Configure Action Integrations
Action integrations are external applications that are used to take appropriate actions on indicators shared by the network in the Network Collection. These integrations include all apps available in the Cyware Orchestrate App Store.
How does it work?
To get started, first configure the app instances that you want to include in your playbooks. After you configure the app instances, go to Intel Operations (Cyware Orchestrate) > Playbooks from the main menu, and create playbooks using app actions from one or more integrations.
Next, go to ACD and link your playbooks while creating automation rules. When the rule conditions are met, ACD automatically triggers your linked playbook. You can also run these playbooks manually at any time from the Intel Repository. For more information, see Create Automation Rules.
Understand Indicator Data for Playbook Actions
ACD shares a structured indicator payload with Orchestrate playbooks. Each indicator includes attributes such as type, value, confidence score, and expiration time. Review this data format to understand how fields map to the actions you configure in an integration. This helps you create playbooks that correctly map indicator fields to the input format expected by your action integrations.
Each received indicator includes the following standardized data structure that is passed as input to your playbooks:
```json
[
  {
    "conf_score": 50,
    "expiration_time": 1776175449,
    "id": "a9c8e3c5-4d6c-4138-a57b-6bf51537c2f7",
    "ioc_type": "ipv4-addr",
    "ioc_value": "192.65.80.13",
    "tlp": "AMBER"
  }
]
```
When an actioning automation rule triggers a playbook on multiple indicators, the input format remains the same but includes an array of indicator objects, as shown below:
```json
[
  {
    "conf_score": 55,
    "expiration_time": 1776175660,
    "id": "b2d7c4e1-91a8-43cd-8b9b-5ad1713ec941",
    "ioc_type": "ipv4-addr",
    "ioc_value": "203.0.113.45",
    "tlp": "GREEN"
  },
  {
    "conf_score": 70,
    "expiration_time": 1776175788,
    "id": "c4f9a2b6-3de1-4c8a-92c1-7ff93a66b4f3",
    "ioc_type": "ipv4-addr",
    "ioc_value": "198.51.100.24",
    "tlp": "AMBER"
  }
]
```
Supported IOC Formats
ACD sends indicators with standardized ioc_type values. The following table lists the exact values you will receive in the ioc_type field. Use these values to map indicator fields correctly in your playbooks, especially when your action integrations expect different field names or formats.
| Indicator | ioc_type value |
|---|---|
| Domain | |
| Email Address | |
| IPv4 Address | ipv4-addr |
| IPv6 Address | |
| MD5 Hash | |
| SHA1 Hash | |
| SHA224 Hash | |
| SHA256 Hash | |
| SHA384 Hash | |
| SHA512 Hash | |
| SSDEEP Hash | |
| URL | |
Create an App Instance
You must create and configure an app instance before you can use its actions in a playbook.
To create an instance, follow these steps:
1. From the main menu, go to Automated Collective Defense > Integrations.
2. Click Action to view the list of all supported integrations.
3. Browse the list to find the required integration, and click Install.
4. After installation, click Configure to create an instance and authenticate with the selected integration. Enter the required authentication parameters and click Add Instance.
5. Once the instance is created, click the vertical ellipsis next to the instance and select Test Connectivity. This verifies whether the connection to the integration was successful.
Note
If the test fails, you can review and update the existing configuration or create a new instance.
After successfully establishing the connection, create a playbook in Intel Operations (Cyware Orchestrate) using actions from one or more configured integrations. Ensure each integration you use has at least one configured instance to enable actioning through automation playbooks.
Example: Create a Playbook to Filter IPv4 Indicators and Upload to CrowdStrike Falcon
This example demonstrates how you can create an ACD playbook that filters incoming threat indicators and uploads only IPv4 addresses to a configured CrowdStrike Falcon instance. Use this to understand how ACD automation rules pass indicator data to a playbook and how you can map and process that data inside your playbook steps. For more information about playbooks, see Playbooks.
Before you Start
Set up and authenticate your CrowdStrike Falcon app instance in Cyware Orchestrate. For more information, see CrowdStrike Falcon.
Steps
To create a playbook, follow these steps:
1. Process the incoming indicator array to isolate the IPv4 indicators. The Start node automatically receives the ACD indicator array when an automation rule triggers the playbook or when you manually execute the playbook against a specific indicator.
   a. From the Main Menu, go to Intel Operations > Playbooks, and click Create Playbook.
   b. Drag and drop the Custom Action node from the Nodes panel onto the playbook canvas. For more information about playbook nodes, see Playbooks Nodes.
   c. Connect the Start node to the Custom Action node.
   d. Select the node and click Edit to edit the node details. This node will be node 1 in your playbook. You can reference it as ${1.<field>} when mapping dynamic paths in the next steps.
   e. In the Input Data section, create a variable, for example, event_data, and map its value to the playbook input using the function ${pb_input()}. This passes the entire array of ACD indicators to your custom code.
   f. In the Custom Code section, use the following code to iterate through the input data and append only the indicators that have an ioc_type of ipv4-addr to a new list called cleaned_data:
   ```python
   def script_function(event_data):
       # event_data is the array of ACD indicator objects passed via ${pb_input()}
       cleaned_data = []
       for i in event_data:
           # Keep only IPv4 indicators
           if i['ioc_type'] == "ipv4-addr":
               # Rename the type to the value CrowdStrike Falcon expects
               i['ioc_type'] = "ipv4"
               cleaned_data.append(i)
       return cleaned_data
   ```
   Note
   The line i['ioc_type'] = "ipv4" is required because ACD provides IPv4 indicators using the type ipv4-addr, while CrowdStrike expects ipv4. These differences vary across integrations, so always refer to the integration documentation of the app you are using to understand the exact keys and formats it requires. If ACD outputs a different field name or format, use Custom Code to normalize the data before passing it to the app. For more information about supported integrations, see Integrations.
2. Connect the filtered data output from the custom action node to your CrowdStrike integration to perform the upload action.
   a. Drag the App Action node from the Nodes panel onto the canvas.
   b. Search for the CrowdStrike Falcon app and select the Upload Indicators action from the Action dropdown. This will be your node 2.
   c. In the Input Data section, map the required parameters for the CrowdStrike action to the output of the custom action node using dynamic paths:
      - IOC Type: Enter ${1.ioc_type} to use the ioc_type value from each indicator passed by node 1 (the custom action node).
      - IOC Value: Enter ${1.ioc_value} to use the indicator value (ioc_value) from each indicator passed by node 1 (the custom action node).
      - Action: Define how Falcon should treat the IOC when observed on a host.
      - Platform: Enter the platforms that the indicator applies to.
   d. After mapping the required fields and adding any optional values based on your Falcon configuration, save the node and connect it to the previous node. For more information on the other fields, see CrowdStrike Falcon.
3. Complete the process by saving your playbook and linking it to an ACD automation rule to activate the workflow.
   a. Click Validate to check for any errors or warnings in your playbook flow.
   b. Enter a name for your playbook in the Basic Details section of Playbook Details, then click Save and Exit to finalize the playbook.
   c. Go to Main Menu > Automated Collective Defense > Automation Rules and click Create.
   d. In Trigger, select Intel Received in Network Collection.
   e. In Action, choose the playbook you created to link it to the automation workflow.
Once the rule is active, the playbook runs in both automatic and manual scenarios. Indicators that match your trigger conditions will automatically flow through the playbook, and you can also manually execute the playbook on any indicator as needed.
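The custom action in step 1 above rewrites ioc_type for a single integration. The following added example is not part of the Cyware documentation or the Orchestrate product; it carries the same filtering logic as a stand-alone Python function that you can run and test locally before pasting it into the Custom Code section. It generalizes the page's script in three ways: the type rename is table-driven so other integrations can be served by editing one dictionary, the input may be either a single indicator object or an array (both shapes appear in the payload description above), and the function copies indicators instead of editing them in place, so the original array stays intact for any later playbook node. Only the ipv4-addr to ipv4 mapping comes from the page; the REQUIRED_FIELDS list is taken from the payload shown above, and the domain-name sample record is a constructed non-IPv4 indicator whose type value is an assumption, not one ACD is documented to send.

```python
"""Added example: filter and normalize an ACD indicator payload for an
action integration. Not code from the Cyware documentation."""
import copy

# Assumption: how the target integration names IOC types. Only the
# ipv4-addr -> ipv4 entry is stated on the page (CrowdStrike Falcon);
# add further entries only after checking the integration's own docs.
TYPE_MAP = {
    "ipv4-addr": "ipv4",
}

# Field names taken from the ACD payload format shown on this page.
REQUIRED_FIELDS = ("id", "ioc_type", "ioc_value",
                   "conf_score", "expiration_time", "tlp")

# Constructed sample input modelled on the multi-indicator payload above.
SAMPLE_INPUT = [
    {"conf_score": 55, "expiration_time": 1776175660,
     "id": "b2d7c4e1-91a8-43cd-8b9b-5ad1713ec941",
     "ioc_type": "ipv4-addr", "ioc_value": "203.0.113.45", "tlp": "GREEN"},
    {"conf_score": 70, "expiration_time": 1776175788,
     "id": "c4f9a2b6-3de1-4c8a-92c1-7ff93a66b4f3",
     "ioc_type": "ipv4-addr", "ioc_value": "198.51.100.24", "tlp": "AMBER"},
    # Constructed non-IPv4 record; "domain-name" is a placeholder type value
    # used only to show that the filter drops it.
    {"conf_score": 60, "expiration_time": 1776175800,
     "id": "00000000-0000-4000-8000-000000000000",
     "ioc_type": "domain-name", "ioc_value": "example.invalid", "tlp": "AMBER"},
]


def normalize_indicators(event_data, type_map=TYPE_MAP):
    """Return a new list containing only indicators whose ioc_type the
    target integration supports, with ioc_type rewritten to that
    integration's name.

    - Accepts a single indicator object or an array of them, since
      ${pb_input()} hands the node whatever ACD sent.
    - Never mutates the input: each kept indicator is deep-copied first.
    - Skips items that are not objects or lack a required field, so one
      malformed record cannot abort the whole upload.
    """
    if isinstance(event_data, dict):
        event_data = [event_data]
    cleaned_data = []
    for item in event_data:
        if not isinstance(item, dict):
            continue
        if any(field not in item for field in REQUIRED_FIELDS):
            continue
        mapped_type = type_map.get(item["ioc_type"])
        if mapped_type is None:
            continue  # type not supported by this integration
        out = copy.deepcopy(item)
        out["ioc_type"] = mapped_type
        cleaned_data.append(out)
    return cleaned_data


def script_function(event_data):
    """Entry point in the shape the Custom Action node expects (the same
    function name the page uses); delegates to normalize_indicators."""
    return normalize_indicators(event_data)


if __name__ == "__main__":
    for ioc in script_function(SAMPLE_INPUT):
        print(ioc["ioc_type"], ioc["ioc_value"])
```

Running the module prints the two IPv4 indicators with their type rewritten to ipv4 and omits the constructed domain record. Because the function never edits its input, the array that ${pb_input()} delivered still holds the original ipv4-addr values if a later node needs them.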