Each step in an automation workflow is an action. The triggering event (for example, “vulnerability detected”) is the first action in an automation; every following action runs after it fires.
Adding a new action
Actions are represented by nodes in the Automation Builder. A new action can be added to the workflow by dragging an edge from the output handle of an existing node. A new empty node will be created and a list of actions will appear in the right side panel. Select the action you want to add and the empty node will update accordingly.
Types of actions
Below is a list of the available actions and what they do:
- Check if condition is true: runs a check to see if a specified condition is true such as “Priority equals High.”
- Compare MAC addresses: compares two specified MAC addresses. The user chooses which of three outcomes makes the condition true: the full addresses are equal, the OUI prefixes (the first three octets) are equal, or the resolved OUIs (the vendors the prefixes resolve to) are equal.
- Send HTTP request: sends an HTTP request to a specified URL.
- Ping Address: sends an ICMP Echo request to a specified IP address from a hub.
- Load an item: loads an item into the automation so that its attributes can be read or updated by subsequent actions. For example, if the triggering event is “when vulnerability detected,” you may want to load the affected device by its MAC address (an output variable of the vulnerability event) to check whether it is a high priority asset.
- Add a type to an item: associates an item with an item type.
- Change an item attribute: identifies an item to update and the associated attributes to change.
- Query for an item: purpose not yet documented.
- Create an item: creates a new item and sets the initial attribute values.
- Create an item link: creates a link between two items.
- Load a hub: loads the attributes from a specified hub into the automation so they can be accessed in subsequent actions.
- Send a message to a public channel: sends a Slack message to a channel.
- Send email: sends an email to designated addresses.
- Import (structured data): creates new items and links based on a tabular data format.
- Custom actions: executes a pre-configured action or integration such as retrieving devices via a third-party API integration.
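The “Compare MAC addresses” action above distinguishes three outcomes, and the difference between them is easy to get wrong when addresses arrive in mixed formats. The following is an added example written for this page, not the product's own implementation: it normalizes common MAC notations and evaluates the three comparisons. The OUI-to-vendor table is constructed for illustration; a real lookup would use the IEEE OUI registry.

```python
"""Added example: the three outcomes of a "Compare MAC addresses" check."""
import re
from typing import Optional

# Constructed, partial OUI-to-vendor table for illustration only (not the
# product's own database). A vendor commonly owns several OUI blocks, which is
# why "resolved OUIs equal" can be true when "OUI prefixes equal" is false.
OUI_VENDORS = {
    "00:1A:2B": "ExampleCorp",
    "00:1A:2C": "ExampleCorp",
    "3C:5A:B4": "OtherVendor",
}

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise '00-1a-2b-3c-4d-5e', '001a.2b3c.4d5e' or '00:1A:2B:3C:4D:5E'
    to 'XX:XX:XX:XX:XX:XX'. Raises ValueError for anything that is not 48 bits,
    so a malformed address can never silently compare equal to another."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_prefix(mac: str) -> str:
    """The first 24 bits (three octets) of a normalized MAC address."""
    return normalize_mac(mac)[:8]


def resolve_oui(mac: str) -> Optional[str]:
    """Vendor name for the address's OUI, or None if the prefix is unknown."""
    return OUI_VENDORS.get(oui_prefix(mac))


def compare_macs(a: str, b: str, mode: str) -> bool:
    """mode is one of 'equal', 'oui_prefix' or 'resolved_oui' (the three
    outcomes the action offers)."""
    if mode == "equal":
        return normalize_mac(a) == normalize_mac(b)
    if mode == "oui_prefix":
        return oui_prefix(a) == oui_prefix(b)
    if mode == "resolved_oui":
        va, vb = resolve_oui(a), resolve_oui(b)
        # Two unknown vendors must not match: None == None would be a false positive.
        return va is not None and va == vb
    raise ValueError(f"unknown comparison mode: {mode!r}")
```

Note the final guard: two addresses whose OUIs are both unregistered must not be treated as “same vendor,” otherwise any pair of locally administered or randomized addresses would satisfy the condition.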
Using message composer
For every triggering event there exists a set of output variables, which provide context for subsequent actions in an automation. For example, the event “when vulnerability detected” includes the following output variables:
- Hub ID: the ID of the hub that detected the vulnerability
- IP: the IP address of the device to which this vulnerability relates
- MAC: the MAC address of the device to which this vulnerability relates
- Remote IP: the IP address of the device to which this vulnerability relates
- Remote MAC: the MAC address of the device to which this vulnerability relates
- Type: a classification of the type of vulnerability
- Message: a human-readable message providing information about the vulnerability
- Time Fired: timestamp this vulnerability was detected
The message composer is the editor used to enter text and variables when configuring an action. The following steps show how it is used to build an automation that alerts the relevant stakeholders when a new vulnerability is detected on a high priority asset:
- Create a new automation with triggering event type “when vulnerability detected.”
- Add a new action for “Load an item.”
- Select the field “ID of item to load” to open the message composer.
- Begin typing “@” to reveal a list of available variables. In this example, select EVENT.mac, the variable that holds the MAC address of the affected item.
- From the green edge of the “Load an item” node, add a new action for “Check if condition is true.”
- Add a new condition and open the first dropdown menu. It offers many more options than when you configured the “Load an item” action, because the output variables of both the original event and the “Load an item” action are now available. For this example, choose “LOAD_ITEM.item.priority,” the priority of the item loaded in the previous action, and set it “equal” to “High.”
- From the green edge of the “Check if condition is true” node, add a new action for “Send a message to a public channel.”
- Add the Slack channel you wish to send the message to.
- Click the message field to open the message composer. Here we do more than insert a variable: we write the message that will be sent to the public Slack channel, for example “A vulnerability that affects a high priority device with EVENT.mac has been detected.” The EVENT.mac variable is substituted with the MAC address of the affected device when the message is sent.
- Finally, you can add a new action from the red edge (condition is not true) of the “Check if condition is true” node, similar to the one above, to alert the appropriate stakeholders about a lower priority vulnerability.
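The procedure above is easier to reason about once you see how the variable context grows as each action runs. The following simulation is an added example written for this page, not the product's code: the event and the loaded item each contribute a namespace (EVENT, LOAD_ITEM), the condition reads LOAD_ITEM.item.priority, and the message composer substitutes dotted variables such as EVENT.mac. The event field names other than mac, the inventory, the channel names and the low priority branch are all assumptions made for the example.

```python
"""Added example: simulation of the vulnerability-alert automation and of how the
message composer resolves variables against the context built by earlier actions."""
import re
from typing import Any, Callable, Dict, List, Tuple

# Constructed inventory standing in for the product's item store (not real data).
ITEMS: Dict[str, Dict[str, str]] = {
    "00:1A:2B:3C:4D:5E": {"id": "00:1A:2B:3C:4D:5E", "name": "core-switch-1", "priority": "High"},
    "3C:5A:B4:00:00:01": {"id": "3C:5A:B4:00:00:01", "name": "lobby-printer", "priority": "Low"},
}

# Constructed sample events. Only "mac" is named on the page; the other keys are assumed.
HIGH_EVENT = {"hub_id": "hub-01", "ip": "10.0.0.2", "mac": "00:1A:2B:3C:4D:5E",
              "type": "default-credentials", "message": "Telnet open with default credentials",
              "time_fired": "2024-01-01T00:00:00Z"}
LOW_EVENT = {"hub_id": "hub-01", "ip": "10.0.0.9", "mac": "3C:5A:B4:00:00:01",
             "type": "outdated-firmware", "message": "Firmware 2 years out of date",
             "time_fired": "2024-01-01T00:05:00Z"}

# A dotted variable reference: upper-case namespace, then one or more attribute parts.
VAR = re.compile(r"\b([A-Z_]+(?:\.[A-Za-z_]+)+)\b")


def lookup(ctx: Dict[str, Any], path: str) -> Any:
    """Resolve 'LOAD_ITEM.item.priority' against the context; unknown paths fail loudly
    instead of silently rendering as empty text."""
    node: Any = ctx
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(f"unknown variable {path!r}")
        node = node[part]
    return node


def render(template: str, ctx: Dict[str, Any]) -> str:
    """What the message composer does with an inserted '@' variable: substitute its value."""
    return VAR.sub(lambda m: str(lookup(ctx, m.group(1))), template)


def load_item(ctx: Dict[str, Any]) -> None:
    """The 'Load an item' action with 'ID of item to load' set to EVENT.mac."""
    item = ITEMS.get(lookup(ctx, "EVENT.mac"))
    if item is None:
        raise LookupError("no item with that ID")
    ctx["LOAD_ITEM"] = {"item": item}


def run_vulnerability_automation(event: Dict[str, str],
                                 send: Callable[[str, str], None]) -> Dict[str, Any]:
    """Load item -> check priority -> notify; `send(channel, text)` is the caller's
    Slack transport. Returns the final context so callers can inspect it."""
    ctx: Dict[str, Any] = {"EVENT": event}
    load_item(ctx)
    if lookup(ctx, "LOAD_ITEM.item.priority") == "High":   # green edge
        send("#sec-critical", render(
            "A vulnerability that affects a high priority device with EVENT.mac "
            "has been detected: EVENT.message", ctx))
    else:                                                   # red edge
        send("#sec-triage", render(
            "Low priority: EVENT.type on LOAD_ITEM.item.name (EVENT.mac)", ctx))
    return ctx


def alerts_for(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Run the automation with a collecting stub in place of Slack."""
    sent: List[Tuple[str, str]] = []
    run_vulnerability_automation(event, lambda channel, text: sent.append((channel, text)))
    return sent


if __name__ == "__main__":
    for ev in (HIGH_EVENT, LOW_EVENT):
        for channel, text in alerts_for(ev):
            print(channel, "->", text)
```

Two details worth keeping when you build the real automation: an item lookup that fails should stop the run rather than let the condition evaluate against an empty priority, and a variable name the composer cannot resolve should be an error, not blank text in the alert.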