Create Incidents from Orchestrate Playbook
You can use Orchestrate playbooks to create incidents in Cyware Fusion and Threat Response (CFTR) from Orchestrate. Creating incidents is only one of the CFTR actions a playbook can run; for the full list of actions, see the Cyware Fusion and Threat Response (CFTR) app documentation.
Before you Start
Ensure that the CFTR app from the Orchestrate Appstore is installed in your Orchestrate application. For more information about how to install an app and add an instance in Orchestrate, see Apps.
Ensure that the CFTR instance in which you want to create the incidents is configured in the CFTR app in Orchestrate. For more information about how to create a CFTR instance, see Create a CFTR Instance in Orchestrate.
Cyware recommends that you be familiar with the Orchestrate general flowchart algorithms and their functions. For more information, see Playbooks.
Create a Playbook for Creating Incidents
To create a playbook for creating incidents, go to your Orchestrate application and perform the following steps.
Go to Menu > Playbooks.
On the Playbooks page, on the top-right corner, click New.
On the Playbook - New page, under the Overview section, enter the playbook details, such as Name, Description, Tags, and Labels.
Select the Status as ACTIVE.
On the top-right corner, from the Add Node drop-down list, select Action.
Enter the action details:
Enter action name: Enter a name for the action. Example: Create an Incident.
Description: Enter a description for the action. Example: This action creates an incident.
Select an action type: select System.
Select App: Search for and select Cyware Fusion and Threat Response (CFTR). The Select Action field appears.
Locate Create an Incident action and click Add.
Select the Abort playbook if this Node fails checkbox, so that a failed incident creation stops the playbook instead of letting any downstream nodes act on an incident that was never created.
Leave the Action Retry Count and Action Retry Interval sections as they are.
Update the Input Data fields (each field name is followed by its description):
Title
Enter the title of the incident.
Description
Enter a description of the key details of the incident.
Status
Enter the status of the incident. Allowed values:
untriaged
open
closed
merged
Incident Type
Enter the type of Incident. Some examples of incident types are:
Malware
Phishing
Spearphishing
Business Unit Impacted
Enter the list of unique IDs of the impacted Business Units.
Example: $LIST["6588df22-4f16-4b86-8683-d86834ea0877", "d7140322-ecc2-4a4e-9568-956f27dcc2c6"]
You can retrieve the unique IDs of all the business units using the Get a list of Business Units action or the following API endpoint:
/openapi/v1/utils/businessunit/
Locations Impacted
Enter the list of unique IDs of the impacted locations.
Example: $LIST["334a178f-0f00-4a0a-bdd9-fca1d3c16d0a","1488b7cb-7d10-4029-8abe-39c5ccde5f59"]
You can retrieve the unique IDs of all the locations using the Get a list of Locations action or the following API endpoint:
/openapi/v1/utils/location/
Source
Enter the list of unique IDs of the sources of the incident.
Example: $LIST["6588df22-4f16-4b86-8683-d86834ea0877","08d7cf26-5c3f-4c8b-bc15-e369b34d2122"]
You can retrieve the unique IDs of all the sources using the Get a list of Sources action or the following API endpoint:
/openapi/v1/utils/source/
Incident Date
Enter the date of occurrence of the incident in ISO 8601 format, as in the example (UTC, with the Z suffix).
Example: 2021-08-11T10:29:45.784601Z
Detection Date
Enter the incident detection date in ISO 8601 format, as in the example (UTC, with the Z suffix).
Example: 2021-08-11T10:29:45.784601Z
Level
Enter the severity level of the incident. Some examples of severity levels are:
Critical
High
Medium
Low
Assigned Group
Enter the unique ID of the user group to assign the incident.
Example: 3b176d70-6869-4c73-959e-64b77f15bc9e
You can retrieve the unique IDs of all the CFTR User Groups using the Get a list of all User Groups action or the following API endpoint:
/openapi/v1/restauth/permission/group/
Leave the Extra Fields and Output Data sections as they are.
Click Create.
On the playbook canvas area, connect the Start algorithm box to the action box you have created.
Click Save.
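The following is an added example, not Cyware's own code, showing how a practitioner might prepare and sanity-check the Input Data for the Create an Incident action before pasting it into the node: it resolves human-readable business unit, location, source and user group names to the unique IDs the action expects, renders the ID lists in the $LIST[...] syntax used in the examples above, normalises the two timestamps to ISO 8601 UTC, and rejects a Status value outside the allowed set. The lookup tables stand in for what the Get a list of ... actions or the /openapi/v1/utils/... and /openapi/v1/restauth/permission/group/ endpoints return; the IDs are the example values from this page, while the names, the sample incident and the naive-timestamp-means-UTC rule are assumptions made here.

```python
"""Build and validate the Input Data for the CFTR "Create an Incident" action.

Added example for this page, not Cyware's own code. The field names are the
ones listed on the page; the lookup tables below stand in for what the
"Get a list of ..." actions (or the /openapi/v1/utils/... endpoints) return.
"""
import datetime as dt
import json
import uuid

# Allowed values for the Status field, as listed on this page.
ALLOWED_STATUSES = {"untriaged", "open", "closed", "merged"}

# Constructed lookup tables (name -> unique ID). The IDs are the example
# values from this page; the human-readable names are assumptions.
BUSINESS_UNITS = {
    "Finance": "6588df22-4f16-4b86-8683-d86834ea0877",
    "Legal": "d7140322-ecc2-4a4e-9568-956f27dcc2c6",
}
LOCATIONS = {
    "London": "334a178f-0f00-4a0a-bdd9-fca1d3c16d0a",
    "Bengaluru": "1488b7cb-7d10-4029-8abe-39c5ccde5f59",
}
SOURCES = {
    "Email gateway": "08d7cf26-5c3f-4c8b-bc15-e369b34d2122",
    "EDR": "6588df22-4f16-4b86-8683-d86834ea0877",
}
USER_GROUPS = {"SOC Tier 1": "3b176d70-6869-4c73-959e-64b77f15bc9e"}


def parse_iso8601(value):
    """Parse an ISO 8601 timestamp into a timezone-aware UTC datetime.

    Accepts the trailing "Z" used in the page's examples (which
    datetime.fromisoformat rejects on older Pythons) and treats a naive
    timestamp as UTC (an assumption made here, not by CFTR).
    """
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    parsed = dt.datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=dt.timezone.utc)
    return parsed.astimezone(dt.timezone.utc)


def format_iso8601(moment):
    """Render a datetime in the page's example format, e.g. 2021-08-11T10:29:45.784601Z."""
    return moment.astimezone(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def resolve_ids(names, table, kind):
    """Map names to unique IDs; fail loudly on unknown names or malformed IDs."""
    unknown = [name for name in names if name not in table]
    if unknown:
        raise KeyError(f"unknown {kind}: {unknown}")
    ids = [table[name] for name in names]
    for item in ids:
        uuid.UUID(item)  # ValueError if the lookup returned something that is not a UUID
    return ids


def orchestrate_list(ids):
    """Render a list of IDs in the $LIST[...] syntax shown in the page's examples."""
    return "$LIST[" + ",".join(json.dumps(item) for item in ids) + "]"


def build_incident_input(title, description, status, incident_type,
                         business_units, locations, sources,
                         incident_date, detection_date, level, assigned_group):
    """Return the Input Data dictionary for the action, keyed by the page's field names."""
    if not title.strip():
        raise ValueError("Title must not be empty")
    if status not in ALLOWED_STATUSES:
        raise ValueError(f"Status must be one of {sorted(ALLOWED_STATUSES)}, got {status!r}")
    occurred = parse_iso8601(incident_date)
    detected = parse_iso8601(detection_date)
    # Local sanity check (not enforced by the page): an incident cannot be
    # detected before it occurred; a reversed pair usually means swapped fields.
    if detected < occurred:
        raise ValueError("Detection Date precedes Incident Date")
    units = resolve_ids(business_units, BUSINESS_UNITS, "business units")
    places = resolve_ids(locations, LOCATIONS, "locations")
    origins = resolve_ids(sources, SOURCES, "sources")
    group = resolve_ids([assigned_group], USER_GROUPS, "user groups")[0]
    return {
        "Title": title,
        "Description": description,
        "Status": status,
        "Incident Type": incident_type,
        "Business Unit Impacted": orchestrate_list(units),
        "Locations Impacted": orchestrate_list(places),
        "Source": orchestrate_list(origins),
        "Incident Date": format_iso8601(occurred),
        "Detection Date": format_iso8601(detected),
        "Level": level,
        "Assigned Group": group,
    }


if __name__ == "__main__":
    # Constructed sample incident; every value here is an assumption.
    payload = build_incident_input(
        title="Phishing email reported by Finance",
        description="User forwarded a credential-harvesting email to the SOC mailbox.",
        status="open",
        incident_type="Phishing",
        business_units=["Finance", "Legal"],
        locations=["London"],
        sources=["Email gateway"],
        incident_date="2021-08-11T10:29:45.784601Z",
        detection_date="2021-08-11T12:00:00Z",
        level="High",
        assigned_group="SOC Tier 1",
    )
    print(json.dumps(payload, indent=2))
```

Each value in the printed dictionary goes into the Input Data field of the same name. Resolving names to IDs outside the playbook keeps a typo in a business unit or group name from reaching CFTR as a bad identifier, and the Status check catches a value the action would not accept before the node runs and aborts the playbook.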
Run Playbook
After creating the playbook, you can run it with the input data you entered when creating it, or update that input data first to create a different incident. To run the playbook:
Go to Menu > Playbooks.
Search and open the playbook.
(Optional) Click Edit to update the input data.
Click Run.
On the Run Input Data page, click Run Playbook.
On the Playbook Run Details page, click Show Details to view the response details. If the incident is created successfully, the output data contains the details of the incident; otherwise, it contains the error details.