SPLK-2003 Logic, Filters, and User Interaction

Logic, Filters, and User Interaction Detailed Explanation

In Splunk SOAR, automation isn't just about doing things fast — it's about doing them smart. That’s where logic and filters come in. And when automation needs help, user interaction bridges the gap with human decision-making.

1. Logic in Playbooks

Logic determines how your playbook reacts to different conditions. It controls the flow of automation based on the results of actions, inputs, or events.

Decision Blocks

A Decision Block is the main logic element in visual playbooks. It lets you ask yes/no or multi-condition questions like:

• "Is this IP in a blacklist?"

• "Is the file hash reputation unknown?"

• "Is the case severity greater than 'Medium'?"

Depending on the answer, the playbook can:

• Branch into different paths.

• Run different actions.

• End early or escalate the case.

Example:

If reputation_score > 80 → Mark as malicious.

Else → Mark as benign.

Comparison Operators

Decision blocks support a wide range of comparison operations to define conditions:

• == (equals)

• != (not equals)

• > / < (greater than / less than)

• >= / <= (greater than or equal to / less than or equal to)

• in (value exists in a list)

• not in (value does not exist in a list)

• is empty, is not empty

These operators allow for very specific control over playbook behavior.

Nested Logic

You can chain or nest multiple decision blocks together to handle complex scenarios.

Example:

• First decision: Is it a phishing email?

  • Yes → Check if sender domain is known.

    • No → Escalate to analyst.

    • Yes → Proceed with containment.

This lets your playbook act more like a human analyst thinking through a situation.

2. Filters

Filters help the playbook work with only the relevant data, which improves both accuracy and performance.

Artifact Filters

Artifacts are the data items (e.g., IPs, file hashes) extracted from an event. You can use artifact filters to:

• Select only certain types of artifacts.

  • Example: “Only process artifacts where type = ‘IP Address’”

• Ignore low-priority data.

  • Example: “Ignore URLs with risk score < 50”

Filters make sure that actions only target the right data.

Action Filters

Some playbooks apply filters before calling an action, so it only runs when the input meets specific criteria.

Example:

• Run VirusTotal lookup only if the file hash is not already known.

• Block IP only if its risk score is above 70.

This avoids unnecessary or redundant actions, which improves performance and reduces cost (especially with APIs).

Performance Benefits

Filters reduce the amount of data and the number of operations in each playbook run:

• Faster execution

• Lower chance of errors

• More scalable for large volumes of alerts

3. User Interaction

Even with powerful automation, sometimes a human decision is necessary — that’s where user interaction features come in.

Prompts

Prompts are used to pause the playbook and ask a question to an analyst.

Example:

• “Do you want to isolate the affected endpoint?”

Prompts include:

• A message/question

• Input fields (Yes/No, dropdown, free text, etc.)

• An assigned user or role

Until someone responds, the playbook will wait.

Choices

Prompts can offer multiple selectable options, such as:

• Severity levels: Low / Medium / High

• Action types: Quarantine / Notify / Escalate

• Teams: SOC Tier 1 / Tier 2 / Legal

These options make responses standardized and easier to process.

Delays

Sometimes you want the playbook to pause before continuing, either to:

• Wait for external systems to respond.

• Give analysts time to review.

• Throttle sensitive actions.

Example: Delay 5 minutes before auto-closing a resolved case.

Targeted Prompts

You can assign a prompt to:

• A specific user

• A specific role

• A group/team

This ensures that the right person is making the decision — not just anyone logged into SOAR.

Summary

Category	Feature	Purpose & Example
Logic	Decision Block	Branch playbook based on score, status, or other values
Logic	Comparison Operators	Define conditions (==, >, in, etc.)
Logic	Nested Decisions	Handle complex, multi-step evaluations
Filters	Artifact Filter	Focus only on IPs, URLs, or other specific artifacts
Filters	Action Filter	Only perform actions when conditions are met
Filters	Performance Boost	Reduce unnecessary operations
User Interaction	Prompts	Pause playbook for human input
User Interaction	Choices	Provide dropdowns or options for structured input
User Interaction	Delays	Wait for a certain amount of time before next step
User Interaction	Targeted Prompts	Direct questions to the right analyst or team

Logic, Filters, and User Interaction (Additional Content)

1. Default Paths in Decision Blocks

In Splunk SOAR, Decision Blocks are used to route playbook logic based on conditions. If none of the specified conditions are met, the playbook can follow a default path to ensure it doesn’t get stuck or fail unexpectedly.

Key Point: “If no conditions in a Decision Block are met, the playbook can continue through a default path (if configured). This prevents the playbook from stalling unexpectedly.”

Example Use Case:

• Decision block checks for:

  • Severity == High

  • Severity == Medium

• If neither condition matches (e.g., severity is Low), the default path can be used to:

  • End the playbook

  • Log a message

  • Trigger a minimal workflow

Exam Tip:
This concept often appears in True/False or behavior-based questions, such as:

• If no conditions are matched in a Decision Block, the playbook will always stop execution. → False

2. Prompt Timeout Handling

By default, Prompt Blocks pause the playbook until a human user responds. However, to prevent indefinite delays, analysts can configure timeout settings and fallback behaviors.

Key Features:

• Prompt Timeout: Sets a maximum wait time (e.g., 10 minutes, 2 hours).

• Timeout Action: Defines what to do if no response is received.

Use Case:

• Escalate the case if no analyst responds within 30 minutes.

• Use a default value (e.g., auto-isolate the host).

• Send a Slack message notifying the shift lead.

Clarifying Sentence: “Analysts can configure a prompt timeout to avoid indefinite pauses. A timeout action can be defined, such as escalating the case or continuing with default input.”

3. Error Branching in Decision Blocks

Sometimes a Decision Block may evaluate a variable or field that’s missing, malformed, or throws an error (e.g., trying to compare an empty string or null value).

To handle this safely, Decision Blocks support error branches.

Benefits:

• Prevent playbook crashes

• Route errors to specific handling paths

• Trigger alerts or fallback logic

Clarifying Sentence: “Decision blocks can be configured to handle errors gracefully, by using an ‘error’ branch that ensures the playbook doesn't crash if unexpected data is encountered.”

4. Filters in Code Blocks

In addition to visual filters on artifacts or actions, many developers use custom Python filtering in Code Blocks for complex logic.

Why It Matters:

• Visual filters are limited to basic comparisons.

• Python allows:

  • Regex filtering

  • Nested list/dictionary processing

  • Advanced data parsing

Clarifying Sentence: “In code-based playbooks, developers often apply additional filtering using Python for complex logic not covered by visual filters.”

Example:

filtered = [i for i in ip_list if not i.startswith("192.168")]

5. Using Tags in Logic Triggers

Tags applied to containers, artifacts, or events are often used in logic conditions to trigger specific playbook flows.

Example Logic:

if "VIP" in container.get("tags", []):
    # Take extra precautions

Use Cases:

• Apply extra validation for VIP users

• Route phishing emails with "external" tag to Tier 2 team

Clarifying Sentence: “Tags added to events or containers can be used in decision logic, e.g., if ‘VIP’ in container.tags to trigger special handling.”

6. Multi-language Support for User Interaction

In global or MSSP environments, SOAR supports multi-language customization in user interaction blocks (e.g., Prompts, Choices).

Features:

• Prompt text, dropdowns, tooltips can be localized per team

• Ensures clarity and consistency for analysts in different regions

Clarifying Sentence: “User interaction elements like Prompts and Choices can be customized in multiple languages, supporting international teams and regional workflows.”

Exam Implication:

• Scenario questions may ask:

  • How would a multinational MSSP ensure prompt clarity across teams?

  • Correct answer: Customize prompt text per language region.

Summary

Topic	Key Clarification
Default Path in Decision Block	Ensures execution continues if no condition is met
Prompt Timeout	Avoids indefinite waits; enables fallback behavior
Error Handling in Decisions	Adds resilience when data is missing or broken
Code Block Filters	Allows fine-grained data filtering with Python
Tags in Logic	Used to trigger condition-based playbook routing
Multi-language Prompts	Supports global analyst teams with localized inputs