Components
As an orchestrator, Turbine offers two helpful options for building components. You can either use a Swimlane-built component, if it meets your needs, to save time and effort to achieve a desired outcome, or you can build and customize your own reusable component. Customizing components that exist in your component library saves you time recreating or duplicating work, copying a component and modifying as needed, and provides desired outcome flexibility.

Components, also known as vendor interaction components (VICs), focus on the intent of the vendor action. Vendor APIs send data in differing formats. That data needs to be in common data formats for best practices. Use components to set an intent, then configure vendor-specific details.

Turbine components focus on:

- Ingestion
- Enrichment

Why use ingestion components

Turbine ingestion components get data from third-party tools and transform that data into appropriate Open Cybersecurity Schema Framework (OCSF)/Turbine Extendable Data Schema (TEDS) objects. Using ingestion components:

- Provides preconfigured intents for your playbook framework to reduce time building
- Allows mass data ingestion
- Uses ingested data downstream in the playbook and/or the promoted results for use outside the playbook

Why use enrichment components

Turbine enrichment components ingest data from third-party tools and transform data into appropriate OCSF/TEDS objects to improve incident response investigations for threat hunting.

Benefits of components

- Reusability: components can be reused across multiple playbooks, allowing you to avoid duplicating effort when building workflows.
- Modularity: components break complex workflows into smaller, manageable sections, making it easier to maintain and update workflows.
- Customizability: both Swimlane-built and user-made components can be customized to fit your organization's specific requirements.
- Efficiency: pre-built components can save time when creating workflows, allowing you to quickly implement frequently used functionality.

Limitations

| Limit | Value |
| --- | --- |
| Actions on the canvas | No fixed maximum; add as many actions as your workflow requires |
| Component nesting depth | Up to 10 levels deep |
| Loop nesting depth | Up to 5 levels deep |
| Component run timeout (default) | 4 hours total from start; extends by up to 1 hour per period of job activity |
| Component run timeout (maximum) | 24 hours when set in the component manifest |
| Individual action timeout (default) | 15 minutes for connector and most native actions |
| Action input and output size | 20 MiB per action |
| Component name length | 50 characters maximum |
| Component name characters | Letters, numbers, and underscore only (a–z, A–Z, 0–9, _) |
| Component description length | 255 characters maximum |

For the full timeout and limit reference, see Timeouts and Limits (/orchestration/playbooks/timeouts%20and%20limits.md).

If a component name exceeds 50 characters or includes characters other than letters, numbers, or underscores, save can fail with an error. Shorten the name or replace spaces and special characters with underscores before you save. You can edit the name on the component details panel Summary tab at any time.

Components homepage

To access components, follow these steps:

1. Log in to Turbine.
2. From the left-hand navigation pane, click Orchestration and click Components.

From the components homepage, you can see:

| Feature | Function |
| --- | --- |
| Title | The component name shown for each Swimlane content or user-made component (same value as the name field) |
| Interface | Existing interfaces |
| Source | Custom (user-made) or Swimlane content |
| Updates | Recent updates made to the component |
| Search | Enter keyword(s) to search for a component |
| Filter | Use to sort by source, interface, or created by |
| Sort by | Use to sort by last modified, last created, or alphabetical |
| Arrow icon | Click to modify view between ascending results and descending results |
| Ellipsis icon | Click to export or delete |
| Plus icon | Click to open the New Component dialog and define a new component |

Component

There are a few ways to engage with Turbine components. As seen above, from the components homepage, you create a new component from a series of actions in a workflow or use pre-built components from the Turbine content. Before looking at those, let us review the component canvas user interface (UI).

The component canvas operates on a drag-and-drop functionality. To the left, the Add panel provides a list of actions and components (pre-built and user-made). The Add panel is where you can view, search, filter, sort, and/or drag and drop actions and components. Components can be:

- Filtered by user-made
- Sorted by source or interface

The component default view is alphabetical by user-made, where you can easily expand or collapse the list. To add a component, click on the desired component, then drag to the plus icon to the expanding responsive drop zone. Repeat to add additional components.

Defining terms and icons

The table shows the icon and meaning for the component toolbar.

| Icon | Meaning |
| --- | --- |
| (image: hide/show Add panel icon) | Show/hide the Add panel |
| (image: create component icon) | Create a component from actions on the canvas |
| (image: zoom icon) | Zoom drop-down menu |
| (image: show/hide component details icon) | Show/hide the component details panel |
| (image: test console icon) | Open test console at the bottom of the window |
| (image: ellipsis icon) | Shows options to export, duplicate, or delete a component |

Create component from homepage

To create a new, user-made component, follow these steps:

1. From the components homepage, click the plus icon. The New Component dialog opens, where you must enter a name and can add a description. The name can be up to 50 characters and must contain only letters, numbers, and underscores. See Limitations for the full rules.
2. Click Save to create the component and open the component canvas.

If you do not want a component, you can always use the navigation pane to click Library, then Components. From there, click the ellipsis icon next to the component, and click Delete. After you click Delete, you receive a confirmation dialog. Once you delete, you cannot undo this step. Click the mouse icon and hold. The dialog closes once the deletion is complete.

Referring back to step 2, now that the component canvas is open, use the Add panel to find the two CrowdStrike vendor actions: Get IDs and Get Incident Details. The example below walks you through the process of finding and adding the actions to the canvas.

1. From the Add panel, ensure the Actions tab is selected and the Sort drop-down has Vendor.
2. For a quick search, filter by vendor. Click the filter icon and select CrowdStrike. The results show only the CrowdStrike actions.
3. Scroll through and select the desired actions, then click and drag each action onto the canvas.

You've successfully added actions to the component. From here you can add/delete actions, configure, and/or modify them later. The component is always accessible under user-made components and in your content library.

Save your work frequently!
Swimlane components

Components, also known as vendor interaction components (VICs), focus on the intent of the vendor action. Vendor APIs send data in differing formats. That data needs to be in common data formats for best practices. Use components to set an intent, then configure vendor-specific details.

Turbine components focus on:

- Ingestion
- Enrichment

Why use Swimlane content components

Turbine ingestion components get data from with Turbine Extendable Data Schema (TEDS). Using ingestion components:

- Provides preconfigured intents for your playbook framework to reduce time building
- Allows mass data ingestion
- Uses ingested data downstream in the playbook and/or the promoted results for use outside the playbook

Why use Swimlane content components

Turbine enrichment components ingest data from third-party tools and transform data into appropriate OCSF/SOS objects to improve incident response investigations for threat hunting.

To select a preconfigured component, click on Library and click Swimlane Content. The Swimlane Content homepage opens and you can scroll down to the Components section. Click Install to download the desired component, and then access it by either your user content library, or from the Components tab in the Add panel on your playbook canvas.

Component details

When creating a component, anytime you click on the canvas, the component details panel displays in the right-hand side. The table below describes the individual component detail tabs.

| Tab | Details |
| --- | --- |
| Summary | Has the component name (editable; same limits as Limitations), schema (if applied), description, source type, and button to create a copy |
| Assets | Shows the connectors that have assets. These drop-downs could be empty. You can use this drop-down to also select and apply an asset to a connector |
| Data | Shows interface image, pre-set or user-defined interface and drop-down menu, inputs/outputs, configure hyperlink |
| Associations | Shows the number of dependent playbooks or components |

This panel is available whether you get a component from the Swimlane content or if you create one yourself.

Hero AI visibility options

| I want to… | Topic |
| --- | --- |
| Edit a component on the canvas with natural language | Create and modify components with Hero AI (component building mode) |
| Run a component from the general companion chat | How Hero AI executes components |
| Understand companion vs building modes | Hero AI companion |

For guidance on names, descriptions, and interfaces that work well with Hero AI and AI SOC, see AI-friendly component best practices.

Visible to Hero AI

Enables the general companion to discover and run this component from chat. Default state is off. This is not the same as component building mode, which edits the component on the canvas when the component builder is open.

When this setting is enabled, components cannot support attachments as an input type. Users will see an error when trying to save.

Requires confirmation to execute

When enabled, Hero AI prompts the user to confirm execution before running the component. This is automatically enabled when Visible to Hero AI is toggled on. You can manually disable it for safe-to-run components.

How to configure

1. Go to component details and open the Summary tab.
2. Toggle Visible to Hero AI to on.
3. Optionally, disable Requires confirmation to execute if the component should run automatically.
4. Save the component.

Data interfaces

Interfaces define the expected data structure for a component, enabling components to be easily swapped without breaking data mappings. When two components use the same interface, you can replace one with the other and preserve all mapped input and output fields. Each interface specifies what inputs a component accepts and what outputs it produces, promoting consistency and simplifying reuse across the canvas. For example, a remediation interface might require fields such as observable and action type, ensuring that compatible components can be used interchangeably.

| Term | Definition | Defining characteristics |
| --- | --- | --- |
| Component interface | Interface is the data shape that can be applied to Turbine components | Used with components. Makes it so components can be easily swapped |

To assign an interface:

1. Navigate to Orchestration and select Components.
2. Create or open a component in the component builder.
3. Click the Data tab in the component details panel.
4. Under the Interface section, choose from available interfaces like object to alert v1.0.2 or error to enrichment v1.0.2.

Warning: If you switch from a predefined interface to User Defined, a dialog appears prompting you to either transfer available mappings into custom-defined fields, or clear all mappings and start with a blank configuration. This action cannot be undone, so review your current mappings before confirming.

User defined

If none of the predefined interfaces match your use case, select User Defined to manually configure the inputs and outputs using the component inputs manager. This gives you full control over the data your component receives and returns.

Supported input types include:

- String – hostnames, file names, or email addresses
- Number – severity scores, thresholds
- Boolean – true/false flags
- Object – structured fields with nested properties
- Array – lists of strings, numbers, or objects
- Attachment – file payloads or binary data

Once you save your configuration, these inputs appear under the Inputs tab in the Data panel and can be mapped like interface-defined fields.

User-made components from canvas

From a playbook canvas, you can create a user-made component. Create a playbook and add the desired use case actions. Let us say that you want to use the same set of tasks again in the current or another playbook. The example below walks you through how to group actions into a component and ungroup the component, as needed.

Scenario: You have created a playbook with the purpose of retrieving a list of emails and evaluating and conducting a URL analysis. The playbook canvas below shows the Gmail List Emails action followed by two downstream VirusTotal actions: the Analyse a URL action and Get Analyses action. In the future, you want to use the two VirusTotal actions to analyze a URL.

To create the component:

1. From the canvas toolbar, click the create component icon. Each action now has a circle next to it.
2. Select the desired steps to create your component and click Create Component.
3. Click Create Component again.
4. When the new component window opens, enter the component name. Best practice is to name the component with the desired outcome or task. The name can be up to 50 characters and must contain only letters, numbers, and underscores. See Limitations. In this case, since we want to analyze a URL using only VirusTotal actions, enter virustotal_analyze_url, then click Save.

You've successfully created a component inside a playbook canvas! This component is available in your Components tab in the Add panel and in your user content library.

What if you need to change the component? Easy!
If you choose to ungroup a component, it detaches it from the component library. It splits the individual steps on the canvas and, where applicable, removes interface, inputs, and/or outputs. A warning dialog opens and you must click Continue.
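
The limits and Hero AI rules documented on this page, collected into a pre-save review check. This is an added example, not Swimlane code; the dictionary keys (name, description, inputs, nesting_depth, loop_depth, timeout_hours, visible_to_hero_ai, requires_confirmation) are a hypothetical layout assumed for illustration and are not Turbine's manifest format.

```python
import re

# Limits as stated in the Limitations section of this page.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,50}")
MAX_DESCRIPTION, MAX_NESTING, MAX_LOOPS, MAX_TIMEOUT_H = 255, 10, 5, 24
INPUT_TYPES = {"string", "number", "boolean", "object", "array", "attachment"}


def suggest_name(name):
    """Swap runs of disallowed characters for one underscore, cap at 50."""
    return re.sub(r"[^A-Za-z0-9_]+", "_", name).strip("_")[:50]


def lint_component(comp):
    """Return findings for one component definition (hypothetical dict layout)."""
    findings = []
    name = comp.get("name", "")
    if not NAME_RE.fullmatch(name):
        findings.append(f"name: not saveable, suggested '{suggest_name(name)}'")
    if len(comp.get("description", "")) > MAX_DESCRIPTION:
        findings.append("description: longer than 255 characters")
    types = [field.get("type") for field in comp.get("inputs", [])]
    for bad in sorted({t for t in types if t not in INPUT_TYPES}, key=str):
        findings.append(f"inputs: unsupported type '{bad}'")
    if comp.get("nesting_depth", 1) > MAX_NESTING:
        findings.append("nesting: components nested more than 10 levels deep")
    if comp.get("loop_depth", 0) > MAX_LOOPS:
        findings.append("loops: nested more than 5 levels deep")
    if comp.get("timeout_hours", 4) > MAX_TIMEOUT_H:
        findings.append("timeout: above the 24 hour maximum")
    if comp.get("visible_to_hero_ai", False):
        # Attachment inputs cannot be saved once the component is chat-visible.
        if "attachment" in types:
            findings.append("hero_ai: attachment input blocks save")
        # Confirmation is on by default; flag components where it was turned off.
        if not comp.get("requires_confirmation", True):
            findings.append("hero_ai: runs from chat without confirmation")
    return findings


# Constructed sample definitions, not real Turbine exports.
SAMPLES = [
    {"name": "virustotal_analyze_url", "description": "Analyze a URL",
     "inputs": [{"name": "url", "type": "string"}]},
    {"name": "Isolate host (CrowdStrike)!", "loop_depth": 6,
     "inputs": [{"name": "evidence", "type": "attachment"}],
     "visible_to_hero_ai": True, "requires_confirmation": False},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for finding in lint_component(sample) or ["ok"]:
            print(f"{sample['name']}: {finding}")
```

The last finding is the one to route to a reviewer: it marks a component that the general companion can run from chat with the confirmation prompt turned off.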