Cyware Fusion and Threat Response

Create Incidents from External Applications

You can allow users from external applications such as Collaborate to report incidents in Respond. Additionally, you can send notes to and receive notes from external applications to communicate about incident updates. After an incident is reported from the external application, the incident is created in the open status.

Note

This feature is available in Respond v3.4.3.6 onwards.

You can also send a note to users in Collaborate. To do so, mention Collaborate Member using @ while adding a note to the incident. The notes received from Collaborate users are displayed with the user name Collaborate Member in Respond.

Steps 

To enable incident creation from external applications, follow these steps:

Step 1: Integrate Collaborate (CSAP)

Step 2: Enable External Incident Reporting

Step 3: Configure Incident Workflow

Integrate CSAP

Collaborate (CSAP) is an automated threat alert aggregation and information-sharing platform that equips key security personnel with information to improve situational awareness and resilience. By integrating Collaborate with Respond (CFTR), you can sign in to Collaborate without additional authorization.

Before you Start

To integrate Collaborate with Respond, ensure that:

  • You have Create/Update permission to Configurations.

  • You have the Collaborate API credentials.

Steps

Generate Collaborate API Credentials

To gain REST API access to Collaborate endpoints, you have to generate API credentials for your API user from the Analyst Portal.

To generate Collaborate API credentials, follow these steps: 

  1. In the Analyst Portal, go to Administration > Integrations.

  2. In CSAP Integrations, click Open API Credentials.

  3. Click Generate API Credentials. Use the following information while generating credentials:

    • Title: Enter the title for credentials. This title acts as an identifier for the generated credentials. For example, API Credentials for John Doe.

    • Select Analyst to generate API credentials for another analyst.

      • User: Enter the name and select the analyst user for whom you want to generate credentials.

      • If you want to share the credentials with the selected users through email, select Share via Email.

  4. Click Generate to generate the credentials. You can now view the credentials. The credentials are also shared with the selected user if you have selected Share via Email.

    • Click Copy All to copy and save the Access ID, End Point, and Secret Key.

    • Click Download the .CSV to download the credentials. Ensure that you save the credentials for your reference because you cannot generate the same credentials again.

Configure Collaborate API Credentials in Respond

To configure CSAP API credentials in Respond, follow these steps:

  1. Go to Admin Panel > Configurations > Integrations > CSAP.

  2. Click Edit and enable CSAP.

  3. Enter the CSAP API credentials.

  4. Click Save.

To verify the integration, click Test Connection.

Enable External Incident Reporting

To allow users from external applications to report incidents, you must enable External Incident Reporting in Respond. Only Collaborate members can create incidents in Respond.

Before you Start 

Ensure you have Create/Update permissions for Configurations.

Steps 

To enable external incident reporting, follow these steps:

  1. Go to Admin > Configurations > Incident > External Incident Reporting.

  2. Turn on the Incident Reporting toggle.

  3. In Notes Display Name, enter a display name for notes. This name will be displayed as a username in external applications when you send a note from Respond.

  4. Click Save.

Create Incident Workflow

You can create multiple incident workflows to respond to various types of incidents.

Note

You can create a maximum of 50 active incident workflows. However, there is no limit to the number of inactive and draft incident workflows.

Before you Start

Ensure that you have Create/Update permission for Form Management.

Steps

To create an incident workflow, follow these steps:

  1. Go to Admin > Form Management > Incidents.

  2. Click Create Incident Workflow and enter the following details:

    1. Incident Workflow Name: Enter the name of the Incident Workflow. For example, Priority Threat Response Framework.

    2. (Optional) Description: Enter a description for the Incident Workflow. The description is added as a tooltip for the Incident Workflow in the list of Incident Workflows.

  3. Click Save & Proceed. You can view the Incident Details phase of the incident. Add fields as required.

  4. To update the name of the Incident Details tab, click Edit and enter a name.

    Note

    The Incident Details tab is common across all incident workflows. The updated name of the tab will be displayed in all incident workflows.

  5. To add phases to the incident workflow, follow these steps:

    Note

    You can add a maximum of 10 phases to an incident workflow.

    • In Phase, select a phase to add.

    • If the desired phase is unavailable, click New to add a new phase to the incident workflow. For more information, see Create Phase.

  6. To configure the fields of a phase, drag fields from the Field Library on the right and drop them into the phase. If the desired field is unavailable, click New Field to add a new field to the field library. For more information, see the Create Field section in Manage Field Library. You can do the following to organize the fields of a phase:

    • Drag fields to re-arrange the fields in a phase.

    • Maximize or minimize fields for better space management and viewing experience in a phase.

  7. (Optional) To add custom tabs to the Incident Workflow, on the Custom Tabs section, click +New and enter a name for the tab.

  8. To configure the incident workflow, follow these steps:

    1. Click Configuration.

    2. Update the following details in Incident Workflow configurations:

      • Description: Enter a description of the Incident Workflow.

      • Phase Flow Type: Select a flow type:

        • Linear: The flow of phases is sequential and users cannot move between random phases.

        • Non-linear: The flow of phases is non-sequential and users can move between random phases.

      • Restrict phase transition if all mandatory fields are not filled: Select this checkbox to prevent users from moving to the next phase in incidents with linear workflows until all mandatory fields are filled. This option is available only when the selected phase flow type is Linear.

      • Incidents can be closed after the phase: Select a phase during which the incident can be closed. This field is available if the selected phase flow type is Linear.

  9. Click Save.

  10. (Optional) To map action templates with various phases of the incident workflow, go to a phase and in the upper-right corner, click Mapped Actions. Select action templates and click Save. To create a new action template, click New Action Template. For more information, see Manage Action Templates for Incidents.

  11. On the Incident Workflow configuration page:

    1. To save the incident workflow as a draft, click Save draft.

    2. To publish the incident workflow, click Publish.

After an Incident Workflow is published, you can add, update, or delete the fields and update the phases of the Incident Workflow. However, you cannot add new phases or delete any phase from the incident workflow.

The Preparation tab is common to all Incident Workflows and includes the fields that are necessary to provide the initial information when creating an incident.

Note

Only single-select fields of the Preparation tab can be configured as parent parameters.

Create Phase

When creating or updating an incident workflow, if the required phase is not available in the existing list of phases, then you can create a phase and add it to the incident workflow.

To create a phase, do the following:

  1. Go to Admin Panel > Form Management > Incidents.

  2. Select an incident workflow and click Edit on the right.

  3. On the left pane, under the Phases section, click the New button. A new empty text box appears under the Phases section.

  4. In the text box, enter the name of the new phase and click the save icon. The new phase appears under the Phases section.

  5. Select the new phase.

  6. From the Field Library on the right pane, search for the required field and drag the field to the space of the selected phase. If the required field is not available in the Field Library, then you can create a new field.

  7. The phase is automatically saved when another phase is selected or when the incident workflow is saved.

For answers to frequently asked questions about phases, see Incident Workflows FAQs.

Map Actions with Incident Workflow Phase

You can map multiple action templates with various phases of an incident workflow. When an incident is created, Respond automatically creates actions using the mapped action templates for each phase of the incident response.

To map actions with an incident workflow phase, do the following:

  1. Go to Admin Panel > Form Management > Incidents.

  2. Select an incident workflow and click Edit.

  3. Select a phase.

  4. Click Mapped Actions.

  5. On Select Action Templates, select the action templates to map with the incident workflow phase.

    Note

    Respond displays the action templates that are available in the Actions Library.

  6. To create an action template, click +New Action Template. For more information, see Manage Action Templates for Incidents.

  7. Click Save.