Kaspersky Next XDR Expert

Execution step parameters

The array of execution step elements describes a playbook's logic. The execution steps are performed in the order described in the playbook. There are several types of execution steps:

  • ResponseAction
  • Split
  • Scatter-gather
  • Switch
  • UpdateData

ResponseAction parameters

A ResponseAction step calls a response function with the parameters below.

Parameter ID

Description

function

An object that defines a response action. For more information, refer to ResponseFunction parameters.

filterProduct

This parameter restricts which components (plug-ins) may perform the response action. When the action is requested, the component plug-ins are filtered by the allowed and restricted components.

For example, the parameter can be specified as follows:

"filterProduct": { "allowed": ["PRODUCT_NAME"] }

output

This parameter allows you to transform the value returned by the response action with a jq expression and place the result in the playbook data (local or operational). For more information, refer to Output.

timeout

This parameter allows you to set timeouts for calling the response function. You can specify the name of a timeout policy defined in the playbook, or set the timeout values manually. For more information, refer to Timeout policy.

If the value is not specified, the default timeout policy is applied.

manualApprove

This parameter allows you to configure a manual approval of a response action. Possible values:

  • Boolean value:
    • true—Manual approval is enabled with default parameters.
    • false—Manual approval is disabled.
  • Object ManualApprove.

onError

This parameter defines the behavior when an error occurs during the execution of a response action. Possible values:

  • stop—Defines the termination of the playbook in case of an error during the execution of the response action.
  • continue—Defines that the playbook execution will continue, even if one of the response actions completes with an error. In this case, the playbook launches the next response action specified in the algorithm.

By default, the value is stop.

Note that, if a system error occurs, the playbook execution completes with an error regardless of the specified value of the onError parameter.

Timeout policy

The timeout policy of execution steps. The system automatically determines the default timeout policy.

The default timeout policy can be reconfigured by using the default policy name. In this case, the new policy will be automatically applied to all execution steps.

Parameter ID

Description

name

Timeout policy name.

scheduleToCloseTimeout

The maximum execution time of the step, including waiting in the queue and retries. The value is a Go duration string (for example, 30s, 10m, 1h30m).

If the value is not specified or 0, the value from the playbookRunTimeout field is used.

Output

The output parameter generates operational data at the end of a step, which will then be transferred to the next step. Specify the output parameter if you want to use the results of the current step of the playbook in the next step.

To avoid overloading the system, it is recommended to limit the data placed in the playbook data (local or operational).

Parameter ID

Description

action

This parameter defines whether the playbook data (local or operational) will be overwritten or merged. Possible values:

  • merge—The new data is merged with the current data.
  • overwrite—The current data is overwritten with new data.

filter

This parameter defines the jq expression for processing output data.

Manual approve

Parameter ID

Description

timeout

The timeout for manual approval in minutes. The minimum value is 10 minutes (10m), the maximum is 180 minutes (180m).

By default, the value is 60 minutes (60m).

emailNotifications

This parameter allows you to configure the sending of email notifications.

Email notification settings

Parameter ID

Description

enabled

Flag for enabling email notifications.

delay

This parameter defines the delay before sending the email notification. The value is specified in minutes.

The minimum value is 5 minutes (5m), the maximum is 30 minutes (30m).

By default, the value is 10 minutes (10m).
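As an added example, not taken from the product documentation or from Kaspersky's own playbooks, the following fragment puts the ResponseAction parameters above together in one step object. The function body is left empty because its fields are described under ResponseFunction parameters rather than on this page. The policy name slow-actions, the result fields hostname and status consumed by the jq filter, and the use of a bare string for timeout to reference a named policy are assumptions made for illustration only.

```json
{
  "function": {},
  "filterProduct": { "allowed": ["PRODUCT_NAME"] },
  "output": {
    "action": "merge",
    "filter": "{isolation: [.[] | {host: .hostname, ok: (.status == \"success\")}]}"
  },
  "timeout": "slow-actions",
  "manualApprove": {
    "timeout": "30m",
    "emailNotifications": { "enabled": true, "delay": "5m" }
  },
  "onError": "continue"
}
```

Read it as: run the action only through the PRODUCT_NAME plug-in, require an analyst to approve it within 30 minutes (with the notification e-mail sent after a 5-minute delay), keep the playbook running if the action itself fails, and merge a trimmed-down view of the result into the playbook data instead of the whole response. Keeping the filter narrow matters for the reason the Output section gives: everything you place in the playbook data is carried into every following step. The alternative to a named policy is to set the timeout values manually, for example scheduleToCloseTimeout set to "30m" in Go duration format.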


Split

Before specifying the split parameter, make sure that the aggregate parameter is also specified in the playbook algorithm.

The split parameters are used to split the array of incoming data by elements and to perform various actions on the elements.

Parameter ID

Description

input

A jq expression for composing an array or referencing an array.

aggregate

This parameter allows you to configure aggregation rules by using a jq expression.

output

Configuring how to apply the output data to the current playbook data. Possible values:

  • String constant: merge or overwrite.
  • Object Output.

mode

Split operation mode. Possible values:

  • parallel—Defines that all elements are processed in parallel. The number of threads is controlled by the interpreter.
  • sequence—Defines that all elements are processed sequentially.

By default, the value is parallel.

batchSize

This parameter allows you to specify the number of array elements that will be processed in one loop or one parallel thread. You can use this parameter if the plug-in function limits the number of input elements.

For example, if a plug-in function can handle no more than 10 elements in one loop, you can specify the following parameter value: batchSize=10.

By default, the value is 1.

onError

This parameter defines the behavior when an error occurs in one of the branches. Possible values:

  • stop—Terminates the Split step if an error occurs in any branch. How the other branches are affected depends on the mode:
    • If mode=sequence, after an error occurs in one branch, the subsequent branches are not started.
    • If mode=parallel, after an error occurs in one branch, the branches that are already running continue to run independently of each other.
  • continue—Stops only the branch in which the error occurred. The other branches continue to run, and the step proceeds with their results.

By default, the value is stop.

steps

Array of execution steps.
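The following Python model, added here as an illustration and not code from Kaspersky Next XDR Expert, walks through the Split behaviour described above (input array, batchSize, mode, onError) and the merge/overwrite rule from the Output section. The jq expressions are replaced by Python callables, the host names and plug-in limits are constructed sample data, and the comments mark where the product's exact semantics are assumed rather than stated on this page.

```python
"""Model of a Split step: input -> batches -> per-batch action -> aggregate -> output.
Constructed illustration, not product code. jq expressions are replaced by Python
callables; the product's exact semantics are assumed where the comments say so."""
from concurrent.futures import ThreadPoolExecutor


class StepError(Exception):
    """The step as a whole failed (onError=stop after a branch error)."""


def batched(items, size):
    """batchSize: split the input array into chunks of at most `size` elements."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def apply_output(data, new_data, action):
    """Output.action: 'overwrite' replaces the playbook data, 'merge' combines it
    with the new data (assumed to be a shallow merge in which new keys win)."""
    if action == "overwrite":
        return dict(new_data)
    if action == "merge":
        return {**data, **new_data}
    raise ValueError(f"unknown output action {action!r}")


def run_split(data, *, input_fn, action, aggregate, output_action,
              mode="parallel", batch_size=1, on_error="stop"):
    """input_fn stands in for the `input` jq expression (data -> array), action for
    the branch's response action (batch -> result) and aggregate for the
    `aggregate` jq expression (list of results -> dict)."""
    batches = batched(input_fn(data), batch_size)
    results, errors = [], []

    def run_one(batch):
        try:
            return "ok", action(batch)
        except Exception as exc:          # error inside one branch
            return "err", exc

    if mode == "sequence":
        for batch in batches:
            status, value = run_one(batch)
            (results if status == "ok" else errors).append(value)
            if status == "err" and on_error == "stop":
                break                     # subsequent branches are not started
    elif mode == "parallel":
        with ThreadPoolExecutor() as pool:   # thread count left to the interpreter
            for status, value in pool.map(run_one, batches):
                (results if status == "ok" else errors).append(value)
    else:
        raise ValueError(f"unknown mode {mode!r}")

    if errors and on_error == "stop":
        # Assumed: with onError=stop the step fails once any branch has failed,
        # even in parallel mode, where the other branches still ran to the end.
        raise StepError(f"{len(errors)} branch(es) failed: {errors!r}")
    # onError=continue: failed branches are dropped, the rest are aggregated.
    return apply_output(data, aggregate(results), output_action)


# Constructed sample playbook data: one alert touching six hosts.
SAMPLE_DATA = {"alertId": "A-1", "owner": "soc",
               "hosts": ["h1", "h2", "h3", "h4", "h5", "h6"]}


def isolate_hosts(batch):
    """Stand-in for a plug-in function that accepts at most two hosts per call
    and cannot reach host h3 (constructed failure)."""
    if len(batch) > 2:
        raise ValueError("plug-in accepts at most 2 hosts per call")
    if "h3" in batch:
        raise RuntimeError("h3 unreachable")
    return [{"host": h, "isolated": True} for h in batch]


def demo(mode, on_error):
    """Run the sample split; report status, resulting data and batches attempted."""
    attempted = []

    def action(batch):
        attempted.append(list(batch))
        return isolate_hosts(batch)

    try:
        data = run_split(
            SAMPLE_DATA,
            input_fn=lambda d: d["hosts"],
            action=action,
            aggregate=lambda rs: {"isolated": sorted(r["host"] for b in rs for r in b)},
            output_action="merge",
            mode=mode, batch_size=2, on_error=on_error)
        return {"status": "ok", "data": data, "attempted": len(attempted)}
    except StepError as exc:
        return {"status": "error", "data": str(exc), "attempted": len(attempted)}
```

With batchSize=2 the six hosts form three branches, and the second one fails. demo("sequence", "stop") attempts two branches and fails the step; demo("parallel", "stop") attempts all three and still fails; with onError=continue both modes finish with isolated set to h1, h2, h5 and h6 merged alongside the original alertId and owner keys. Swapping output_action to "overwrite" would drop those original keys, which is the difference the Output section warns about.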


Scatter-gather

Before specifying the scatter-gather parameter, make sure that the aggregate parameter is also specified in the playbook algorithm.

The Scatter-gather parameters are used to perform several actions on the data at the same time. Unlike Split, Scatter-gather transmits the same input data to different execution branches.

Parameter ID

Description

input

A jq expression for composing an array.

aggregate

This parameter allows you to configure aggregation rules by using a jq expression.

output

Configuring how to apply the output data to the current playbook data. Possible values:

  • String constant: merge or overwrite.
  • Object Output.

onError

This parameter defines the behavior when an error occurs in one of the branches. Possible values:

  • stop—Terminates all branches if an error occurs in any of them.
  • continue—Stops only the branch in which the error occurred. The other branches continue to run.

By default, the value is stop.

branches

Execution branches.

Branch

Parameter ID

Description

name

The name of the branch that is unique within Scatter-gather.

steps

Array of execution steps.


Switch

An execution step that performs a step or a set of steps depending on a condition. The conditions are evaluated in the order listed, and only the steps of the first condition that evaluates to true are executed; the remaining conditions are skipped.

Parameter ID

Description

conditions

Array of conditions.

Condition

Parameter ID

Description

condition

A jq expression that evaluates to the execution condition for this branch.

steps

Execution steps for the current branch.


UpdateData

The UpdateData step can be described either as a jq script containing the state change logic, or as an Output object.
