Configure Incident Workflows
The incident workflow defines the life cycle that security teams should follow for threat response. Incident workflows give administrators the flexibility to adopt different incident response flows for different types of incidents. Using incident workflows, you can define the phases of each incident response flow.
By default, CFTR provides the NIST framework as the incident workflow, which includes the following phases:
Preparation
Detection Analysis
Containment
Investigation and Eradication
To view the list of Incident Workflows, go to Admin Panel > Form Management > Incident. The Incident Workflows page lists the Incident Workflows that have already been created, grouped under the Draft and Published sections.
Draft Incident Workflows: Incident Workflows that are not yet published and are still under configuration or review. You cannot create Workflow Mappings for draft Incident Workflows, and they cannot be used for incidents.
Published Incident Workflows: Incident Workflows that are configured and published. You can create Workflow Mappings for published Incident Workflows, and they can be used for incidents.
For answers to some of the frequently asked questions about incident workflows, see Incident Workflows FAQs.