Executing multiple processes simultaneously enhances the efficiency of your security operations. For example, when investigating an incident, you'll often want to enrich indicators using multiple vendors at the same time.
Running steps concurrently reduces total execution time: the parallel section takes as long as its slowest branch to complete.
All parallel branches have to finish before the workflow continues.
How to use
Create parallel executions: Drag a step from the Builderbox, or from within your workflow, and drop it over another step to create a parallel branch.
A branch can consist of a single step or an entire logic pattern.
Parallel step executions can be made of multiple branches.
Add branches: To create additional branches, drag and drop additional steps onto the Parallel executions operator or onto one of the existing branches.
Define branch logic: Add steps to each branch to execute the required logic.
When a step inside a parallel branch fails, the whole workflow fails. To ignore a step's failure instead, open the step's Execution Options > Ignore failure and set it to Yes.
The steps following the parallel branches will only be initiated after all branches finish executing.
All downstream steps in the workflow can access the output from all parallel branches.
Use case
Enrich a suspicious IP address
Use multiple branches to run concurrent enrichments on a suspicious IP, each using a different threat intel vendor.
In this example, AlienVault, RecordedFuture, and VirusTotal are used to enrich a given IP address concurrently. The If operator in each branch first checks whether enrichment with that vendor is required; if so, the IP address is enriched by the steps inside the If.
Create the first branch by adding an If operator to your workflow, then add the AlienVault Get information for an IPv4 address step inside it.
Drag and drop another If operator onto the existing one to create a parallel branch for RecordedFuture. Repeat to create a branch for VirusTotal.
Add the relevant enrichment steps to each branch.
Receiving information
Immediately after the vendor data is returned in each branch, a Slack message summarizing that vendor's information is sent. Because the messages go out as each vendor responds, their order is not predictable.
Using the information gathered
In this example, the Exit operator provides a summary of the information received from all threat intel vendors, extracted from the output of each parallel branch.
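The branch semantics described above (every enabled branch runs concurrently, the workflow continues only after all branches finish, a failing step fails the workflow unless Ignore failure is set, per-branch Slack messages go out in completion order, and the Exit step sees every branch's output) as an added Python sketch; this is not part of this documentation or the product. The vendor steps are constructed stand-ins with made-up response fields, and run_parallel and summarize are hypothetical helper names.

```python
import concurrent.futures as cf
import time

class BranchFailed(Exception):
    """A branch step failed and Ignore failure was not set: the workflow fails."""

def run_parallel(branches, ip, ignore_failure=False, notify=None):
    """Run every enabled branch concurrently and block until all have finished.
    branches = {name: (enabled, step)}: 'enabled' plays the If operator deciding whether
    the vendor is needed, 'step' is the enrichment call. Returns {name: output} for
    every branch (None when the branch was skipped or its failure was ignored)."""
    outputs, futures = {}, {}
    with cf.ThreadPoolExecutor(max_workers=max(1, len(branches))) as pool:
        for name, (enabled, step) in branches.items():
            if not enabled:                    # If operator's "no" path: nothing to run
                outputs[name] = None
                continue
            futures[pool.submit(step, ip)] = name
        for fut in cf.as_completed(futures):   # completion order, not submission order
            name = futures[fut]
            try:
                outputs[name] = fut.result()
            except Exception as exc:
                if not ignore_failure:         # pool still waits for running branches
                    raise BranchFailed(f"{name}: {exc}") from exc
                outputs[name] = None
                continue
            if notify:                         # per-branch Slack-style message, as data arrives
                notify(f"{name} -> {outputs[name]}")
    return outputs

def summarize(outputs):
    """Exit-operator style summary: downstream steps see every branch's output."""
    verdicts = {n: o["malicious"] for n, o in outputs.items() if o is not None}
    return {"vendors_reporting": sorted(verdicts),
            "flagged_by": sorted(n for n, m in verdicts.items() if m)}

# Constructed stand-ins for the vendor steps: no network, made-up response shapes.
def alienvault(ip):
    time.sleep(0.05)
    return {"malicious": True, "pulses": 3}

def recordedfuture(ip):
    time.sleep(0.01)
    return {"malicious": False, "risk_score": 20}

def virustotal(ip):
    raise TimeoutError("constructed API timeout")   # exercises the failure paths
BRANCHES = {"AlienVault": (True, alienvault), "RecordedFuture": (True, recordedfuture),
            "VirusTotal": (True, virustotal)}
```

Run with `ignore_failure=True` to see the VirusTotal branch recorded as None while the other two still report; without it the same input raises BranchFailed once the pool has drained.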