Components
As an orchestrator, Turbine offers two helpful options for building components. You can either use a Swimlane-built component, if it meets your needs, to save time and effort to achieve a desired outcome, or you can build and customize your own reusable component. Customizing components that exist in your component library saves you time recreating or duplicating work, copying a component and modifying as needed, and provides desired outcome flexibility.

Components, also known as vendor interaction components (VICs), focus on the intent of the vendor action. Vendor APIs send data in differing formats. That data needs to be in common data formats. For best practices, use components to set an intent, then configure vendor-specific details.

Turbine components focus on:

- Ingestion
- Enrichment

Why use ingestion components

Turbine ingestion components get data from third-party tools and transform that data into appropriate Open Cybersecurity Schema Framework (OCSF)/Turbine Extendable Data Schema (TEDS) objects. Using ingestion components:

- Provides preconfigured intents for your playbook framework to reduce time building
- Allows mass data ingestion
- Uses ingested data downstream in the playbook and/or the promoted results for use outside the playbook

Why use enrichment components

Turbine enrichment components ingest data from third-party tools and transform data into appropriate OCSF/TEDS objects to improve incident response investigations for threat hunting.

Benefits of components

- Reusability: Components can be reused across multiple playbooks, allowing you to avoid duplicating effort when building workflows.
- Modularity: Components break complex workflows into smaller, manageable sections, making it easier to maintain and update workflows.
- Customizability: Both Swimlane-built and user-made components can be customized to fit your organization's specific requirements.
- Efficiency: Pre-built components can save time when creating workflows, allowing you to quickly implement frequently used
functionality.

Components homepage

To access components, follow these steps:

1. Log in to Turbine.
2. From the left-hand navigation pane, click Orchestration and click Components.

From the Components homepage, you can see:

Feature: Function

- Title: The pre-existing Swimlane component, or the user-made component title. The component title field has a maximum character limit of 50 characters.
- Interface: Existing interfaces.
- Source: Custom (user made) or Swimlane content.
- Updates: Recent updates made to the component.
- Search: Enter keyword(s) to search for a component.
- Filter: Use to sort by source, interface, or created by.
- Sort by: Use to sort by last modified, last created, or alphabetical.
- Arrow icon: Click to modify view between ascending results and descending results.
- Ellipsis icon: Click to export or delete.
- Plus icon: Click to open the New Component dialog and define a new component.

Component

There are a few ways to engage with Turbine components. As seen above, from the Components homepage, you create a new component from a series of actions in a workflow or use pre-built components from the Turbine content. Before looking at those, let's review the component canvas user interface (UI).

The component canvas operates on a drag-and-drop functionality. To the left, the Add panel provides a list of actions and components (pre-built and user made). The Add panel is where you can view, search, filter, sort, and/or drag and drop actions and components.

Components can be:

- Filtered by user made
- Sorted by source or interface

The component default view is
alphabetical by user made, where you can easily expand or collapse the list.

To add a component, click on the desired component, then drag to the plus icon to the expanding responsive drop zone. Repeat to add additional components.

Defining terms and icons

The table shows the icon and meaning for the component toolbar.

Icon meanings:

- Show/hide the Add panel
- Create a component from actions on the canvas
- Zoom drop-down menu
- Show/hide the Component Details panel
- Open test console at the bottom of the window
- Shows options to export, duplicate, or delete a component

Create component from homepage

To create a new, user-made component, follow these steps:

1. From the Components homepage, click the plus icon.
2. The New Component dialog opens, where you must enter a name and can add a description. The example shows a new component created using two CrowdStrike vendor actions: Get IDs and Get Incident Details. Click Save to create the component and open the component canvas.

If you do not want a component, you can always use the navigation pane to click Library, then Components. From there, click the ellipsis icon next to the component, and click Delete. After you click Delete, you receive a confirmation dialog. Once you delete, you cannot undo this step. Click the mouse icon and hold. The dialog closes once the deletion is complete.

Referring back to step 2, now that the component canvas is open, use the Add panel to find the two CrowdStrike vendor actions: Get IDs and Get Incident Details. The example below walks you through the process of finding and adding the actions to the canvas.

1. From the Add panel, ensure the Actions tab is selected and the Sort drop-down has Vendor.
2. For a quick search, filter by vendor. Click the filter icon and select CrowdStrike. The results show only the CrowdStrike actions.
3. Scroll through and select the desired actions, then click and drag each action onto the canvas.

You've successfully added actions to the component. From here you can add/delete actions, configure, and/or
modify them later. The component is always accessible under user-made components and in your content library. Save your work frequently!

Swimlane components

Components, also known as vendor interaction components (VICs), focus on the intent of the vendor action. Vendor APIs send data in differing formats. That data needs to be in common data formats. For best practices, use components to set an intent, then configure vendor-specific details.

Turbine components focus on:

- Ingestion
- Enrichment

Why use Swimlane content components

Turbine ingestion components get data from with Turbine Extendable Data Schema (TEDS). Using ingestion components:

- Provides preconfigured intents for your playbook framework to reduce time building
- Allows mass data ingestion
- Uses ingested data downstream in the playbook and/or the promoted results for use outside the playbook

Why use Swimlane content components

Turbine enrichment components ingest data from third-party tools and transform data into appropriate OCSF/SOS objects to improve incident response investigations for threat hunting.

To select a preconfigured component, click on Library and click Swimlane Content. The Swimlane Content homepage opens and you can scroll down to the Components section. Click Install to download the desired component, and then access it by either your user content library, or from the Components tab in the Add panel on your playbook canvas.

Component details

When creating a component, anytime you click on the canvas, the Component Details panel displays in the right-hand side. The table below describes the individual component detail tabs.

Tab: Details

- Summary: Has the component name, schema (if applied), description, source type, and button to create a copy.
- Assets: Shows the connectors that have assets. These drop-downs could be empty. You can use this drop-down to also select and apply an asset to a connector.
- Data: Shows interface image, preset or user-defined interface and drop-down menu, inputs/outputs, configure hyperlink.
- Associations: Shows the number of dependent playbooks or components.

This panel is available whether you get a component from the Swimlane content or if you create one yourself.

Hero AI visibility options

- Visible to Hero AI: Enables the component to be accessed by Hero AI. Default state is off. When this setting is enabled, components cannot support attachments as an input type. Users will see an error when trying to save.
- Requires confirmation to execute: When enabled, Hero AI prompts the user to confirm execution before running the component. This is automatically enabled when Visible to Hero AI is toggled on. You can manually disable it for safe-to-run components.

How to configure

1. Go to Component Details and open the Summary tab.
2. Toggle Visible to Hero AI to on.
3. Optionally, disable Requires confirmation to execute if the component should run automatically.
4. Save the component.

Data interfaces

Interfaces define the expected data structure for a component, enabling components to be easily swapped without breaking data mappings. When two components use the same interface, you can replace one with the other and preserve all mapped input and output fields.

Each interface specifies what inputs a component accepts and what outputs it produces, promoting consistency and simplifying reuse across the canvas. For example, a remediation interface might require fields such as observable and action type, ensuring that compatible components can be used interchangeably.

Term: Component interface
Definition: Interface is the data shape that can be applied to Turbine components.
Defining characteristics: Used with components. Makes it so components can be easily swapped.

To assign an interface:

1. Navigate to Orchestration and select Components.
2. Create or open a component in the component builder.
3. Click the Data tab in the Component Details panel.
4. Under the Interface section, choose from available interfaces like Object to Alert v1.0.2 or Error to Enrichment v1.0.2.

Warning: If you switch from a predefined
interface to User defined, a dialog appears prompting you to either transfer available mappings into custom-defined fields, or clear all mappings and start with a blank configuration. This action cannot be undone, so review your current mappings before confirming.

User defined

If none of the predefined interfaces match your use case, select User defined to manually configure the inputs and outputs using the Component Inputs Manager. This gives you full control over the data your component receives and returns.

Supported input types include:

- String – hostnames, file names, or email addresses
- Number – severity scores, thresholds
- Boolean – true/false flags
- Object – structured fields with nested properties
- Array – lists of strings, numbers, or objects
- Attachment – file payloads or binary data

Once you save your configuration, these inputs appear under the Inputs tab in the Data panel and can be mapped like interface-defined fields.

Figure: User-defined inputs visible in interface

User-made components from canvas

From a playbook canvas, you can create a user-made component. Create a playbook and add the desired use case actions. Let's say that you want to use the same set of tasks again in the current or another playbook. The example below walks you through how to group actions into a component and ungroup the component, as needed.

Scenario

You have created a playbook with the purpose of retrieving a list of emails and evaluating and conducting a URL analysis. The playbook canvas below shows the Gmail List Emails action followed by two downstream VirusTotal actions: the Analyse a URL action and Get Analyses action. In the future, you want to use the two VirusTotal actions to analyze a URL.

To create the component:

1. From the canvas toolbar, click the Create Component icon. Each action now has a circle next to it.
2. Select the desired steps to create your component and click Create Component.
3. Click Create Component again.
4. When the New Component window opens, enter the component name. Best practice is to
name the component with the desired outcome/task you want. In this case, since we want to analyze a URL using only VirusTotal actions, enter VirusTotal – Analyze URL, then click Save.

You've successfully created a component inside a playbook canvas! This component is available in your Components tab in the Add panel and in your user content library.

What if you need to change the component? Easy! The icons above a component enable once you've selected it. The table below defines the icons.

Icon meanings:

- Edit component inputs/outputs/additional options
- Ungroup component
- Open in component builder
- Delete component

If you choose to ungroup a component, it detaches it from the component library. It splits the individual steps on the canvas and, where applicable, removes interface, inputs, and/or outputs. A warning dialog opens and you must click Continue.
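
The rules stated under "Hero AI visibility options" and "Data interfaces" above can be checked mechanically when reviewing a component library. The following is an added example, not Swimlane's code or export format: the dictionary layout, key names and sample components are hypothetical, and treating "user defined" components as not swappable is an assumption.

```python
# Added illustration. The dict layout and key names are hypothetical (not
# Turbine's export format); the rules checked are the ones stated on this page.
SUPPORTED_INPUT_TYPES = {"string", "number", "boolean", "object", "array", "attachment"}
MAX_TITLE_LEN = 50  # component title limit from the Components homepage table


def audit_component(component):
    """Return (errors, review_items) for one component definition."""
    errors, review = [], []
    inputs = component.get("inputs", {})
    if len(component["title"]) > MAX_TITLE_LEN:
        errors.append(f"title exceeds {MAX_TITLE_LEN} characters")
    for name, type_ in inputs.items():
        if type_ not in SUPPORTED_INPUT_TYPES:
            errors.append(f"input '{name}' has unsupported type '{type_}'")
    if component.get("visible_to_hero_ai", False):  # default state is off
        attachments = sorted(n for n, t in inputs.items() if t == "attachment")
        if attachments:  # the page says saving fails in this combination
            errors.append("visible to Hero AI with attachment input(s): " + ", ".join(attachments))
        # Confirmation is switched on automatically with visibility, so an
        # "off" value is a deliberate override that should be reviewed.
        if not component.get("requires_confirmation", True):
            review.append("Hero AI can execute this component without user confirmation")
    return errors, review


def swappable(a, b):
    """True when both use the same predefined interface, so mappings survive a swap.

    Assumption: 'user defined' components are treated as not swappable, because
    their inputs and outputs are configured per component.
    """
    return a["interface"] != "user defined" and a["interface"] == b["interface"]


# Constructed sample components (names, interface label and fields are made up).
BLOCK_IP = {"title": "Firewall - Block observable", "interface": "remediation",
            "inputs": {"observable": "string", "action_type": "string"},
            "visible_to_hero_ai": True, "requires_confirmation": False}
ISOLATE_HOST = {"title": "EDR - Isolate host", "interface": "remediation",
                "inputs": {"observable": "string", "action_type": "string"}}
DETONATE_FILE = {"title": "Sandbox - Detonate file", "interface": "user defined",
                 "inputs": {"sample": "attachment"}, "visible_to_hero_ai": True}

if __name__ == "__main__":
    for c in (BLOCK_IP, ISOLATE_HOST, DETONATE_FILE):
        print(c["title"], audit_component(c))
    print("swap ok:", swappable(BLOCK_IP, ISOLATE_HOST))
```

Errors correspond to configurations the page says cannot be saved or are outside the listed input types; review items are allowed configurations where the confirmation prompt has been turned off.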