Create an Incident Workflow
The Incident Workflow defines the lifecycle that security teams should follow for threat response. It gives CFTR admins the flexibility to adopt multiple incident response flows for various types of incidents. Using an Incident Workflow, CFTR admins can define the phases of each incident response flow.
Before you Start
To create an incident workflow, you must have CREATE/UPDATE permission for the Form Management module.
Steps
1. Go to Admin Panel > Form Management > Incidents.
2. Click Create Incident Workflow.
3. On the Create Incident Workflow page:
   a. In the Incident Workflow Name field, enter the name of the Incident Workflow.
   b. (Optional) Enter a description of the Incident Workflow. The description appears as a tooltip for the Incident Workflow in the list of Incident Workflows.
   c. Click Save & Proceed.
4. On the left pane, to add phases to the Incident Workflow, do one of the following:
   - To create a phase, click +New.
   - To reuse an existing phase:
     a. Search and select a phase.
     b. Select an Incident Workflow of the phase that you want to use and click OK.
5. (Optional) To add custom tabs to the Incident Workflow, in the Custom Tabs section, click +New.
6. Configure the Incident Workflow:
   a. Click Configuration.
   b. Update the Incident Workflow configuration:

      | Field | Description |
      |---|---|
      | Description | Enter a description of the Incident Workflow. |
      | Phase flow type | Select a flow type. Linear: The flow of phases is sequential and users cannot move between arbitrary phases. Non-linear: The flow of phases is non-sequential and users can move between arbitrary phases. |
      | Incidents can be closed after this Phase | Select a phase. The incident can be closed when the incident is in the selected phase. This field is available if the selected Phase flow type is Linear. |

   c. Click Save.
7. On the Incident Workflow configuration page:
   - To save the Incident Workflow as a draft, click the Save draft button.
   - To publish the Incident Workflow, click the Publish button.
After an Incident Workflow is published, you can add, update, or delete the fields and update the phases of the Incident Workflow. However, you cannot add new phases to the Incident Workflow or delete any phase from it, so finalize the list of phases before you publish.