Labels, Triggers, and Events
A label is an identifier that you attach to both a Playbook and an event so that the Playbook runs automatically when the event occurs. Events can originate in Orchestrate or on external platforms such as CFTR, CTIX, Splunk, and so on. To automate execution, map a label to an event using Configure Triggers and attach the same label to the Playbook. A configured trigger must be in Active status for its associated Playbooks to run when the event occurs.
You can also create events manually from Trigger Events and execute Playbooks by attaching the same labels to the triggered event and the required Playbook.
Example: To execute a Playbook when a potential phishing email reaches your organization's email server, create a label that maps the event to the Playbook, then create a trigger for the event. The executed Playbook scans the email server and quarantines the mailboxes of users who received the phishing email.
Process Overview
The following is an overview of triggering a Playbook for an event.
Labels
Security analysts can create labels and use them to map events to Playbooks. You can use Filters to select labels and view the associated Playbooks.
Before you Start
Ensure that you have permissions to View Labels, Create Labels, and Update Labels.
For more information about the required permissions to utilize the labels feature, contact your Administrator.
Create a Label
You can create a label and then use it to execute Playbooks based on events that you create manually or events that are triggered automatically by other applications.
To create a label:
Click the Main Menu.
Click Labels.
Click Add Label.
Enter a unique name and a description for the label.
Choose a color to associate with the label.
Set the label status to Active or Inactive using the toggle button.
Note
A label must be in Active status for any Playbook or event associated with it to be executed.
Click Create. The created label appears in the labels list.
Use Labels in a Playbook
You can use active labels to execute a Playbook based on an event. You can associate one or more labels with Playbooks and events.
To use labels in a Playbook:
Click the Main Menu.
Click Manage Playbooks and click the New Playbook icon in the top right corner.
In the Playbook canvas, drag and drop an action node to build a Playbook.
Click Playbook Overview and configure the required fields.
In Select Labels, select the required labels from the dropdown list.
Add the remaining nodes to the Playbook and click Save.
Update a Label
You can update the name, description, color, and status of an existing label. The updated fields of a label are reflected in the associated events and Playbooks.
To update a label:
Click the Main Menu.
Click Labels.
In the search bar, enter the name of the label you want to update. You can also filter the labels using the Create Range or Modified Range filter.
Select the label you want to update.
You can update the following fields of a label:
Label name
Description
Color
Status
After updating the required fields of a label, click Save.
Configure Triggers
You can configure triggers to execute a Playbook automatically when an event occurs. These events can occur in Orchestrate or on external platforms such as Respond (CFTR), Intel Exchange (CTIX), Splunk, and more. A configured trigger maps a source event app and source event type to a label, so that the pre-configured Playbook workflows carrying that label run.
Example: If an incident is created in Respond, the created incident can execute the associated Playbooks through a label and a configured trigger.
For a video tour of triggering events from Respond, watch the video on automating incident analysis with Orchestrate and Respond.
Note
Access permissions can only be assigned to a User Group. Contact your Administrator to request this permission.
Before you Start
Ensure that you have permission to View Configure Events and Create/Update Configure Events to access the configure triggers feature and create a new configure trigger.
Steps
To configure triggers, follow these steps:
Click the Main Menu.
Click Configure Triggers under Triggers.
Click Add Configure Trigger.
In Source App, enter the name of the external application. Example: VirusTotal
In Event Type, enter the type of source event. Example: Phishing
In Label, enter the specific label you want to associate with this event.
Set the trigger status to active, and click Create to create the configured trigger.
When an event matching the configured Source App and Event Type is received, the label is attached to the event and every active Playbook carrying that label is executed.
Trigger Events
You can manually create and trigger events, and execute Playbooks by attaching the same labels to the created event and the associated Playbooks. Events can also arrive through OpenAPI, webhooks, Syslog, and external platforms such as CFTR, CTIX, Splunk, and more; Trigger Events lists these received events alongside the ones you created manually. Because any event carrying an active label runs every active Playbook with that label, limit the Create/Update Source Events permission to the users and integrations that are expected to submit events.
Before you Start
Ensure that you have permission to View Source Events and Create/Update Source Events to access the triggered event feature and create a new triggered event.
Create Event
You can create an event to automatically execute Playbooks on the occurrence of the event.
Steps
To create a triggered event, follow these steps:
Click the Main Menu, and go to Trigger Events.
Click Add Triggered Event, and enter the following details:
Title: Enter a relevant title for the event. For example, system breach.
Labels: Choose one or more labels from the dropdown.
Data: Enter the data to pass with the event, in JSON format. The data can be up to 64 MB.
Note
The supported data types are boolean, integer, float, string, dictionary, list, tuple, bytes, and none.
Click Create.
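To make the relationship between labels, configured triggers, triggered events, and Playbooks concrete, the following Python model, added here as an illustration and not Orchestrate's own code, routes a few constructed events the way the Configure Triggers and Create Event steps above describe: an event picks up labels either directly (manual creation) or from active configured triggers whose Source App and Event Type match, and every active Playbook that shares an active label runs. The class and function names, the exact-match rule, the JSON and 64 MB checks, and the sample labels, triggers, and Playbooks are assumptions of this model.

```python
import json
from dataclasses import dataclass

# 64 MB limit on event data, as stated in the Create Event steps
MAX_EVENT_DATA_BYTES = 64 * 1024 * 1024


@dataclass(frozen=True)
class Label:
    name: str
    active: bool = True


@dataclass(frozen=True)
class ConfiguredTrigger:
    source_app: str   # e.g. "VirusTotal"
    event_type: str   # e.g. "Phishing"
    label: str        # label attached to matching events
    active: bool = True


@dataclass(frozen=True)
class Playbook:
    name: str
    labels: frozenset  # labels selected in Playbook Overview


@dataclass(frozen=True)
class Event:
    title: str
    data: str                        # JSON text passed with the event
    source_app: str = ""             # set for events from external platforms
    event_type: str = ""
    labels: frozenset = frozenset()  # labels chosen when the event is created manually


def validate_event_data(data: str):
    """Reject event data that exceeds 64 MB or is not valid JSON."""
    if len(data.encode("utf-8")) > MAX_EVENT_DATA_BYTES:
        raise ValueError("event data exceeds the 64 MB limit")
    return json.loads(data)


def resolve_labels(event, triggers, labels):
    """Active labels attached to an event: the ones set manually plus the ones
    assigned by active configured triggers whose Source App and Event Type
    match (exact, case-sensitive matching is an assumption of this model)."""
    attached = set(event.labels)
    for trigger in triggers:
        if (trigger.active
                and trigger.source_app == event.source_app
                and trigger.event_type == event.event_type):
            attached.add(trigger.label)
    active_names = {label.name for label in labels if label.active}
    # An inactive label never executes anything, even if a trigger assigns it
    return attached & active_names


def select_playbooks(event, triggers, labels, playbooks):
    """Names of the Playbooks that run for the event, sorted for stable output."""
    validate_event_data(event.data)
    fired = resolve_labels(event, triggers, labels)
    return sorted(p.name for p in playbooks if p.labels & fired)


# Constructed sample configuration (hypothetical, not real tenant data)
LABELS = [Label("phishing"), Label("malware", active=False)]
TRIGGERS = [
    ConfiguredTrigger("VirusTotal", "Phishing", "phishing"),
    ConfiguredTrigger("Splunk", "Malware", "malware"),
    ConfiguredTrigger("Respond", "Incident", "phishing", active=False),
]
PLAYBOOKS = [
    Playbook("Quarantine mailbox", frozenset({"phishing"})),
    Playbook("Isolate host", frozenset({"malware"})),
    Playbook("Notify SOC", frozenset({"phishing", "malware"})),
]


def demo():
    """Route a few constructed events through the model."""
    external = Event("Phishing Incident", '{"sender": "x@example.test"}',
                     "VirusTotal", "Phishing")
    inactive_label = Event("Malware alert", "{}", "Splunk", "Malware")
    inactive_trigger = Event("Incident", "{}", "Respond", "Incident")
    manual = Event("system breach", '{"host": "db-01"}',
                   labels=frozenset({"phishing"}))
    return {
        "external": select_playbooks(external, TRIGGERS, LABELS, PLAYBOOKS),
        "inactive_label": select_playbooks(inactive_label, TRIGGERS, LABELS, PLAYBOOKS),
        "inactive_trigger": select_playbooks(inactive_trigger, TRIGGERS, LABELS, PLAYBOOKS),
        "manual": select_playbooks(manual, TRIGGERS, LABELS, PLAYBOOKS),
    }


if __name__ == "__main__":
    for name, playbooks in demo().items():
        print(f"{name}: {playbooks}")
```

The two empty results show the point the notes above make: the Splunk event carries a label that is Inactive, and the Respond event matches a trigger that is Inactive, so neither runs a Playbook even though the mapping exists. The manual event demonstrates that a label chosen at creation time fires the same Playbooks as a label assigned by a configured trigger.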
View Triggered Events
The listing page of the triggered events displays the following details:
Event ID: A unique 12-character ID that identifies the event. For example, TE2ace5e5f-4. Click the event ID to view the labels and data associated with the event.
The preview displays data up to 4 MB. You can download the complete event data of up to 64 MB for offline analysis.
You can also go to Table View and copy the dynamic path of the event data fields.
Title: The title of the triggered event. For example, Phishing Incident
Source App: The name of the event source app. For example, CTIX.
Event Type: The type of the event. For example, Phishing
Labels: The labels associated with the event.
Source: The source of the triggered event. For example, Platform, Webhook, or OpenAPI.
Run Logs: The run logs of the Playbook that are triggered by an event. To view the run logs, hover over the event and click Run Logs.
Supported Actions for Trigger Events
In addition to creating and viewing triggered events, you can perform the following actions:
Sort the trigger event list in ascending or descending order by event creation time.
Filter the events based on the labels, created range, unprocessed events, event errors, and configuration type.
Search an event by its title, source app, and event type.