Security Orchestration, Automation and Response (SOAR) provides basic system components to help users define playbook input and output parameters and build the workflow of basic playbooks.
Start/End
Each process must have start and end nodes. There can be only one start node but multiple end nodes.
The start node uses event as the default node name. Therefore, do not set the component name to event during playbook orchestration.
The parameters of the start node are described as follows:
Input parameters: Configure the conditions for triggering the playbook. When you select different conditions, the Input Parameter Wizard changes accordingly during testing.
Output parameters: Define the fields that are output after the playbook is executed. These fields can be used by subsequent nodes and can also be provided to other playbooks that reference them through the setOutput action.
The syntax for obtaining the output parameters of the start node is: ${event.parameter path}.
In addition to custom output parameters, the start node also provides default system parameters. For more information, see System parameters in playbooks (default parameters of start nodes).
Output gateway
Gateways control the execution branches and flow of a process. The process is shown in the following figure:
Gateway | Execution logic | Usage notes |
Default output gateway | Outputs multiple branches from one node and executes actions on all branches. | No component needs to be selected. You can complete the configuration by connecting the nodes. Note: Condition configuration is not supported. |
Single output (exclusive gateway) | When a process has multiple branches, the action on the first branch that meets the condition is executed, and only one branch is executed. | The single output component must be selected, and relevant condition configuration is required. Note: A default ELSE condition is provided for situations beyond custom conditions. |
Multiple output (inclusive gateway) | When a process has multiple branches, all branches that meet the conditions are executed. | The multi-output component must be selected, and relevant condition configuration is required. |
Default output gateway

Configuration instructions
Click the node and use lines to directly connect the current component node with downstream branch nodes. Condition configuration is not supported.

Single output (exclusive gateway)

Configuration instructions
In the basic node area, drag the Exclusive Gateway component to the flow editor canvas.
Click the Exclusive Gateway component. In the Basic Information tab on the right, click the Configure button to enter the condition configuration page. After configuration, click OK to save the conditions for branch selection.
Based on your scenario, click ADD IF or AND ELSE IF to add a set of conditions. Each set of conditions corresponds to one flow branch. For condition configuration instructions, see Component condition configuration instructions. You can modify the condition name to better understand and distinguish the condition content.
Configure the gateway connection lines.
Place the pointer on the exclusive gateway icon and click the connection point to connect it to the branch node.

Click the connection line and select the condition configured in Step 2 from the dropdown list in the configuration page on the right.
Important: A default ELSE condition is provided for situations beyond custom conditions.
Select different conditions for different lines.
Multiple output (inclusive gateway)

Configuration instructions
In the basic node area, drag the Inclusive Gateway component to the flow editor canvas.
Click the Inclusive Gateway component. In the Basic Information tab on the right, click the Configure button to enter the condition configuration page. After configuration, click OK to save the conditions for branch selection.
Based on your scenario, click ADD IF to add a set of conditions. Each set of conditions can correspond to multiple flow branches. For condition configuration instructions, see Component condition configuration instructions. You can modify the condition name to better understand and distinguish the condition content.
Configure the gateway connection lines.
Place the pointer on the inclusive gateway icon and click the connection point to connect it to the branch node.

Click the connection line and select the condition configured in Step 2 from the dropdown list in the configuration page on the right.
Note: Different lines can correspond to the same condition.
Input gateway
Two types of input gateways are supported. When branches execute normally, both gateways function the same. The difference lies in how they handle abnormal branch execution.
Gateway | Execution logic | Usage notes |
Default input gateway | Continues execution after all upstream branches have finished executing. Even if a branch reports an error, subsequent execution will continue. | No component selection is required. You can complete the configuration by using node connection lines. |
Parallel gateway | Waits for all upstream nodes to complete execution, then determines whether all "required" upstream branches have been executed. If the result is "yes," subsequent nodes are triggered. Otherwise, the node execution fails. | |
Default input gateway

Configuration instructions
Click the node and connect the current component node to downstream branch nodes.

Parallel gateway

Configuration instructions
In the basic node area, drag the Parallel Gateway component to the flow editor canvas.
Configure the gateway connection lines.
Click the node and use connection lines to connect the current component node with the Parallel Gateway component.

Click the connection line and select "Required" or "Non-required" from the dropdown list in the configuration page on the right.
Note: If you select "Required," it indicates that the current link node must be executed. Otherwise, subsequent nodes will not be triggered.
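The branch selection of the output gateways and the join behavior of the input gateways described above can be modeled as follows. This is an added example, not SOAR code: the function names, node names, condition names and the sample alert are hypothetical, and it assumes that conditions are evaluated in the order they were added and that a failed branch does not count as executed.

```python
# Added example; names are hypothetical and the sample alert is constructed.
def exclusive_gateway(conditions, lines, ctx):
    """Run only the line bound to the first condition that holds, else ELSE."""
    chosen = next((name for name, test in conditions if test(ctx)), "ELSE")
    return [node for node, cond in lines if cond == chosen][:1]

def inclusive_gateway(conditions, lines, ctx):
    """Run every line whose condition holds; lines may share a condition."""
    met = {name for name, test in conditions if test(ctx)}
    return [node for node, cond in lines if cond in met]

def default_input_gateway(upstream):
    """Continue once all upstream branches finished, even if one errored."""
    return all(b["status"] in ("executed", "failed") for b in upstream)

def parallel_gateway(upstream):
    """Continue only if every branch marked Required was executed."""
    return all(b["status"] == "executed" for b in upstream if b["required"])

CONDITIONS = [  # evaluated in the order they were added (assumption)
    ("high_severity", lambda a: a["severity"] >= 4),
    ("external_src", lambda a: not a["src_ip"].startswith("10.")),
]
ALERT = {"severity": 5, "src_ip": "203.0.113.7"}  # constructed sample

# (downstream node, condition selected on the connection line)
EXCLUSIVE_LINES = [("notify_oncall", "high_severity"),
                   ("block_ip", "external_src"),
                   ("log_only", "ELSE")]
INCLUSIVE_LINES = [("notify_oncall", "high_severity"),
                   ("block_ip", "external_src"),
                   ("open_ticket", "external_src")]

# A containment branch that failed, joined with a notification that succeeded
UPSTREAM = [{"node": "block_ip", "required": True, "status": "failed"},
            {"node": "notify_oncall", "required": False, "status": "executed"}]
```

With the exclusive gateway the sample alert only reaches notify_oncall although it also satisfies external_src, and the default input gateway lets the flow continue past the failed block_ip branch, whereas the parallel gateway with that line marked "Required" does not.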
Child flow
Like a normal flow, a child flow also requires start and end nodes. Child flows can divide complex flows into groups for clearer display, and they also support loops.
Child flows and parent flows are in the same variable space. The data from the parent flow (including inputs, returns from upstream nodes, and variables) can be used in the child flow, and modifications to variables in the child flow will be reflected in the parent flow's results.
In subsequent nodes outside the child flow, you can obtain the result of the last execution of nodes within the child flow.
Child flow loop configuration instructions

Click the Start Loop button.
Choose Execution Mode:
Do-while: Execute the loop first, then check the condition after execution.
While-DO: Check the condition first, then execute if it is met.
Set the Maximum Loops to prevent infinite loops.
Set Loop-ending Condition: Parameters from all nodes executed in each iteration of the child flow can be used as judgment conditions. For parameter configuration, see Component condition configuration instructions.
Loop-ending logic
Each loop iteration ends when all executing nodes in the child flow for that iteration have finished.
For example: In the following scenario, the "Notification 2" node has completed execution and reached the end node, but the "Delay" node is still executing. The current iteration will wait until all executable nodes have finished before starting the next iteration of the loop.
Default loop parameters
Child flows provide default parameters that can obtain the current loop count for use by components within the child flow.
Loop count: Starts counting from 1, format is ${child flow name.curLoop}.
Loop index: Starts counting from 0, format is ${child flow name.curIndex}.
Example:
In a child flow, use the loop index in the NotifyMessage component when writing an email to get array parameter values from the start node.
Component condition configuration instructions
In scenarios such as exclusive gateways, inclusive gateways, child flow loop exits, and filter components, you need to configure conditions for judgment to complete the corresponding functions. SOAR provides a common page to complete these configurations, with rules as follows:

Number | Description |
1-Logical operator | AND: All conditions must be met. OR: Meeting any one condition is sufficient. Important: Logical operators can only determine the logical relationship between different rules within the same group. |
2-NOT switch | Negates the condition judgment for the current group. |
3-Add rule within group | Adds a rule within the group. The logical relationship between multiple rules within a group is determined by the 1-Logical operator in the upper left corner. |
4-Add condition group | Click to add a group of filtering conditions. Important: The condition between different groups is fixed as AND and is not affected by the 1-Logical operator. |
5-Condition field | Supports input of expressions and constants, typically output fields from preceding nodes. |
6-Condition judgment rule | Supports operations such as IN, = for strings, numbers, and datasets. For specific instructions, see the filter component below. |
7-Condition value | Supports input of expressions and constants. |
Condition configuration example

Using the above figure as an example, when the name in the node is john or alice and age is between 12 and 20 (inclusive of boundary values), it will be determined as meeting the condition.
Condition judgment rule description
Rule | Description | Remarks |
NOT IN IP Dataset | Not in the IP dataset. | Datasets need to be configured in "Security Center-CTDR-Integration Center-Observation List" before they can be selected. |
IN IP Dataset | In the IP dataset. | |
NOT IN Dataset | Not in the dataset. | |
IN Dataset | In the dataset. | |
String| Equal | Equal. | None |
String| Not equal | Not equal. | None |
String| Contains | Contains. | Example: abc contains bc. |
String| Does not contain | Does not contain. | Example: abc does not contain d. |
String| Starts with | Starts with. | Example: abc starts with ab. |
String| Ends with | Ends with. | Example: abc ends with bc. |
String| Does not end with | Does not end with. | Example: abc does not end with ab. |
String| Regex match | Regular expression match. | Example: abcabc matches (abc)+. |
String| Not regex match | Not a regular expression match. | Example: abab does not match (abc)+. |
String| Is empty | Is an empty string. | Empty string, null, and NULL are all considered empty strings. |
String| Is not empty | Is not an empty string. | None |
Number| Equal | Equal. | None |
Number| Not equal | Not equal. | None |
Number| Greater than | Greater than. | None |
Number| Greater than or equal to | Greater than or equal to. | None |
Number| Less than | Less than. | None |
Number| Less than or equal to | Less than or equal to. | None |
Number| Range | Whether the numeric condition value is within the configured range. Format is "value,value". | Example: 1 is within the range of -1,5. |
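
The group logic and a subset of the judgment rules above, written out as an evaluator. This is an added example, not SOAR code: the rule names come from the table, while the function names, the data layout and the event fields name and age are hypothetical. It assumes the example condition is built as one OR group for the name and one group for the age range, and that a regex rule must match the whole string.

```python
import re

# Added example: rule names follow the page's table; everything else is hypothetical.
EMPTY = (None, "", "null", "NULL")  # "Is empty" treats these alike

def in_range(value, spec):
    lo, hi = (float(x) for x in spec.split(","))  # format "value,value"
    return lo <= float(value) <= hi               # boundaries are inclusive

RULES = {
    "String| Equal": lambda f, v: str(f) == v,
    "String| Contains": lambda f, v: v in str(f),
    "String| Starts with": lambda f, v: str(f).startswith(v),
    "String| Ends with": lambda f, v: str(f).endswith(v),
    # Assumption: the whole string must match, consistent with the page's examples
    "String| Regex match": lambda f, v: re.fullmatch(v, str(f)) is not None,
    "String| Is empty": lambda f, v: f in EMPTY,
    "Number| Greater than": lambda f, v: float(f) > float(v),
    "Number| Range": in_range,
}

def resolve(expr, ctx):
    """Resolve ${node.path} against node outputs; anything else is a constant."""
    m = re.fullmatch(r"\$\{([\w.]+)\}", str(expr))
    if not m:
        return expr
    value = ctx
    for key in m.group(1).split("."):
        value = value.get(key) if isinstance(value, dict) else None
    return value

def eval_group(group, ctx):
    results = [RULES[rule](resolve(field, ctx), resolve(value, ctx))
               for field, rule, value in group["rules"]]
    hit = all(results) if group["op"] == "AND" else any(results)
    return not hit if group.get("not") else hit  # NOT switch negates the group

def eval_condition(groups, ctx):
    # Groups are always ANDed, regardless of each group's own operator
    return all(eval_group(g, ctx) for g in groups)

# The page's example: name is john or alice, and age is between 12 and 20
CONDITION = [
    {"op": "OR", "rules": [("${event.name}", "String| Equal", "john"),
                           ("${event.name}", "String| Equal", "alice")]},
    {"op": "AND", "rules": [("${event.age}", "Number| Range", "12,20")]},
]
```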