Code Block
Overview
The Code Block is an Arcanna.ai component that lets security analysts run custom Python code directly within the pipeline. Whether you need to perform additional processing, run custom checks, or manipulate alert data, the Code Block lets you do it wherever you want in the flow of your security alerts. Just like other components, you can add, move, or rearrange multiple Code Blocks anywhere in the pipeline, which gives you complete control over how and when your custom logic is applied.
Key Features
- Custom Python Code: Write and execute Python code within your pipeline to tailor the alert processing.
- In-Browser Execution: Test your code on a sample alert directly in the UI, before committing it to the pipeline.
- Code Variables: Define variables (e.g. secrets) for flexible and secure coding.
- Resource Management: Configure the memory and execution time limit for your code to ensure it runs smoothly.
- Security Limits: Only selected libraries and Python features are allowed for security and simplicity.
How It Works
1. Adding a Code Block
You can add a Code Block anywhere in your pipeline, just like any other component (e.g., between Context Enrichment and Post decision). The code you write will be executed on each event that passes through this stage of the pipeline.
To add a Code Block to a job, first go to the Flows page by clicking the Flows icon in the side menu.
Then click the Add Integration button.
A drawer will appear where you can select which integration to add to your job. Choose Code Block.
The Create Code Block page will open, which contains a Python code editor where you can write your custom code.
2. Writing Code
Inside the Code Block interface, there’s a Python code editor where you can write the logic you want to apply over your alerts. This could be data transformation, additional checks, or even external API calls using limited but powerful Python libraries. Arcanna.ai provides a safe execution environment, so while you have freedom with your code, some Python libraries are restricted for security and performance reasons.
As an example of Python code you can write in the editor, we modify the alert by adding a new field called custom_event_severity (a string) whose value is derived from the existing severity field (strings from 1 to 3).
3. Testing and Running Code in the Browser
Before you commit your code to run on live data, you can test it directly in the browser. The UI offers a test window in which a random alert from the pipeline is presented as sample input; use it to check that your logic behaves as expected.
You can always fetch another random alert from the already processed events to test with varied data, or load a specific event if you know its identifier.
As noted above, some Python statements and libraries are restricted and cannot be used; the UI reports a relevant error when you try to run such code.
After writing your code, simply run it in the UI, and the output will show you how your code modifies the provided alert.
Note:
Custom code can affect every alert passing through the pipeline, so it is important to test thoroughly before deploying your Code Block to ensure it works as expected without unintended side effects.
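Worked example of the transformation described under Writing Code, together with the kind of multi-event check the testing advice above calls for. This is an added illustration, not Arcanna.ai's code or the editor's template: it assumes the alert is handled as a plain Python dict and returned modified, and the low/medium/high labels and the sample alerts are constructed here. How the Code Block runtime passes the alert in and collects the result is defined by the editor's own template, not by this function's signature.

```python
"""
Added example (not Arcanna.ai's code): derive a string field
`custom_event_severity` from the existing `severity` field, whose documented
values are the strings "1" to "3", and run it over several constructed
alerts before it ever touches live traffic.

Assumptions not taken from the page: the alert is a plain dict, the function
returns the modified dict, and the label names below are our own choice.
"""
from typing import Any

# Assumed mapping from the page's "1".."3" severity strings to labels.
SEVERITY_LABELS = {"1": "low", "2": "medium", "3": "high"}

# Label used when severity is missing, not a string, or outside "1".."3".
UNKNOWN_LABEL = "unknown"


def add_custom_severity(alert: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the alert with custom_event_severity added.

    A Code Block runs on every alert in the pipeline, so an unexpected
    value must not raise: a malformed alert gets "unknown" instead of
    stopping the stage for everything behind it.
    """
    out = dict(alert)  # never mutate the caller's object
    raw = alert.get("severity")
    # Tolerate an integer 2 as well as the documented string "2", and
    # stray whitespace around the value.
    key = str(raw).strip() if raw is not None else None
    out["custom_event_severity"] = SEVERITY_LABELS.get(key, UNKNOWN_LABEL)
    return out


# Constructed sample alerts standing in for the UI's random test events.
# The last three are the edge cases a single random alert would not show.
SAMPLE_ALERTS = [
    {"id": "a-1", "severity": "1", "rule": "failed-login-burst"},
    {"id": "a-2", "severity": "3", "rule": "suspicious-lsass-access"},
    {"id": "a-3", "severity": 2, "rule": "new-admin-created"},     # int, not str
    {"id": "a-4", "rule": "dns-anomaly"},                           # field missing
    {"id": "a-5", "severity": "critical", "rule": "c2-beacon"},    # out of range
]


def run_self_test(alerts=SAMPLE_ALERTS) -> dict[str, str]:
    """Run the transform over every sample and return id -> label.

    Mirrors the "test on several events before saving" advice: code that
    raised on a-3, a-4 or a-5 is caught here rather than in production.
    """
    results: dict[str, str] = {}
    for alert in alerts:
        enriched = add_custom_severity(alert)
        # The input must be left untouched; only the returned copy changes.
        assert "custom_event_severity" not in alert
        results[alert["id"]] = enriched["custom_event_severity"]
    return results


if __name__ == "__main__":
    for alert_id, label in run_self_test().items():
        print(f"{alert_id}: {label}")
```

The point of the edge cases is the note above: once saved, this code runs on every alert, so a value you did not anticipate should degrade to a sentinel label, not an exception.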
4. Resource Settings
You can control the resources allocated to the Code Block:
- Memory: Set the memory allocation (default 10 MB, maximum 150 MB).
- Execution Time: Specify the time limit for the code to run (default 3 seconds, maximum 300 seconds).
Adjust these settings based on the complexity of your code to ensure it executes efficiently without affecting the overall pipeline performance.
5. Using Variables
If your code requires additional inputs, such as secrets (API keys, credentials, etc.), reference them through predefined variables within the Code Block rather than hard-coding them in the editor. This keeps sensitive values out of the code itself while maintaining consistency across the pipeline.
6. Save your Code Block
When you’re ready, you can save and apply the Code Block. When new data is processed, it will automatically be run over all relevant alerts in the pipeline.
7. Rearrange Integrations
Like other components, the Code Block can be rearranged anywhere in the pipeline, giving you complete flexibility over its placement. You can drag and drop to adjust where the Code Block runs relative to other integrations in the Arcanna.ai job.
8. Review Updated Alerts
Once the Code Block is live, you’ll be able to see the results of your custom logic in newly processed alerts. For example, if your code adds a new field (like custom_event_severity), you can confirm the change by reviewing the updated alert data in the Event Explorer.
Use Cases for Code Block
The Code Block is perfect for scenarios where you need:
- Custom data transformations that go beyond Arcanna.ai’s out-of-the-box components.
- Enrichment logic that isn’t covered by existing integration components.
- On-the-fly decision-making for specific alerts or security events.
- Advanced alert processing that requires real-time modifications.
Limitations
To keep things secure and performant, there are some restrictions:
- Only approved Python libraries are available.
- Certain Python features (e.g., threads or file system access) are disabled.
- Custom code can affect every alert passing through the pipeline, so test thoroughly before deploying.