Cyware Fusion and Threat Response

Configure Automation Rules

Using Rule Engine (Beta), you can configure rules that automatically execute specific actions on incidents, such as pausing an incident, enabling Slack notifications, or running a Playbook. A rule has three components: triggers, conditions, and actions. Based on the rule configuration, CFTR executes the actions on an incident when that incident meets the requirements of the trigger and the conditions.

What is a trigger?

A trigger defines the initial requirements to execute a rule. You can configure the following triggers in the rules:

  • Incident Status Change: The rule triggers when the status of an incident is updated from one status to another. For example, when the status of an incident changes from In Progress to Closed.

  • Workflow Phase Change: The rule triggers when the phase of an incident is updated from one phase to another. For example, when the phase of an incident that uses the NIST workflow changes from Detection Analysis to Containment.

    Note

    For linear incident workflows, select the from and to phases in the order in which they occur in the workflow. Otherwise, the rule will not be triggered.

  • Field Update: The rule triggers when the field of an incident is updated from one value to another. For example, when the severity of an incident is updated from Low to High.

What is a condition?

You can configure multiple conditions for a rule and correlate them using logical operators such as AND and OR. When an incident meets the requirements of the trigger, the rule checks whether the incident also meets the conditions before executing the actions. A condition includes the following items:

  • Controlling Field: The field based on which you want to define the condition to run the actions of a rule. You can use any field type from the field library of incident workflows as the controlling field.

  • Selector: A logical operator that correlates between the controlling field and the values.

  • Controlling Field Values: The corresponding values of the controlling field.

For example, if you want to create a rule for critical incidents, you can configure the following condition:

  • Controlling Field: Severity

  • Selector: EQUAL TO

  • Controlling Field Values: Critical

What is an action?

You can select the actions you want to perform on an incident when the rule executes. After an incident meets the requirements of the trigger and conditions, a rule executes the actions on the incident. You can configure the following actions in the rules:

  • Enable Slack Notification: This action enables Slack notifications of the incident.

  • Pause Incident: This action pauses the incident.

  • Run Playbook: This action runs an Orchestrate Playbook on the incident.

    Note

    To run Playbooks, Orchestrate integration must be configured and enabled in Admin Panel > Configurations > Integration > Orchestrate. If the Orchestrate integration is disabled, you can create rules, but the Playbooks associated with the rules will not be executed.

When a rule runs a Playbook in an incident, the activity logs of the incident show that a rule has triggered a Playbook on the incident. You can view the Playbook execution details in the Playbook Run Logs of the incident.

Create Rule

To create a rule, follow these steps:

  1. Go to Admin > Rule Engine.

  2. Click Create Rule.

  3. Enter a title for the rule.

  4. Click Choose Trigger and select one of the following triggers:

    • Incident Status Change: Select this option to trigger the rule when the status of an incident is updated, and then select the from and to status.

    • Workflow Phase Change: Select this option to trigger the rule when the phase of an incident is updated, and then select the incident workflow, from phase, and to phase.

    • Field Update: Select this option to trigger the rule when the field of an incident is updated, and then select the from and to values.

    Note

    The From and To options are not mandatory; you can select either one or both values to execute a rule. For example, if you want to trigger a rule when an incident is assigned to a user, you only need to select the To option.

  5. (Optional) Click Choose Condition and select the Controlling Field, Selector, and Controlling Field Values. Click the logical operators AND or OR to add more conditions.

    Note

    You can add a maximum of five conditions in a rule.

  6. Click Choose Action and select the actions to be performed on incidents.

    Note

    • You can add a maximum of three actions in a rule.

    • If Role-based access control of Playbooks is enabled in Admin Panel > Configurations > Integration > Orchestrate, then you can view the Playbooks that you have access to under Run Playbooks.

  7. Click Save.

The selected actions will be executed on all incidents that meet the requirements of the rule.
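The rule semantics described above (a trigger whose From and To values are each optional, conditions correlated with AND or OR, and the caps of five conditions and three actions) as a small Python model. This is an added example, not CFTR code; the class names, field names, and the `evaluate` function are assumptions, and the sample rule and incident are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Trigger:
    # "From" and "To" are optional, as the page notes: an unset side matches any value.
    field_name: str                # the incident field watched, e.g. "status" or "phase"
    from_value: Optional[str] = None
    to_value: Optional[str] = None
    def matches(self, field_name: str, old: str, new: str) -> bool:
        if field_name != self.field_name or old == new:   # not an update of this field
            return False
        return self.from_value in (None, old) and self.to_value in (None, new)

@dataclass
class Condition:
    controlling_field: str         # e.g. "severity"
    selector: str                  # only "EQUAL TO" is modelled here
    values: frozenset              # the controlling field values
    def holds(self, incident: dict) -> bool:
        if self.selector != "EQUAL TO":
            raise ValueError(f"unsupported selector {self.selector!r}")
        return incident.get(self.controlling_field) in self.values

@dataclass
class Rule:
    title: str
    trigger: Trigger
    conditions: list = field(default_factory=list)
    operator: str = "AND"          # conditions are correlated with AND or OR
    actions: list = field(default_factory=list)
    enabled: bool = True           # a deactivated rule never fires
    def __post_init__(self):
        if len(self.conditions) > 5:
            raise ValueError("a rule allows at most five conditions")
        if len(self.actions) > 3:
            raise ValueError("a rule allows at most three actions")

def evaluate(rule: Rule, incident: dict, field_name: str, old: str, new: str) -> list:
    # Actions to run for one field change; [] when the trigger or conditions are not met.
    if not rule.enabled or not rule.trigger.matches(field_name, old, new):
        return []
    combine = all if rule.operator == "AND" else any
    if rule.conditions and not combine(c.holds(incident) for c in rule.conditions):
        return []
    return list(rule.actions)

# Constructed sample rule: only "To" is set, so a change from any status to Closed matches.
CLOSE_CRITICAL = Rule("Pause and run Playbook on closed critical incidents",
    Trigger("status", to_value="Closed"),
    [Condition("severity", "EQUAL TO", frozenset({"Critical"}))], "AND",
    ["Pause Incident", "Run Playbook"])
```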

Manage Automation Rules

To view the list of rules created in the application, go to Admin Panel > Rule Engine. You can view the rule details such as the rule title, username of the creator, creation date, and status.

Note

A disabled rule with an error mark has been disabled because of an error in its configuration. For example, when an incident status referenced by a rule is deleted, the rule is disabled. Open the rule to view the error details.

You can perform the following activities to manage the rules:

  • Deactivate rules. Under the Status column, disable the toggle to deactivate a rule. Inactive rules do not trigger, and their configured actions are not executed.

  • Search for a rule.

  • Filter rules based on the created date and status.

  • Sort rules based on the title, last updated date, or created date.