Configure Automation
Notice
This feature is available in CFTR v3.3.1 and later versions.
To streamline and accelerate incident response, Automation Management enables administrators to create automations using Orchestrate playbooks or app actions and associate the automations with the phases of incident workflows. When an incident is created, users can view and run the associated automations in the respective phases.
For example, to block a malicious IP address during the detection analysis phase of an incident, administrators can create an automation using the Block IOC playbook and associate it with the detection analysis phase of the incident workflows. During the detection analysis of an incident, if the IP address associated with the incident is identified as malicious, users can run the automation to block the IP address.
Create Automation
Create automations to enable users to run and accelerate incident response.
Before you Start
Ensure that Orchestrate integration is enabled in CFTR.
Ensure that you have the Create/Update permission for Form Management.
Steps
To create an automation, do the following:
Go to Admin Panel > Form Management > Incident > Automation Management.
Click New Automation on the top-right.
Enter the following details:
Name: Enter a unique name for the automation. For example, Block IP.
Description: Enter a description for the automation. This provides contextual information about the automation and helps users to choose the desired automation in incidents.
Automation: Select one of the following:
Select Playbook: Select this option to associate an Orchestrate playbook with the automation.
Note
If Role-based access control of Playbooks is enabled in Admin Panel > Configurations > Integration > Orchestrate, then you can view the list of playbooks that are allowed based on your user group permissions. Administrators can use playbook tags in user groups to control user access to Orchestrate playbooks in Admin Panel > User Group Management.
Users, who do not have access to the associated playbook, can run the automation in incidents but the playbook will not be executed.
Select App: Select this option to run an action of an Orchestrate app when the automation is triggered in incidents. Also, select the Orchestrate app, action, and app instance you want to associate with the automation. You can view the list of apps for which at least one instance is configured in Orchestrate.
Mapped Workflows: Select the incident workflows and the respective phases to associate with the automation. For example, NIST - Containment. You can associate multiple incident workflows and phases with an automation.
Note
Select at least one phase for each selected incident workflow.
You can associate an automation with published incident workflows only.
Click Add.
The automation is created and appears in the list of automations in Automation Management. When an incident is created, the automation appears in the Automations section of the associated phases of the incident.
Manage Automations
You can perform the following activities to manage automation:
Search automations based on the title.
Edit automation to update the details. The updated automation appears in all associated incidents.
Delete automation.
Note
When you delete an automation, the automation is removed from all associated incidents.