Hey all,
So I have some playbooks which were working fine previously, but I don't know if something has changed on SOAR side. I'm not sure if this is a new feature, or if i just have never noticed it before, but when you add multiple connections to one block, the function name changes to "join_*" where * is the original function name.
e.g: join_review_results
My playbooks get to part where they would call "join_*" but then doesn't actually run the next function. I guess because it cannot find a function with that name. Not sure why it's not working.
Can i prevent SOAR from renaming the functions? Do i have to rebuilt the playbook to get it to work again?
If i create a test playbook, like attached, it seems to work fine. It's only affecting my existing playbooks.
@CS_ joins are auto created whenever more than 1 path joins to a block and the function is automatically called as you have seen.
A join usually requires all of the previous blocks to have completed before it will call the next function, but it is configurable. If your playbooks are failing then it's likely due to one or more of the expected 'upstream' blocks not being run/completed and therefore the join fails.
You CAN update these settings by selected the Advanced drop-down in the block settings:
In here you can view & select which blocks need to have completed before the function runs. I would recommend taking a look and seeing if there are any items here that may not run under certain conditions and then you may find why it's failing.
On your example there will likely only be one required app in the join (whois_domain) as it doesn't create them for custom functions.
To answer your original question, if you untick all the boxes in the join settings then the function will still be called but won't enforce anything, BUT it may cause the playbook to run differently than expected unless it's simple enough to not need that awareness of upstream actions.
@CS_ joins are auto created whenever more than 1 path joins to a block and the function is automatically called as you have seen.
A join usually requires all of the previous blocks to have completed before it will call the next function, but it is configurable. If your playbooks are failing then it's likely due to one or more of the expected 'upstream' blocks not being run/completed and therefore the join fails.
You CAN update these settings by selected the Advanced drop-down in the block settings:
In here you can view & select which blocks need to have completed before the function runs. I would recommend taking a look and seeing if there are any items here that may not run under certain conditions and then you may find why it's failing.
On your example there will likely only be one required app in the join (whois_domain) as it doesn't create them for custom functions.
To answer your original question, if you untick all the boxes in the join settings then the function will still be called but won't enforce anything, BUT it may cause the playbook to run differently than expected unless it's simple enough to not need that awareness of upstream actions.
