Functions vs Custom Actions

When triggered by Resilient rules and workflows, both custom actions and functions send data to external code, which is code that your organization writes. This external code can then perform activities with your security program and send results to the Resilient platform.

One difference between custom actions and functions is where they send their results. A custom action can populate a custom field or data table within the Resilient platform. A function returns the results to the workflow that invoked the function, which allows the workflow to act upon the results. For example, you can configure both custom actions and functions to perform the following:

  • Perform a lookup for information about a user or machine in an asset database. A custom action updates a data table with the results. A function returns the data to the workflow.
  • Search SIEM logs for an IP address, a URL or a server name. A custom action creates a file attachment with the result, then adds that attachment as an artifact to the system. A function returns a list of events.
  • Use information from the incident, task or artifact to open a ticket in an ITSM system with a type, name and description. The custom action could track the ticket for updates. A function returns the ticket-ID.

Custom actions are a more technical complement to functions. They allow developers to build an application that combines integration activities in specific ways. Custom actions are used to provide a single prescriptive solution that might have more capability but usually gives the administrator less flexibility.

Functions are a modular style of custom actions, simplifying the developer’s code and reducing the learning curve. Functions provide a flexible toolbox that you can use to build workflows that coordinate multiple activities.

You can use the Resilient Circuits framework, which uses the Python language, to develop custom actions. You can also choose to use the API directly if you wish to create your custom actions in another language. Functions require the Resilient Circuits framework.

Whether developing custom actions or functions, you need an integration server. You use this system to develop and deploy your integration packages to your Resilient platform. Non-developers can also use the integration server simply to deploy existing packages. See the Integration Server Guide for details on installing and configuring the server.