Skip to main content

Cyware Fusion and Threat Response

Configure Playbook Mappings

You can map the Orchestrate Playbooks with incidents and knowledge base articles, thereby enabling the security analysts to quickly access the relevant Playbooks and execute them during a threat response. Using Playbook Mappings, you can map the Playbooks to various knowledge base articles and the parent parameters of incidents.

Note

To configure Playbook mappings, Orchestrate must be integrated and enabled in CFTR.

After mapping Orchestrate Playbooks with incidents, you can access the mapped Playbooks in Playbooks > Mapped Playbooks of the incidents. However, to access the Playbooks that are mapped to a knowledge base article you must associate the knowledge base article with an action or incident. After associating a knowledge base article, you can access the mapped Playbooks in the Knowledge Base of the action or incident.

Mapped_Playbooks_in_KB.png
Create Playbook Mappings for Incidents

You can map the Playbooks with the parent parameters of incidents. When an incident is created with the configured mapping, the mapped Playbooks appear under Mapped Playbooks in the Playbooks section of the incident.

Note

At least one parent parameter must be configured for creating a Playbook mapping.

To create a Playbook mapping for incidents, do the following.

  1. Go to Admin Panel > Configurations > Playbook Mappings > Incident Mapping.

  2. Click +New Mapping.

  3. From Playbooks, select the Orchestrate Playbooks that you want to map.

    Note

    You can map multiple Playbooks with a set of parent parameters.

  4. From the parent parameters, select the values of the parameters that you want to map to the selected Playbooks.

  5. Click Save.

Note

If Role-based access control of Playbooks is enabled in Admin Panel > Configurations > Integration > Orchestrate, then only the Playbooks that you have access to appear under Playbooks.

Configure Parent Parameters

You can configure up to three parent parameters to create mappings for the Playbooks.

Note

You can configure only single-select fields from the Preparation tab of incident workflows as the parent parameters.

To configure parent parameters for Playbook mappings, do the following:

  1. Go to Admin Panel > Configurations > Playbook Mappings > Incident Mapping.

  2. On the top-right corner, click Configure Parent Parameters.

  3. Select the parent parameters.

  4. Click Save.

Create Playbook Mappings for Knowledge Base

You can map Orchestrate Playbooks to various knowledge bases. On a knowledge base, you access the Playbooks under Mapped Playbooks.

Note

You must have Create/Update permission for Knowledge Base to create the Playbook mappings.

To create a Playbook mapping for a knowledge base, do the following.

  1. Go to Admin Panel > Configurations > PlaybookMappings > Knowledge Base Mapping.

  2. Click +New Mapping.

  3. From Knowledge Base, select a knowledge base.

  4. From Playbooks, select the Playbooks to map with the selected knowledge base.

    You can map multiple Playbooks with a knowledge base.

  5. Click Save.

Note

If Role-based access control of Playbooks is enabled in Admin Panel > Configurations > Integration > Orchestrate, then only the Playbooks that you have access to will appear under Playbooks.

Manage Playbook Mappings

To manage a Playbook mapping, you can perform the following activities:

  • Modify a mapping.

  • Delete a mapping.

  • Clone a mapping to reuse a mapping.

  • Deactivate a mapping.