Path-C2: Parse Requested Action and Process

Overview

This parallel logic path processes the information passed in by the external/third-party entity (via HTTP Request Body) to determine if it is a known alert type and if there is an available remediation action.

C2: Set actionName (a Variables: Set Primitive Name Runbook Node) analyzes the Runbook setting runtime.alert_name (refer to Webhook Runbook Step-1: Entry-point) to determine an associated remediation (i.e. if found, store the associated remediation in variable runtime.actionName).

D2: alert_name (a Logic: Decision Branch Runbook Node) analyzes the supplied Alert Name to determine processing path.

Path-E2: Logic sub-path that executes when the Runbook receives alert_name: Low Disk Space.

E2: Get Alert Detail and Remediation Action (a Functions: Transform Runbook Node) converts the Runbook runtime-variables as output properties of this node (that get passed to subtending nodes).

F2: Display Alert and Remediation Detail (a Visualizations: Table Runbook Node) displays certain Alert information in a table.

Path-E3:Logic sub-path that executes when the Runbook receives an unknown alert_name.

E3: Display Unknown Alert (a Visualizations: Text Runbook Node) displays unknown Alert information in text.

C2: Variables: Set Primitive Variable - Set actionName

This Runbook Node analyzes the setting of a Runbook Variable (runtime.alert_name) to initialize another Runbook Variable: runtime.actionName.

The Variables: Set Primitive Variable node is configured with a Liquid Template that analyzes the setting of runtime.alert_name and sets runtime.actionName accordingly. Automation can then access the new Runbook runtime.actionName variable for processing.

Placement of the Variables: Set Primitive Variable node on the Canvas in the Runbook Editor

There are two methods to place the Variables: Set Primitive Variable node in the canvas of the Runbook Editor.

Find Variables: Set Primitive Variable in the palette on the left-side of the Runbook Editor and drag it onto the canvas to the right of the preceding Variables: Set Primitive Variable node:
1. The preceding Variables: Set Primitive Variable node will provide the data and context input for the Variables: Set Primitive Variable node. Connect the data flow from preceding Variables: Set Primitive Variable to Variables: Set Primitive Variable
Alternatively, click on the plus sign on the preceding Variables: Set Primitive Variable node (already on the canvas) to reveal a pop-up menu of relevant nodes. Then, find and select the Variables: Set Primitive Variable node.

NOTE: this method automatically connects the data flow from the preceding Variables: Set Primitive Variable] to the newly placed Variables: Set Primitive Variable.

Variables: Set Primitive Variable: Placement on the canvas

Configuration of the Node to identify a Remediation Action based on the received Alert Name

NOTE: Prerequisite Runbook runtime variables are assumed to have already been defined.

The Variables: Set Primitive Variable node, must be configured with a Liquid Template to analyze the setting of runtime.alert_name, and sets runtime.actionName accordingly:

In the Variables: Set Primitive Variable editor card on the right, go to the “Variables to Set” area and:
1. Press “Set another Variable” to add the predefined Runbook runtime variable runtime.actionName to this node:
  1. Ensure Scope: Runbook execution is selected.
  2. Then, find and specify Variable Name: runtime.actionName
Next, configure the “Template to Assign Value to Variables” area.

NOTE: This area of the node configuration uses Liquid-templates to define data formats and processing logic. Refer to Working With Liquid Templates.
1. This Runbook Node uses the following Liquid template to map the runtime.alert_name setting (parsed out of the HTTP-Request Body earlier), to an associate remediation action (i.e. runtime.actionName): (the following Liquid-template can be copy-pasted into the TEMPLATE-panel)
  Click to reveal template
  Copy
  {% assign alert_name = variables["runtime.alert_name"] %} { {% if alert_name == "Low Disk Space" %} "runtime.actionName": "Empty Recycle Bin1" {% elsif alert_name == "Weak WiFi" %} "runtime.actionName": "weakWifiAction" {% else %} "runtime.actionName": "noActionName" {% endif %} }
Click “Save & Close” to save this node configuration.

Variables: Set Primitive Variable: Configured (and Customized)

D2: Logic: Decision Branch - alert_name

At times there is a need for an automation to “pivot” the execution path based on gathered information. The Logic: Decision Branch Runbook Node provides a mechanism to specify the path of execution based upon some test or condition.

You can configure the Logic: Decision Branch Runbook Node to direct the path of execution through a specific Output based on a configured Condition. You can also configure multiple Output values to define different execution paths that match specific Condition values. Additionally, the Runbook supports a DEFAULT output to handle scenarios where no other condition matches.

For this Runbook, the Logic: Decision Branch Runbook Node is configured to determine two paths of execution:

Path-E2: The sub-path that is executed when alert_name: Low Disk Space.
Path-E3: (Default) The sub-path that is executed when an unknown alert_name is received (i.e. alert_name.NOT.Low Disk Space)

Placement of the Logic: Decision Branch node on the canvas in the Runbook Editor

There are two methods to place the Logic: Decision Branch node in the canvas of the Runbook Editor.

Find Logic: Decision Branch in the palette on the left-side of the Runbook Editor and drag it onto the canvas to the right of the Variables: Set Primitive Variable node:
1. the Variables: Set Primitive Variable node, as well as all preceding Runbook Nodes in the path of execution, will provide the data and context input for the Logic: Decision Branch node. Connect the data flow from Variables: Set Primitive Variable to Logic: Decision Branch
Alternatively, click on plus sign on the Variables: Set Primitive Variable node (already on the canvas) to reveal a pop-up menu of relevant nodes. Then, find and select the Logic: Decision Branch node.

NOTE: this method automatically connects the data flow from Variables: Set Primitive Variable to Logic: Decision Branch.

Logic: Decision Branch: Placement on the canvas

Configuration of the Node to direct path of execution based on a Condition

NOTE: Prerequisite Runbook runtime variables are assumed to have already been defined.

The Logic: Decision Branch node, is configured to determine path of execution based on the requested Alert (i.e. the setting for the variable runtime.alert_name that was parsed out of the HTTP-Request Body that initiated this Runbook execution):

In the Logic: Decision Branch editor card on the right, go to the OUTPUT area:
1. Use the Add An Output control to configure an OUTPUT that will identify a specific path of execution for scenarios where runtime.alert_name: Low Disk Space:
  1. Click the Add a Condition sub-control to configure the condition for following this path of execution as:
    1. Select Variables from the pick list.
    2. Select Variable: runtime.alert_name from the pick list.
    3. Select Operation: equals.
    4. Specify the value that must be matched to follow this path of execution (i.e. change “Click to add value” to “Low Disk Space”.)
In the Logic: Decision Branch editor card on the right, go to the OUTPUT area and:
1. Use the Add A Default Output control to configure a DEFAULT output that will identify the default path of execution for scenarios where runtime.alert_name is unknown.
Click “Save & Close” to save this node configuration.

Logic: Decision Branch: Configured (and Customized)

Path-E2: Logic sub-path that is executed when [alert_name: Low Disk Space]

E2: Functions: Transform - Get Alert Detail and Remediation Action

You can use the Functions: Transform node to format data needed by a Runbook automation into a JSON format. The Runbook can use that JSON data to provide native input to another node.

For example, if transforming a set of Runbook runtime variables into a JSON format. The transformation is performed according to the Transform Template defined in the Functions: Transform node.

Place the Functions: Transform node on the canvas in the Runbook Editor

There are two methods to place the Functions: Transform node in the canvas of the Runbook Editor.

Find Functions: Transform in the palette on the left-side of the Runbook Editor and drag it onto the canvas to the right of the Logic: Decision Branch node:
1. The Logic: Decision Branch node is precursor for the Functions: Transform node, and the Functions: Transform node is the first node in the sub-path for processing of a known Alert (i.e. alert_name: Low Disk Space). Connect the data flow from Logic: Decision Branch to Functions: Transform
Alternatively, click on the plus sign on the Logic: Decision Branch node for first Output (already on the canvas) to reveal a pop-up menu of relevant nodes. Then, find and select the Functions: Transform node.

NOTE: this method automatically connects the data flow from Variables: Set Primitive Variable to Functions: Transform.

Functions: Transform: Properties Blade

E2: Configuration of the Node to format the specified Runbook runtime variables into a JSON-format

NOTE: Prerequisite Runbook runtime variables are assumed to have already been defined.

The Functions: Transform node, must be configured to format desired predefined Runbook runtime-variables into a JSON-format:

In the Functions: Transform editor card on the right, the “Transform Template” area must first be configured with a Liquid template that defines creation of new OUTPUT DATA PROPERTIES and the mapping of associated runtime-variables:

NOTE: This area of the node configuration uses Liquid-templates to define data formats. Refer to Working With Liquid Templates.

For this workflow, use the following Liquid-template to map the target Runbook runtime variables into a JSON format. (The following Liquid-template can be copy-pasted into the TEMPLATE-panel)

Click to reveal the template

Copy

{
"data": [
{
"keys": {
"Alert_Name": "{{variables["runtime.alert_name"]}}",
"Alert_Event_Name": "{{variables["runtime.alert_event_name"]}}",
"Date": "{{variables["runtime.alert_timestamp_epoch"] | date: '%Y-%m-%d--%H-%M-%S'}}",
"Event_Details": "{{variables["runtime.last_event_details"]}}",
"Category": "{{variables["runtime.category"]}}",
"Device_Type": "{{variables["runtime.device_type"]}}",
"Device_Manufacturer": "{{variables["runtime.device_manufacturer"]}}",
"Device_Model": "{{variables["runtime.device_model"]}}",
"Username": "{{variables["runtime.username"]}}",
"Action_Name": "{{variables["runtime.actionName"]}}",
},
"data": {}
}
],
"info": {
"keys": [
{
"id": "Alert_Name",
"label": "Alert Name",
"type": "string",
"unit": ""
},
{
"id": "Alert_Event_Name",
"label": "Alert Event Name",
"type": "string",
"unit": ""
},
{
"id": "Date",
"label": "Date",
"type": "string",
"unit": ""
},
{
"id": "Event_Details",
"label": "Event Details",
"type": "string",
"unit": ""
},
{
"id": "Category",
"label": "Category",
"type": "string",
"unit": ""
},
{
"id": "Device_Type",
"label": "Device Type",
"type": "string",
"unit": ""
},
{
"id": "Device_Manufacturer",
"label": "Device Manufacturer",
"type": "string",
"unit": ""
},
{
"id": "Device_Model",
"label": "Device Model",
"type": "string",
"unit": ""
},
{
"id": "Username",
"label": "Username",
"type": "string",
"unit": ""
},
{
"id": "Action_Name",
"label": "Action Name",
"type": "string",
"unit": ""
}
],
"metrics": []
}
}

Next, in the Functions: Transform editor card on the right, go to the OUTPUT DATA PROPERTIES area and add a Property for each of the target Runbook runtime variables (i.e. enter the Name, Type, and Unit as appropriate for each):

Click “Save & Close” to save this node configuration.

F2: Visualizations: Table - Display Alert and Remediation Detail

This Runbook uses the Visualizations: Table node to surface summary information about the SDA Alert that triggered this specific Runbook execution. The information collected includes the following:

Table
Pie Chart
Bar Chart
Timeseries Chart
Bubble Chart
Correlation Chart
Cards
Gauges
Connection Graph
Debug
Text

This Runbook uses the Visualizations: Table node to surface more detailed information about the SDA Alert that triggered the specific Runbook execution and the associated Remediation Action. The information collected includes:

Alert Name
Username
Action Name

Place the Visualizations: Table node on the canvas in the Runbook Editor

There are two methods to place the Visualizations: Table node in the canvas of the Runbook Editor.

Find Visualizations: Table in the palette on the left side of the Runbook Editor and drag it onto the canvas to the right of the Functions: Transform node:
1. The Functions: Transform node will provide JSON formatted information as input for the Visualizations: Table node. Connect the data flow from Functions: Transform to Visualizations: Table.
Alternatively, click on the plus sign on the Functions: Transform node (already on the canvas) to reveal a pop-up menu of relevant nodes. Then, find and select the Visualizations: Table node.

NOTE: this method automatically connects the data flow from Functions: Transform to Visualizations: Table.

Visualizations: Table: Placement on the canvas

Configuration of the Node to surface the desired information

By default, the Visualizations: Table node will be configured to surface all JSON parameters passed from the preceding node.

The Visualizations: Table node can also be configured to only surface certain JSON parameters passed from the preceding node:

In the Visualizations: Table editor card on the right:
1. Go to the “Table Columns” area to review the available JSON parameters and remove any parameters that do not need to be surfaced.
2. Go to the “Sort Column” area to set the desired sort-column and the desired sort-order.
3. Make any other desired changes.
Click “Save & Close” to save this node configuration.

Path-E3: Logic sub-path that is executed when an unspecified alert_name is received

E3: Visualizations: Text - Display Unknown Alert

Table
Pie Chart
Bar Chart
Timeseries Chart
Bubble Chart
Correlation Chart
Cards
Gauges
Connection Graph
Debug
Text

This Runbook uses the Visualizations: Text node to log the occurrence of an unknown Alert:

Alert Name

E3: Placement of the Visualizations: Text on the canvas in the Runbook Editor

There are two methods to place the Visualizations: Text node in the canvas of the Runbook Editor.

Find Visualizations: Text in the palette on the left-side of the Runbook Editor and drag it onto the canvas to the right of the Logic: Decision Branch node:
1. The Logic: Decision Branch node will provide JSON formatted information as input for the Visualizations: Text node. Connect the data flow from Logic: Decision Branch.OUTPUT: Default to Visualizations: Text.
Alternatively, click on the plus sign on the Logic: Decision Branch.OUTPUT: Default (already on the canvas) to reveal a pop-up menu of relevant nodes. Then, find and select the Visualizations: Text node.

NOTE: this method automatically connects the data flow from Logic: Decision Branch to Visualizations: Text.

Configuration of the Node to surface the desired information

By default, the Visualizations: Text node will be configured to surface the unknown Alert Name parsed from the HTTP-Request Body:

In the Visualizations: Text editor-card on the right:
1. Go to the “Notes” area and specify the Alert-log to be surfaced, (e.g. display the value stored in variable runtime.alert_name):

No matching logic for "{{variables"runtime.alert_name"}}"

Click “Save & Close” to save this node configuration.

The Visualizations: Text is configured to surface Unknown Alert Name similar to:

Previous Step