Playbook Step Library


Ingest

The Ingest step is one of the root steps that can start a playbook. This step is what tells the playbook which feed of data it should receive. It directly links to the list of Data Feeds. Each Ingest step refers to one Data Feed, but multiple Ingest steps can start a playbook.

Details Step: Ingest


Schedule

The Schedule step is one of the root steps that can start a playbook. This one allows a playbook to run on a schedule, as defined in the Data Feeds view.

Details Step: Schedule


Playbook

The Playbook step is one of the root steps that can start a playbook. This step is used with the Run Playbook step to create sub-playbooks. Playbooks using this input are activated by other playbooks.

(DarkLight 3.4 and up)

Details Step: Playbook


Subscribe

This step starts a PRO Playbook by receiving packages that have a specific rdf:type as one of the properties of the primary graph. The Subscribe step only receives packages that have been sent by the Broadcast step. An individual package will only be subscribed to once, to prevent looping.


Requires a graph object

Requires Broadcast step from another playbook

Details Step: Subscribe


Taxii 2 Ingest

The Taxii 2 Ingest step is one of the root steps that can start a playbook. This step receives JSON data from servers configured on the Taxii2 Configuration view.

Details Step: Taxii 2 Ingest

Base64

Encode and Decode a text string to and from Base64.


Allows FreeMarker Expressions

Operates on table variable values

Details Step: Base64


Calculate

Performs math operations on a value in one of the variables in the table data of the package.


Operates on table variable values

Allows Freemarker templates to select values

Details Step: Calculate


Calculate Statistics

This step allows playbooks to utilize statistical analysis of data that has gone through previous analysis. By defining a data set specification type and supporting fields per specification, a sample set of data that has been persisted may be used to find a number of statistics to describe that data.

Details Step: Calculate Statistics


Convert CSV to Table

Converts a string stored in a variable by another step (e.g. Download File) to a table by splitting each line to create a table row, and splitting on a delimiter (e.g. comma, pipe, etc.) to create the columns in that row.

If the intended use of this step is to turn each row of this table into a graph, follow it with the Split Package by Table Row step and the Reify Table Row step.


Operates on table variable values

Allows Freemarker templates to select values

Use only with input that has line returns. To convert a single row of CSV to a table, use the Convert CSV to Table Row step.

Details Step: Convert CSV to Table (multi-line)


JSONPath

This step evaluates a JSONPath expression against a JSON object and stores results in package.


Stores data in a package table variable

Details Step: JSONPath


Normalize Date

This step converts a date from one format to another, either automatically choosing from a set of built-in patterns, or from one you specify. The output format can also be specified by you.


Operates on table variable values

Allows Freemarker templates to reference values

Details Step: Normalize Date


RegEx (Regular Expression)

Applies a regular expression (regex) to a value, typically to extract or rearrange characters in a string. The step allows for capturing groups and using only a subset of them in the output. A useful reference for regex syntax is at http://regexr.com


Operates on table variable values

Allows Freemarker templates to select values

Details Step: Regex (Regular Expression)


Reify JSON Object

This step sends a JSON message from the package table variable to a Reify Configuration to convert it into a graph. The most frequent use is to convert an incoming JSON event from a message queue (called rawInput in the package) into a graph (called _default_).


Operates on a table variable

Creates a graph

Requires a Reify Configuration to know how to process the JSON

Details Step: Reify JSON Object


Reify Multiple JSON Objects

This step sends the results of a JSONPath statement from the package table variable to a Reify Configuration to convert any JSON objects into graphs. This is a useful step if a download or query has returned multiple results and you want to turn each of them into a graph. This step is typically followed by Step: Split Package to send each result down the rest of the steps.


Operates on a table variable

Creates a graph with multiple objects

Requires a Reify Configuration to know how to process the JSON

Details Step: Reify Multiple JSON Objects


Reify Table Row

This step sends a table row (array) from the package table variable to a Reify Configuration to convert it into a graph. This step is typically used after a Split Package step that splits apart the package on each row in a multi-row table. It uses the "Table" version of the Reify Configuration.


Operates on a table variable

Creates a graph with one object

Requires a Table Reify Configuration to know how to process the table row

Details Step: Reify Table Row


Replace Text

Search and Replace text inside a saved variable.


Allows FreeMarker Expressions

Operates on table variable values

Stores data in a package table variable

Details Step: Replace Text


SHA-256

Encode a text string and public key with SHA-256 to create an HMAC. Output can be stored as either Base64 or HEX characters.


Allows FreeMarker Expressions

Operates on table variable values

Details Step: SHA-256


Split Text

Converts a string stored in a variable by another step to a list by splitting on a delimiter (e.g. comma, pipe, line ending, etc.). Uses include converting a single CSV string to a single-row table, or separating a string on line returns to create a list of strings that can then be processed individually by using the Split Package step.


Operates on table variables

To convert a multi-row CSV to a table, use the Convert CSV to Table step.

Details Step: Split Text


Text Operations

Manipulates text (trim whitespace, change case, etc.).


Operates on table variable values

Stores data in a package table variable

Details Step: Text Operations


XPath

Performs an XPath operation and stores the resulting data in the package.


Operates on table variable values

Allows Freemarker templates to select values

Uses XPath syntax

Details Step: XPath

Graph CIDR Collection Filter

This step compares a data property from your default graph against a collection that contains data in CIDR (Classless Inter-Domain Routing) format. Multiple conditions can be applied and combined with an AND or an OR. If the conditions match, the package continues down the True [+] side of the step. If the conditions do not match, the package continues down the False [-] side.


Operates on the package graph

Uses CIDR Notation for IP Addresses

Requires a String Collection

Details Step: Graph CIDR Collection Filter


Graph CIDR Filter

This step compares a data property from your default graph against a string (text) in CIDR (Classless Inter-Domain Routing) format. Multiple conditions can be applied and combined with an AND or an OR. If the conditions match, the package continues down the True [+] side of the step. If the conditions do not match, the package continues down the False [-] side.


Operates on the package graph

Uses CIDR Notation for IP Addresses

Details Step: Graph CIDR Filter


Graph String Collection Filter

This step compares a data property from your default graph against a collection that contains strings (text). Multiple conditions can be applied and combined with an AND or an OR. If the conditions match, the package continues down the True [+] side of the step. If the conditions do not match, the package continues down the False [-] side.


Operates on the package graph

Requires a String Collection

Details Step: Graph String Collection Filter


Graph String Filter

This step compares a data property from your default graph against a string (text) or package variable value. Multiple conditions can be applied and combined with an AND or an OR. If the conditions match, the package continues down the True [+] side of the step. If the conditions do not match, the package continues down the False [-] side.


Operates on the package graph - only on the primary object

Allows Freemarker Template Expressions

Details Step: Graph String Filter


Graph Time of Day Filter

This step allows the playbook to filter the package based on the time of day of a data property in the graph. The syntax for specifying the time of day utilizes time zones.


Operates on a reified graph.

Details Step: Graph Time of Day Filter


Value CIDR Collection Filter

This step compares a package table value against a collection that contains data in CIDR (Classless Inter-Domain Routing) format. Multiple conditions can be applied and combined with an AND or an OR. If the conditions match, the package continues down the True [+] side of the step. If the conditions do not match, the package continues down the False [-] side.


Operates on a package table variable

Uses CIDR Notation for IP Addresses

Requires a String Collection

Details Step: Value CIDR Collection Filter


Value Number Filter

This step allows the playbook to filter in or out specific combinations of numeric comparisons. It operates on the variables in the package table using FreeMarker expressions. Only one value can be compared per step, but multiple comparisons can be combined for that value.


Operates on values in the package table variables.

Allows FreeMarker Expressions

Details Step: Value Number Filter


Value String Collection Filter

This step compares a package table value against a collection of strings (text). Multiple conditions can be applied and combined with an AND or an OR. If the conditions match, the package continues down the True [+] side of the step. If the conditions do not match, the package continues down the False [-] side.


Operates on a package table variable

Requires a String Collection

Details Step: Value String Collection Filter


Value String Filter

This step allows the playbook to filter in or out specific combinations of comparisons. It operates on the variables in the package table using FreeMarker expressions. Only one value can be compared per step, but multiple comparisons can be combined for that value.


Operates on values in the package table variables.

Allows FreeMarker Expressions

Details Step: Value String Filter

Cortex

This step lets you send a query to the Cortex API service on your local system using your account's name and API key. The step utilizes the Web Data Source to set up the connection, and uses the same interface Cortex does to send content from your playbook to a Cortex Analyzer. Responses are stored in package table variables to be used in other steps. (Introduced in DarkLight 5.7)


Can use table variable values

Allows FreeMarker Expressions

Requires local installation of Cortex and configured Analyzers

Details Step: Cortex


FreshService

This step lets you send a query to the FreshService API service using your account's API key and password. The step utilizes the Web Data Source to set up the connection, and then allows both GET and POST requests to FreshService. Responses are stored in package table variables to be used in other steps. (Introduced in DarkLight 5.7.1)


Can use table variable values

Allows FreeMarker Expressions

Requires FreshService API Key

Details Step: FreshService


Download File

The Download File step lets you bring data into the package from an internet URL. The data is stored in one package variable, and the response code back from the server (e.g. 404 Not Found) can be stored in another variable.


Stores data in a package table variable

Details Step: Download File


NSLookup (DNS)

NSLookup looks up the name server that the domain belongs to and stores the results in the package.


Operates on a reified package graph

Stores data in a package table variable

Allows FreeMarker Expressions

Details Step: NSLookup


Query Knowledge Base

This step allows you to perform queries on any registered RDF graph database Data Sources (e.g., Working Memory, Contextual Memory) that take actions such as extracting values to store as variables in the package table, creating new connections in the graph, deleting sections of the graph, and asking the graph if a specific connection exists. Common uses for this step include finding and attaching related graph objects from contextual memory and comparing the current event with previous events already published to working memory.


Operates on a reified package graph

Uses SPARQL Query syntax

Details Step: Query Knowledge Base


Query LDAP

Perform an LDAP query and save the results to a variable in the package. This step is very useful in pulling User and Device information from Active Directory.


Stores data in a package table variable

Uses LDAP Query syntax

Details Step: Query LDAP


Query Elasticsearch

This step allows you to perform queries on Elasticsearch databases based on the Elasticsearch indexing field. A common objective of this step is saving the results of an Elasticsearch query to a package variable.


Operates on a reified package graph

Uses Elasticsearch Query syntax

Details Step: Query Elasticsearch


Query Package

This step allows you to perform queries on the package graph that take actions such as extracting values to store as variables in the package table, creating new connections in the graph, deleting sections of the graph, and asking the graph if a specific connection exists. The Query Package step is the primary method to create package variables that can be used in other steps, like the Send E-mail step.


Operates on a reified package graph

Uses SPARQL Query syntax

Details Step: Query Package


Query Splunk

Performs a Splunk query and saves the results to a variable in the package.


Stores data in a package table variable

Operates on a reified package graph

Uses Splunk Search Processing Language (SPL) syntax

Details Step: Query Splunk


Query SQL Database

This step allows you to perform queries on any registered SQL database Data Sources (e.g., PostgreSQL or MySQL) for SELECT, UPDATE, DELETE, and INSERT queries.


Uses SQL Query syntax

Details Step: Query SQL Database


Query XML/STIX

Sends an XQuery, written in XQuery syntax, to the XML/STIX database.


Stores data in a package table variable

Uses XQuery syntax

Details Step: Query XML/STIX


ThreatConnect

This step lets you send a query to the ThreatConnect API service using your account's API key and password. The step utilizes the Web Data Source to set up the connection, and then allows both GET and POST requests to ThreatConnect. Responses are stored in package table variables to be used in other steps. (Introduced in DarkLight 5.3.1)


Can use table variable values

Allows FreeMarker Expressions

Requires ThreatConnect API Key

Details Step: ThreatConnect


Web Request

The Web Request step sends data from the package to a remote location on the internet. Options include GET, POST/PUT, and DELETE. Variables can be assigned to collect information returned from the remote server and to collect any response codes.


Can use table variable values

Allows FreeMarker Expressions

Details Step: Web Request

WHOIS Lookup

Stores results of a WHOIS lookup in the package as a value.


Operates on a reified package graph

Stores data in a package table variable

Allows FreeMarker Expressions

Details Step: WHOIS Lookup

Add Type

Assigns an rdf:Type (Class) to the primary object in the graph. This is used to explicitly type the object as a certain class in an ontology. If a reasoner is run after this step, more types may be inferred and added, too. Types are applied to the graph object during the Publish step.


Operates on graph objects

Details Step: Add Type


Change Publish Object

As the package progresses through the playbook steps, graph objects can be added or created. By default, the publish step keeps track of the IRI on the first object in the _default_ graph. (This object is sometimes referred to as the primary individual.) Sometimes you need to publish something other than the original object. This step allows you to enter the IRI of the object you would like to become the publish object (primary individual). It is typically used with the Set Value step to generate an IRI and store it as a variable.


Can use FreeMarker Expressions

Operates on the package graph

Details Step: Change Publish Object


Clear Package Graph

Use this step when you have a graph in the package that you want to keep but whose objects and their properties you want to remove. If you want to remove the graph completely, use Step: Delete Package Graph.

Details Step: Clear Package Graph


Clear Package Variables

Allows the playbook to delete the values assigned to one or more variables in the package. This is typically used to reduce the size of a package to allow for more efficient processing.


Operates on table variable values

Details Step: Clear Package Variables


Combine Packages

This step merges together any packages from the same playbook that have been separated, either by the Split Package step or by one step pointing to two or more steps downstream. Any graphs with the same name are merged together, and any package variables with the same name are combined into an array (table); optionally, only the first value returned for each variable is kept.

Details Step: Combine Packages


Create New Object

This step creates an object and graph with either a generated ID or one made from Freemarker expressions.


Uses FreeMarker Expressions

Details Step: Create New Object


Delete Package Graph

Use this step when you have a graph in the package that you want to delete. If you want to keep the graph but clear its contents, use Step: Clear Package Graph.

Details Step: Delete Package Graph


Edit Collection

Adds or removes a text (string) value (or list of values) to or from a String Collection.


Operates on table variable values

Allows Freemarker templates to select values

Details Step: Edit Collection


Reason

Use selected ontology rules to apply reasoning to one or more graphs in the package. A Construct query will (if available) add classes and properties to the graph. A Select query will return values from the ontology items.


Operates on a reified package graph

Uses SPARQL Query syntax

Details Step: Reason


Set Value

This step can create a new variable in the package table. The value of the variable that is set can be either a string or integer, or it can use Freemarker template expressions to create new variables based on existing variable values.


Operates on table variable values

Allows Freemarker templates to reference values

Details Step: Set Value

Split Package

Splits the current package containing a multi-valued variable into one output package per value. The resulting output packages will not contain the original multi-valued variable. Use this step to perform the same steps on each item in a list.


Operates on table variable values

Details Step: Split Package

Broadcast

The Broadcast step sends the package out to other playbooks that subscribe to it. The entire package is broadcast regardless of what changes have been made to it in the playbook. The subscribing playbook looks for an rdf:type on the reified graph in the package.


Requires a graph object

Details Step: Broadcast


Execute Task

This step lets you execute a script on your local system and pass it parameters from the package table variables.


Can use table variable values

Allows FreeMarker Expressions

Details Step: Execute Task


Generate OpenC2 Message

This step is used to create a properly-formatted JSON output that can be sent to an OpenC2-compliant appliance or software.


Can use table variable values

Allows FreeMarker Expressions

Based on an HTML interface from GitHub user netcoredor under the AGPL v3 license.

Details Step: Generate OpenC2 Message


Post to Slack

This output step uses Slack's Webhook functionality to send a customized message to your company Slack channel.


Allows FreeMarker Expressions

Requires Slack Data Source

Details Step: Post to Slack


Publish

This step will publish the contents of the _default_ graph to Working Memory, Contextual Memory, or another RDF Data Source you have configured.

Operates on a reified package graph

Details Step: Publish to Knowledge Base


Save Package

Writes the package to a JSON data file on disk at a specified location. This can be a very useful step when troubleshooting a playbook. Also see the Inventory View for troubleshooting help.


Allows FreeMarker Expressions in the filename

Details Step: Save Package


Send E-Mail

This step sends an e-mail from the playbook using your e-mail server. It can be customized by using FreeMarker values to use data from the event, typically collected in a Package Query.


Can use table variable values

Allows Freemarker expressions to reference values

Details Step: Send E-mail


Send to JMS

Send the contents of a package variable to a Java Message Service queue or topic at a specified URL.


Can use table variable values

Allows FreeMarker Expressions

Details Step: Send To JMS


Send to Kafka

Send a package variable to a Kafka Data Source.


Can use table variable values

Allows FreeMarker Expressions

Details Step: Send To Kafka

  • Last modified: 2019/08/02 00:11