Appendix G - Using Custom Automation Step Schemas
This topic defines parameter schemas for all supported step types in Infinity Playblocks custom automations. Each step includes validation rules and dynamic reference capabilities for use with the Infinity Playblocks Automations API.
For the complete Infinity Playblocks Automations API, see the Swagger documentation.
Parameter References
Supported Reference Types
Many parameters support Parameter References that allow you to dynamically reference values from previous steps or automation parameters:
-
Step References: {{step['Step Name']['field_name']}} - References output from a previous step in the automation flow
-
Automation Parameter References: {{automationParam['parameter_name']}} - References user-defined automation parameters that are passed when the automation is executed
Reference Types
-
ParamRef:-
Supports step outputs and Automation parameters.
-
Most flexible and used where dynamic behavior is expected.
-
-
AutoParamRef:-
Supports automation parameters only and step references not allowed.
-
Restricts to inputs provided by the user during automation execution.
-
Step Categories
Triggers
Trigger steps define how and when an automation starts.
Log Trigger
Monitors log sources and triggers automation when specified conditions are met.
Parameters Schema
{
"filter": string (required),
"interval": TimeInterval (required),
"log_type": string (required),
"source": string (required),
"conditions": LogTriggerCondition[] (optional)
}
Parameters Detail
-
filter (string, required): Log filter query using the log search syntax
-
interval (TimeInterval, required): How frequently to check for new logs (minimum 15 seconds)
Copy{
"value": number,
"unit": "seconds" | "minutes" | "hours" | "days"
} -
log_type (string, required): Type of logs to monitor
-
Valid values: "logs", "audit"
-
-
source (string, required): Log source to monitor
-
Valid values: Quantum Management, Harmony Endpoint, Quantum SD-WAN, CloudGuard WAF, Harmony Email & Collaboration, Harmony SASE
-
-
conditions (array, optional): Additional conditions to apply to the logs
Log Trigger Condition Types
-
Check List
Verify if field values exist in predefined lists.
Copy{
"type": "Check List",
"parameters": {
"value_to_check": string (optional),
"lists": string[] (optional)
}
}Parameter Details:
-
value_to_check (string, optional): The log field name whose value should be checked against the selected lists
-
lists (array, optional): Names of predefined lists to check against
-
Valid lists values:
Allowed Sources,Quarantined Sources,Blocked Sources,Blocked Destinations,Isolated Devices,Playblocks IOCs
-
-
-
Check Fields Values
Match, contains, or exclude field values.
Copy{
"type": "Check Fields Values",
"parameters": {
"match_check": [{"field": string, "value": string}],
"contains_match_check": [{"field": string, "value": string}],
"not_match_check": [{"field": string, "value": string}]
}
}Parameter Details:
-
match_check (string, optional): Array of field-value pairs that must match exactly. The log will only trigger if all specified fields have exactly the specified values.
-
contains_match_check (array, optional): Array of field-value pairs where the field must contain the specified value as a substring. Useful for partial text matching.
-
not_match_check (array, optional): Array of field-value pairs that must not match. The log will only trigger if none of the specified fields have the specified values.
-
-
Check Fields Exist
Verify that specific fields exist in the log.
Copy{
"type": "Check Fields Exist",
"parameters": {
"fields": string[]
}
}Parameter Details:
fields (array, required): Array of log field names that must be present in the log entry. The condition will only be satisfied if all specified fields exist in the log, regardless of their values.
-
Count Logs
Count logs based on criteria.
Copy{
"type": "Count Logs",
"parameters": {
"expression_1": {
"function": "CountDistinct" | "CountOccurrences",
"value": string | ParamRef
},
"operator": "Equal to" | "Not equal to" | "Greater than" | "Greater than or equal to" | "Less than" | "Less than o
"expression_2": number | AutoParamRef,
"time_frame": TimeInterval | ParamRef,
"enrich_logs_with_fields": string[] | ParamRef (optional)
}
}Parameter Details:
-
expression_1 (object, required): Defines what to count in the logs
-
function:
CountDistinctcounts unique values,CountOccurrencescounts total occurrences -
value: The log field name to count (example,
source_ipto count unique IP addresses)
-
-
operator (string, required): Comparison operator for the count condition
-
expression_2 (number/AutoParamRef, required): The threshold number to compare against
-
time_frame (TimeInterval/ParamRef, required): Time window for counting logs (for example, count logs in the last 5 minutes)
-
enrich_logs_with_fields (array, optional): Additional log fields to include in the trigger output for context
-
-
Alert Again
Control re-alerting behavior.
Copy{
"type": "Alert Again",
"parameters": {
"alert_again_time": TimeInterval | ParamRef,
"log_fields_for_key": string[] (optional),
"log_fields_for_value": string[] (optional)
}
}Parameter Details:
-
alert_again_time (TimeInterval/ParamRef, required): Time interval that must pass before the same alert can be triggered again
-
log_fields_for_key (array, optional): Log field names used to create a unique identifier (key) for grouping related log entries. This determines which logs are considered "the same" for alert suppression purposes. For example, using [
source_ip,destination_ip] means alerts will be grouped by the combination of source and destination IPs. -
log_fields_for_value (array, optional): Log field names whose values are tracked for changes. If any of these field values change for the same key, a new alert can be triggered immediately regardless of the alert_again_time. For example, tracking ["severity_level"] means a new alert will trigger if the severity changes, even during the suppression period.
-
-
IP Country
Filter by IP address country.
Copy{
"type": "IP Country",
"parameters": {
"log_field_for_ip": string,
"include_or_exclude": "Included" | "Excluded",
"country_list": string[]
}
}Parameter Details:
-
log_field_for_ip (string, required): The log field name that contains the IP address to check
-
include_or_exclude (string, required): Whether to include or exclude the specified countries
-
Included: Trigger only if the IP is from one of the specified countries
-
Excluded: Trigger only if the IP is NOT from any of the specified countries
-
-
country_list (array, required): List of country codes or names to include or exclude
-
-
Check IP is internal
Check if IP is internal or external.
Copy{
"type": "Check IP is internal",
"parameters": {
"log_field_for_ip": string,
"internal_or_external": "Internal" | "External"
}
}Parameter Details:
-
log_field_for_ip (string, required): The log field name that contains the IP address to check (for example, source_ip, destination_ip)
-
internal_or_external (string, required): Whether to trigger for internal or external IPs
-
Internal: Trigger only if the IP is within your organization's internal network ranges
-
External: Trigger only if the IP is outside your organization's internal network ranges
-
-
-
Check Irregular Hours
Check if log occurred during irregular hours.
Copy{
"type": "Check Irregular Hours",
"parameters": {
"start_time": {
"hour": number (required, range: 0-23),
"minute": number (required, default: 0, range: 0-59)
},
"end_time": {
"hour": number (required, range: 0-23),
"minute": number (required, default: 0, range: 0-59)
}
}Parameter Details:
-
start_time (object, required): Beginning of the irregular hour time window
-
hour: Hour of the day (0-23, where 0 = midnight, 23 = 11 PM)
-
minute: Minute of the hour (0-59, defaults to 0)
-
-
end_time (object, required): End of the irregular hour time window
-
hour: Hour of the day (0-23)
-
minute: Minute of the hour (0-59, defaults to 0)
-
-
Example
{
"type": "Log Trigger",
"name": "Expert Shell login",
"parameters": {
"filter": "operation:\"Log In\" AND product:\"Expert Shell\"",
"interval": {
"unit": "minutes",
"value": 1
},
"log_type": "audit",
"source": "Quantum Management",
"conditions": []
}
}
Schedule Trigger
Triggers automation execution based on a schedule.
Parameters Schema
{
"type": "hourly" | "daily" | "weekly" | "monthly" (required),
"parameters": FrequencySchema (required)
}
Parameter Detail
parameters: Frequency-specific parameters.
Frequency Schema
-
Hourly
Copy{
"every": number (required, default: 1, range: 1-999)
} -
Daily
Copy{
"every": number (optional, default: 1, range: 1-999),
"time": {
"hour": number (required, range: 0-23),
"minute": number (required, default: 0, range: 0-59)
}
} -
Weekly
Copy{
"on_days": string[] (required),
"time": {
"hour": number (required, range: 0-23),
"minute": number (required, default: 0, range: 0-59)
}
}-
Valid on_days values: sun, mon, tue, "wed", "thu", "fri", "sat"
-
-
Monthly
Copy{
"every": number (optional, default: 1, range: 1-999),
"on_days": number[] (required, range: 1-30),
"time": {
"hour": number (required, range: 0-23),
"minute": number (required, default: 0, range: 0-59)
}
}
Example
{
"type": "Schedule Trigger",
"name": "Daily Report",
"parameters": {
"type": "daily",
"parameters": {
"every": 1,
"time": {
"hour": 9,
"minute": 0
}
}
}
}
Notifications
Notification steps handle user interaction and external communications.
Ask
Prompts users for input with predefined response options.
Parameters Schema
{
"subject": string (required),
"message": string (required),
"event_details": EventDetails (required),
"user_response_options": string[] (required),
"response_option_after_timeout": string (required),
"notification_profile": string | AutoParamRef (required)
}
Parameters Detail
-
subject (string, required): Question or prompt title (max length is 300 characters)
-
message (string, required): Detailed message or description (max length is 600 characters)
-
event_details (object, required): Structured information to display to users in notifications and prompts. This allows you to present relevant context data in a formatted way, such as IP addresses, user names, timestamps, or any other relevant information from the automation flow.
Copy{
"enabled": boolean,
"event_details_fields": [
{
"name": string,
"value": string | number | ParamRef
}
]
} -
user_response_options (array, required): Exactly 2 unique response options
-
response_option_after_timeout (string, required): Default response if user do not respond (must match one of the response options)
-
notification_profile (string, required): Notification delivery method that determines how and to whom the notification is sent. This refers to predefined notification profiles configured in your Infinity Playblocks system, such as Immediate attention, Low attention, or custom profiles that specify recipients, delivery channels (such as email, SMS, and so on), and timing preferences.
Example
{
"type": "Ask",
"name": "Approve Action",
"parameters": {
"subject": "Suspicious activity detected",
"message": "Should we block this IP address?",
"event_details": {
"enabled": true,
"event_details_fields": [
{
"name": "IP Address",
"value": "{{step['Log Trigger']['client_ip']}}"
}
]
},
"user_response_options": ["Block", "Ignore"],
"response_option_after_timeout": "Block",
"notification_profile": "Immediate attention"
}
}
Notify
Sends notifications to users or teams.
Parameters Schema
{
"subject": string | ParamRef (required),
"message": string | ParamRef (optional),
"event_details": EventDetails (required),
"notification_profile": string | AutoParamRef (required)
}
Parameters Detail
-
subject (string/ParamRef, required): Notification subject/title (max length is 300 characters)
-
message (string/ParamRef, optional): Notification body message (max length is 600 characters)
-
event_details (object, required): Structured information to display to users in notifications and prompts. This allows you to present relevant context data in a formatted way, such as IP addresses, user names, timestamps, or any other relevant information from the automation flow.
-
notification_profile (string, required): Notification delivery method that determines how and to whom the notification is sent. This refers to predefined notification profiles configured in your Playblocks system, such as "Immediate attention", "Low attention", or custom profiles that specify recipients, delivery channels (email, SMS, webhook), and timing preferences.
Example
{
"type": "Notify",
"name": "Notify admins",
"parameters": {
"subject": "Expert Shell login detected",
"message": "Administrative access detected on critical system",
"event_details": {
"enabled": true,
"event_details_fields": [
{
"name": "Administrator",
"value": "{{step['Expert Shell login']['administrator']}}"
},
{
"name": "Client IP",
"value": "{{step['Expert Shell login']['client_ip']}}"
}
]
},
"notification_profile": "Immediate attention"
}
}
Open Ticket
Creates tickets in external ticketing systems.
Parameters Schema
{
"subject": string | ParamRef (required),
"description": string | ParamRef (required),
"event_details": EventDetails (required),
"ticket_types": TicketTypes (optional)
}
Parameters Detail
-
subject (string/ParamRef, required): Ticket title/summary (max length is 300 characters)
-
description (string/ParamRef, required): Ticket description/details (max length is 600 characters)
-
event_details (object, required): Structured information to include with the ticket. This allows you to attach relevant context data to the ticket, such as affected systems, security indicators, timestamps, or any other information that will help ticket handlers understand and respond to the issue.
-
ticket_types (object, optional): Ticket type per connector
Copy{
"jira": string | ParamRef (optional),
"service_now": string | ParamRef (optional)
}-
Valid service_now values:
Low,Moderate,High,Critical
-
Example
{
"type": "Open Ticket",
"name": "Create Security Incident",
"parameters": {
"subject": "Security Alert: {{step['Log Trigger']['event_type']}}",
"description": "Automated security incident created from Playblocks",
"event_details": {
"enabled": true,
"event_details_fields": [
{
"name": "Source IP",
"value": "{{step['Log Trigger']['source_ip']}}"
},
{
"name": "Severity",
"value": "High"
}
]
},
"ticket_types": {
"jira": "Default",
"service_now": "Moderate"
}
}
}
Enrichments
Enrichment steps gather additional information about entities like IPs, URLs, and files.
Enrich IP
Enriches IP addresses with reputation and geo-location data.
Parameters Schema
{
"ip": string | ParamRef (required)
}
Parameters Detail
ip (string/ParamRef, required): IPv4 address to enrich (must be valid IPv4 format when not using parameter reference)
Example
{
"type": "Enrich IP",
"name": "Enrich client IP",
"parameters": {
"ip": "{{step['Expert Shell login']['client_ip']}}"
}
}
Enrich URL
Enriches URLs with reputation and analysis data.
Parameters Schema
{
"url": string | string[] | ParamRef (required)
}
Parameters Detail
url (string/array/ParamRef, required): URL(s) to enrich (must be valid URL format when not using parameter reference)
Example
{
"type": "Enrich URL",
"name": "Analyze suspicious URL",
"parameters": {
"url": "{{step['Log Trigger']['requested_url']}}"
}
}
Enrich File
Enriches file hashes with reputation and analysis data.
Parameters Schema
{
"file_hash": string | ParamRef (required)
}
Parameters Detail
file_hash (string/ParamRef, required): File hash to enrich (must be valid MD5, SHA-1, or SHA-256 hash when not using parameter reference)
Example
{
"type": "Enrich File",
"name": "Check file reputation",
"parameters": {
"file_hash": "{{step['Log Trigger']['file_hash']}}"
}
}
Conditions
Condition steps implement conditional logic in automation flows.
Condition
Evaluates conditions and determines the next step based on the result.
Parameters Schema
{
"condition": Condition[] (required)
}Condition Object
{
"expression_1": ParamRef (required),
"operator": string (required),
"expression_2": string | number | boolean (required)
}
Parameters Detail
-
conditions(array, required): Array of condition objects to evaluate
-
expression_1 (ParamRef, required): Parameter reference to evaluate (must be in format
{{step['Step Name']['field']}}) -
operator (string, required): Comparison operator
-
Valid values:
Equal to,Not equal to,Greater than,Greater than or equal to,Less than,Less than or equal to
-
-
expression_2 (string/number/boolean, required): Value to compare against
Example
{
"type": "Condition",
"name": "Check IP reputation",
"parameters": {
"conditions": [
{
"expression_1": "{{step['Enrich client IP']['reputation']}}",
"operator": "Equal to",
"expression_2": "Malicious"
}
]
}
}
Actions
Action steps perform specific operations like blocking IPs, creating indicators, or running other automations.
Add to List
Adds elements (IPs, domains, ranges) to security lists on Quantum Gateway.
Parameters Schema
{
"element": string | ParamRef (required),
"list": string (required),
"exceptions_list": string (optional),
"duration": TimeInterval | ParamRef (required),
"add_reason": string (required)
}
Parameters Detail
-
element (string/ParamRef, required): IPv4 address to add to the list (must be valid IPv4 when not using parameter reference)
-
list (string, required): Target list name
-
Valid values:
Allowed Sources,Quarantined Sources,Blocked Sources,Blocked Destinations
-
-
exceptions_list (string, optional): Exception list name (same valid values as list)
-
duration (TimeInterval/ParamRef, required): How long to keep the element in the list
-
add_reason (string, required): Reason for adding the element
Create IOC Management Indicators
Creates multiple Indicators of Compromise (IOCs) in the threat intelligence system
Parameters Schema
{
"indicators": IocIndicator[] | ParamRef (required),
"expiration_in_days": number | ParamRef (required)
}
IoC Indicator Object
{
"indicator_value": string | ParamRef (required),
"indicator_type": string | ParamRef (required),
"name": string | ParamRef (required),
"description": string | ParamRef (optional),
"confidence": "Low" | "Medium" | "High" (required),
"severity": "Low" | "Medium" | "High" | "Critical" (required)
}
Parameters Detail
-
indicators (array/ParamRef, required): Array of IOC indicator objects
-
expiration_in_days (number/ParamRef, required): Days until indicators expire
-
indicator_type valid values:
url,ip,domain,md5,sha256,sha1,ipv4
Example
{
"type": "Create IOC Management Indicators",
"name": "Create threat indicators",
"parameters": {
"indicators": [
{
"indicator_value": "{{step['Log Trigger']['malicious_ip']}}",
"indicator_type": "ip",
"name": "Suspicious IP from logs",
"description": "IP detected in security logs",
"confidence": "High",
"severity": "Medium"
}
],
"expiration_in_days": 30
}
}
Run Automation
Executes predefined automation templates with custom parameters.
Parameters Schema
{
"automation_name": string (required),
"automation_params": object (required),
"input": object (required),
"event_details": EventDetails (optional)
}
Parameters Detail
-
automation_name (string, required): Name of the automation to run
-
Valid values:
Block external IP,Quarantine internal IP,Open ticket and notify,Isolate Endpoint device
-
-
automation_params: Parameters specific to the chosen automation
-
input: Input data specific to the chosen automation
-
event_details (object, optional): Structured information to include with the automation execution. This allows you to pass additional context data that may be used by the target automation or included in its notifications.
Automation-Specific Schema
-
Block external IP
Copy
{
"automation_params": {
"Block reason": string (required),
"IP block duration": TimeInterval | ParamRef (required),
"Notification message": string (required),
"Notification message (not added)": string (required),
"Notification profile (IP was blocked)": string (required),
"Notification profile (IP was not blocked)": string (required),
"Notification subject": string (required),
"Notification subject (not added)": string (required)
},
"input": {
"Block IP": string | ParamRef (required)
}
} -
Quarantine internal IP
Copy
{
"automation_params": {
"Quarantine reason": string (required, max length: 300 characters),
"IP quarantine duration": TimeInterval | ParamRef (required),
"Notification message": string (required, max length: 600 characters),
"Notification message (not added)": string (required, max length: 600 characters),
"Notification profile (Device IP was quarantined)": string (required),
"Notification profile (Device IP was not quarantined)": string (required),
"Notification subject": string (required, max length: 300 characters),
"Notification subject (not added)": string (required, max length: 300 characters),
"Open ticket if device IP was quarantined": boolean | ParamRef (required)
},
"input": {
"Quarantine IP": string | ParamRef (required)
}
} -
Open ticket and notify
Copy
{
"automation_params": {
"Open ticket": boolean | ParamRef (required),
"Notification profile": string (required),
"ServiceNow ticket type": string (required),
"Jira ticket type": string (required)
},
"input": {
"Notification subject": string | ParamRef (required, max length: 300 characters),
"Notification message": string | ParamRef (required, max length: 600 characters),
"Ticket subject": string | ParamRef (required, max length: 300 characters),
"Ticket description": string | ParamRef (required, max length: 600 characters)
}
} -
Isolate Endpoint device
Copy
{
"automation_params": {
"Device isolation duration": TimeInterval | ParamRef (required),
"Notification subject": string | ParamRef (required, max length: 300 characters),
"Notification message": string (required, max length: 600 characters),
"Open ticket if device was isolated": boolean | ParamRef (required),
"Notification profile": string (required)
},
"input": {
"type": "Harmony Endpoint" (required),
"deviceName": string | ParamRef (required),
"deviceIp": string | ParamRef (required),
"machineId": string | ParamRef (required),
"comment": string (required)
}
}
Example
{
"type": "Run Automation",
"name": "Block external threat",
"parameters": {
"automation_name": "Block external IP",
"automation_params": {
"Block reason": "Automated blocking from threat detection",
"IP block duration": {
"value": 24,
"unit": "hours"
},
"Notification message": "IP has been blocked due to suspicious activity",
"Notification message (not added)": "IP could not be blocked",
"Notification profile (IP was blocked)": "Immediate attention",
"Notification profile (IP was not blocked)": "Immediate attention",
"Notification subject": "External IP Blocked",
"Notification subject (not added)": "External IP Block Failed"
},
"input": {
"Block IP": "{{step['Log Trigger']['external_ip']}}"
}
}
}
Common Data Types
TimeInterval
Represents a duration with a numeric value and time unit.
{
"value": number (required),
"unit": "seconds" | "minutes" | "hours" | "days" (required)
}
EventDetails
Structured data for displaying information in notifications and tickets.
{
"enabled": boolean (required),
"event_details_fields": [
{
"name": string (required),
"value": string | number | ParamRef (required)
}
] (required)
}
Parameter Behavior and Validation Notes
Parameter References
When referencing outputs from previous steps, the referenced step must come earlier in the automation flow.
Validation
-
All parameter values are validated against their defined schema.
-
Invalid input cause automation creation to fail.
Optional Parameters
-
Parameters marked as optional can be omitted without error.
-
Defaults may apply depending on the schema.
String Length Limits
Text fields may have maximum character limits, which vary by field type (for example, input field, name, ID).
Trigger Output Requirements
-
Trigger steps (for example, Log Trigger, Schedule Trigger) must include an
output_examplefield. -
This defines the data structure they provide to downstream steps.