Lesson 4: Use Decision Steps

Need to build a workflow that can run different steps depending on the data the workflow receives? Use Decision Steps to create ‘paths’ of steps that the workflow will execute depending on the decisions of your human team members or through automation. This lesson will help you understand how to map your security processes to multiple paths, and how to give your team manual control when you need human intervention in an automated process.

Add a Human Decision Step

To sample using a human decision:

  1. Fire up your Welcome Workflow in the Workflow Builder.

If you can’t find your Welcome Workflow in the Drafts page, create a new draft from the active version of the workflow, or check the Inactive Workflows page.

At this point, your Welcome Workflow should have an API trigger, a Whois action step, and an artifact step.

  2. Add a new step before the Welcome Artifact.
  3. Select Decision from the options that appear.
  4. Name the step Updated 2019?.
  5. Select the Human tab under the “Input” section.
  6. For the first path, enter Not Updated 2019 for the path name and optionally add Whois record not in 2019 for the description.
  7. For the second path, enter Updated 2019 for the path name and optionally add Whois record updated in 2019 for the description.
  8. Click Continue. The Welcome Artifact should now be under the “Not Updated 2019” path of the workflow.
  9. Add a new artifact step under the “Updated 2019” path by clicking the + sign.
  10. Name the artifact 2019 Artifact. In the “Output Format” field, paste in:

      The Whois record for {{[Welcome Trigger].[domain]}} was updated in 2019 on {{[Whois Lookup].[last_updated]}}.

      Click Preview and Add Artifact to exit the configuration panel.
  11. Click on the Welcome Artifact, then click the pencil icon that appears.
  12. Rename the artifact to Not 2019 Artifact. In the “Output Format” field, paste in:

      The Whois record for {{[Welcome Trigger].[domain]}} was not updated in 2019. It was last updated on {{[Whois Lookup].[last_updated]}}.

      Click Preview and Add Artifact to exit the configuration panel.

Now test the workflow:

  13. Click Test, then type rapid7.com for the input.
  14. While the Job Status is Waiting, a decision panel will appear over the Job Details panel. Scroll through the Whois step output and locate the date in the “last_updated” field. In the decision panel, click on the corresponding option, which in this case is Updated 2019.
  15. Click Submit Decision. The test job will continue to process.
  16. When the “Job Status” changes to “Succeeded,” take a look at the Artifacts and Decisions tabs and observe the content in the cards.
  17. Click on the X in the upper right corner of the test “Job Details” panel, then click on the X in the “Test Workflow” panel.
  18. Test the workflow again with rapid7.com, but select Not Updated 2019 when prompted. From the Whois step output, we know that “rapid7.com” was in fact updated in 2019, but ignore this for now. We’ll show you how to automate this fact-checking in the next portion of this lesson.
  19. Observe the content in the new test job details, and how it differs from the details from the Updated 2019 selection.
  20. Optionally activate the workflow to make sure your changes are saved.

Change the Human Decision to an Automated Decision

With the Human Decision step, you tested how to incorporate human input within a workflow. However, with the second test (in Step 18), you were able to select an option that wasn’t correct. When you want to influence which path is taken over another but don’t want to introduce human error, you can use an Automated Decision type instead.

To sample using an automated decision:

  1. Open your Welcome Workflow in the Workflow Builder, and open the configuration details panel for the “Updated 2019?” decision step.
  2. Click on the Automated tab in the Input section to change the decision step type.
  3. Set the “Default Path” field to Not Updated 2019. InsightConnect will use the default path when your data does not meet the conditions that you defined for the other paths.
  4. Click Continue.
  5. Now configure the decision paths. In this tutorial, you only need to configure the “Updated 2019” path, as the “Not Updated 2019” default path will be followed in every case that the conditions for the “Updated 2019” path are not met. Decision paths require a query statement using our Query Language. Build the query in the “Updated 2019” field by clicking on the blue + sign. Select the Whois Lookup.last_updated variable, then type contains “2019” into the field after the variable.
  6. Click Continue.
  7. Test the workflow with rapid7.com again, then observe the artifacts and decisions for the test job. You should see an artifact titled “2019 Artifact.” Consider testing the workflow once more with other .com domains to see if the automated decision takes the other path and displays an artifact titled “Not 2019 Artifact.”
  8. Close the test job details panel and the test panel, then activate the workflow to make sure your changes are saved.
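
The automated decision above, modelled in Python as an added example (not InsightConnect's own code or Query Language). It assumes `contains` is a plain substring test and that `last_updated` is an ISO 8601 string; the sample records and function names are constructed. It shows the default path catching every record that fails the condition, and a substring match firing on a timestamp whose year is not 2019.

```python
from datetime import datetime

DEFAULT_PATH = "Not Updated 2019"   # the lesson's default path
MATCH_PATH = "Updated 2019"

# Constructed Whois step outputs; the real last_updated format is an assumption.
SAMPLES = {
    "updated-2019.example": {"last_updated": "2019-08-27T10:15:02"},
    "updated-2021.example": {"last_updated": "2021-03-04T10:15:02.201900"},
    "updated-2018.example": {"last_updated": "2018-11-30T23:59:59"},
    "no-date.example": {},  # field missing from the lookup result
}


def decide_contains(step_output):
    """Model of the lesson's condition: last_updated contains "2019"."""
    value = step_output.get("last_updated") or ""
    return MATCH_PATH if "2019" in value else DEFAULT_PATH


def decide_parsed_year(step_output):
    """Stricter variant: parse the timestamp and compare the year only."""
    value = step_output.get("last_updated") or ""
    try:
        year = datetime.fromisoformat(value).year
    except ValueError:
        # Missing or unparseable data falls through to the default path.
        return DEFAULT_PATH
    return MATCH_PATH if year == 2019 else DEFAULT_PATH


def compare(samples):
    """Return {domain: (substring decision, parsed-year decision)}."""
    return {
        name: (decide_contains(out), decide_parsed_year(out))
        for name, out in samples.items()
    }


if __name__ == "__main__":
    for domain, (by_substring, by_year) in compare(SAMPLES).items():
        flag = "" if by_substring == by_year else "  <-- decisions differ"
        print(f"{domain:24} contains: {by_substring:18} year: {by_year}{flag}")
```

The 2021 record matches `contains "2019"` only because of its fractional seconds, so testing a decision path with inputs that should not match is as useful as testing the ones that should.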

Congratulations! You created a decision step with two paths and learned the differences between configuration for human decisions and automated decisions.

Human decisions require your team to manually choose which path to take. You can create artifact steps before decision steps to provide your team with the data they need to make informed choices. Automated decisions use query logic: logic statements built in the InsightConnect Query Language. These logic statements tell your workflow which path to take. When deciding which decision type is better for your given case, think about what will help facilitate your team’s work best. Should the workflow be paused for your team to review the workflow data first? A human decision will help. Are you confident that certain paths should always be taken in some situations, like in the example in this lesson? Use an automated decision to direct where your data flows and what you do with it.

Although this example had simple paths that only displayed artifacts, decisions are excellent for paths with multiple steps. For example, if you needed to take further action on an email sent from a suspicious domain or IP, like quarantining the inbox or deleting emails sent from that IP across your organization, you could use the grey + sign in the workflow builder to add steps for each of these processes under the “Take Action” path.