status transition rules in the system, a waiting Incident can not be closed until all pending actions are addressed. This node will clear out all the desired pending actions based on the selected Remove Mode.

  • Selected NL Waiter(s): Pending actions for the Incident blocked at the designated NL-Waiter nodes on the same tab. This is a safer mode of operation.
  • All Pending Actions: All pending actions for the Incident.

Learn More

Success

The flow used for this example is highlighted in orange.

The NL Waiter nodes (6a, 6b, 6c) create the pending actions with the payload, timestamp, and configured buttons as shown below.

The NL Remove Pending Action node used in this example is configured to remove all pending actions when the ‘Clear’ pathway is selected from one of the NL Waiter nodes. The following entries are added to the Incident Timeline as shown below.

Nevelex Labs, Main Office

Metro Office Park
2950 Metro Drive, Suite 104
Bloomington, MN 55425
Phone: +1 952-500-8921

©Nevelex Labs, LLC. 2018-2024, All Rights Reserved.

EULA