
Cyware Fusion and Threat Response

Create Incidents from Orchestrate Playbook

You can use the Orchestrate playbooks feature to create incidents from Orchestrate. In addition to creating incidents, you can use the playbooks to perform multiple actions. To view the list of actions, see Cyware Fusion and Threat Response (CFTR) app documentation.

Before you Start

  • Ensure that CFTR App from the Orchestrate Appstore is installed on your Orchestrate application. For more information about how to install an app and add an instance in Orchestrate, see Apps.

  • Ensure that your CFTR instance, where you want to create the incidents, is available in the CFTR app in the Orchestrate application. For more information on how to create a CFTR instance, see Create a CFTR Instance in Orchestrate.

  • Cyware recommends you be familiar with Orchestrate general flowchart algorithms and their functions. For more information, see Playbooks.

Create a Playbook for Creating Incidents

To create a playbook for creating incidents, go to your Orchestrate application and perform the following steps.

  1. Go to Menu > Playbooks.

  2. On the Playbooks page, on the top-right corner, click New.

  3. On the Playbook - New page, under the Overview section, enter the playbook details, such as Name, Description, Tags, and Labels.

  4. Select the Status as ACTIVE.

  5. On the top-right corner, from the Add Node drop-down list, select Action.

  6. Enter the action details:

    • Enter action name: Enter a name for the action. Example: Create an Incident.

    • Description: Enter a description for the action. Example: This action creates an incident.

    • Select an action type: Select System in this case.

    • Select App: Search for and select Cyware Fusion and Threat Response (CFTR). The Select Action field appears.

    • Locate the Create an Incident action and click Add.

  7. Select the Abort playbook if this Node fails checkbox.

  8. Leave the Action Retry Count and Action Retry Interval sections as they are.

  9. Update the Input Data fields (each field is listed with its description):

    Title: Enter the title of the incident.

    Description: Enter a description that best describes the key details of the incident.

    Status: Enter the status of the incident. Allowed values:

    • untriaged

    • open

    • closed

    • merged

    Incident Type: Enter the type of incident. Some examples of incident types are:

    • Malware

    • Phishing

    • Spearphishing

    Business Unit Impacted: Enter the list of unique IDs of the impacted business units.

    Example: $LIST["6588df22-4f16-4b86-8683-d86834ea0877", "d7140322-ecc2-4a4e-9568-956f27dcc2c6"]

    You can retrieve the unique IDs of all the business units using the Get a list of Business Units action or the following API endpoint: /openapi/v1/utils/businessunit/

    Locations Impacted: Enter the list of unique IDs of the impacted locations.

    Example: $LIST["334a178f-0f00-4a0a-bdd9-fca1d3c16d0a","1488b7cb-7d10-4029-8abe-39c5ccde5f59"]

    You can retrieve the unique IDs of all the locations using the Get a list of Locations action or the following API endpoint: /openapi/v1/utils/location/

    Source: Enter the list of unique IDs of the sources of the incident.

    Example: $LIST["6588df22-4f16-4b86-8683-d86834ea0877","08d7cf26-5c3f-4c8b-bc15-e369b34d2122"]

    You can retrieve the unique IDs of all the sources using the Get a list of Sources action or the following API endpoint: /openapi/v1/utils/source/

    Incident Date: Enter the date of occurrence of the incident in ISO 8601 time format.

    Example: 2021-08-11T10:29:45.784601Z

    Detection Date: Enter the incident detection date in ISO 8601 time format.

    Example: 2021-08-11T10:29:45.784601Z

    Level: Enter the severity level of the incident. Some examples of severity levels are:

    • Critical

    • High

    • Medium

    • Low

    Assigned Group: Enter the unique ID of the user group to which the incident is assigned.

    Example: 3b176d70-6869-4c73-959e-64b77f15bc9e

    You can retrieve the unique IDs of all the CFTR user groups using the Get a list of all User Groups action or the following API endpoint: /openapi/v1/restauth/permission/group/

  10. Leave the Extra Fields and Output Data sections as they are.

  11. Click Create.

  12. On the playbook canvas area, connect the Start algorithm box to the action box you have created.

  13. Click Save.
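The Input Data fields in step 9 carry value constraints that are easy to get wrong (the four allowed Status values, $LIST[...] literals of UUIDs, ISO 8601 dates), and because the node is set to abort the playbook on failure, a bad value stops the run. The following pre-flight check is an added example, not Cyware code or the CFTR app's own validation; it assumes the input is held in a dict keyed by the field labels above, and the UUIDs used in the test are constructed.

```python
"""Pre-flight checks for the Create an Incident input data (added example, not Cyware code).
Keys are the page's Input Data labels; that the CFTR action accepts them under exactly
these names is an assumption."""
import re
from datetime import datetime

ALLOWED_STATUS = {"untriaged", "open", "closed", "merged"}
LIST_FIELDS = ("Business Unit Impacted", "Locations Impacted", "Source")
DATE_FIELDS = ("Incident Date", "Detection Date")
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def list_literal(ids):
    """Render IDs in the $LIST["...","..."] form the Input Data examples use."""
    return "$LIST[" + ",".join('"%s"' % i for i in ids) + "]"


def parse_list_literal(value):
    """Inverse of list_literal; returns None if the value is not a $LIST literal."""
    m = re.fullmatch(r"\$LIST\[(.*)\]", str(value).strip())
    if m is None:
        return None
    body = m.group(1).strip()
    return [] if body == "" else [p.strip().strip('"') for p in body.split(",")]


def is_iso8601(value):
    """Accept the page's format (2021-08-11T10:29:45.784601Z); Python < 3.11 rejects 'Z'."""
    text = value[:-1] + "+00:00" if value.endswith("Z") else value
    try:
        datetime.fromisoformat(text)
        return True
    except ValueError:
        return False


def check_incident_input(data):
    """Return a list of problems; an empty list means the values meet the documented constraints."""
    problems = []
    if "Status" in data and data["Status"] not in ALLOWED_STATUS:
        problems.append("Status must be one of %s" % sorted(ALLOWED_STATUS))
    for field in LIST_FIELDS:
        ids = parse_list_literal(data.get(field, "$LIST[]"))
        if ids is None:
            problems.append("%s must be a $LIST[...] literal" % field)
        else:
            problems += ["%s: %r is not a UUID" % (field, i) for i in ids if not UUID_RE.match(i)]
    for field in DATE_FIELDS:
        if field in data and not is_iso8601(data[field]):
            problems.append("%s must be ISO 8601, e.g. 2021-08-11T10:29:45.784601Z" % field)
    if "Assigned Group" in data and not UUID_RE.match(data["Assigned Group"]):
        problems.append("Assigned Group must be a single user-group UUID")
    return problems
```

Run check_incident_input over the dict before step 11 (or before Run in the section below); each returned string names the field and the constraint it violates.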

Run Playbook

After creating the playbook, you can run it with the input data you entered when creating it, or update the input data first. To run the playbook:

  1. Go to Menu > Playbooks.

  2. Search and open the playbook.

  3. (Optional) Click Edit to update the input data.

  4. Click Run.

  5. On the Run Input Data page, click Run Playbook.

On the Playbook Run Details page, click Show Details to view the response details. If the incident is created successfully, the output data contains the details of the incident. Otherwise, the output data contains the error details.