Customizing settings in Case Management
You must create and customize the playbooks in the Case Management applications before you create cases in Risk Manager.
Before you begin
- Ensure that you have Admin access to the IBM Security Case Management and IBM Security Orchestration & Automation applications.
- Ensure that you have the Administrator role (the role with all the permissions enabled) for initial configuration.
About this task
You can export your customized settings to a file. You can use your customized settings in another account by importing the file that you previously exported. For more information about migration of settings, see Migrate settings.
Procedure
- Customize the settings.
  - On the home page, click the Menu icon.
  - In the Application settings section, click Case Management > Customization.
  - On the Customization Settings page, click Add Field.
  - In the Create Incident Field window, add the following three fields with these values, and click Create.
    - Source Application
      - Type of field - Select
      - Label for the field - Source Application
      - API name - source_application
      - Add/Edit Values - Risk Manager
      - Requirement - Optional
      - Blank Option - Yes
    - Vulnerable IP Address
      - Type of field - Text
      - Label for the field - Vulnerable IP Address
      - API name - vulnerable_ip_address
      - Requirement - Optional
    - Remediation For
      - Type of field - Text
      - Label for the field - Remediation For
      - API name - remediation_for
      - Requirement - Optional
- Create the playbook: IDRM Artifact Playbook
  - On the home page, click the Menu icon.
  - In the My applications section, click Case Management > Playbooks.
  - On the Playbooks page, click Create playbook.
  - On the Create playbook window, specify the playbook name as IDRM Artifact Playbook and the API name as idrm_artifact_playbook.
  - Click Create.
  - On the Playbook designer page, under Activation details, select Automatic from the Activation type list.
  - Under Activation details, select Incident from the Object type list.
  - Click Create condition.
  - On the Create condition window, click Add condition. Select All and specify the following conditions.
    IF Incident is created AND Source Application is equal to Risk Manager AND Vulnerable IP Address has a value
  - Click Done.
  - On the side menu of the Playbook designer page, click the Scripts icon.
  - Click Incident.
  - Click Create script.
  - On the Create script window, complete the following steps.
    - Select Global.
    - Specify a name and description for the script.
    - Under Code, paste the following script.
      # Split the comma-separated Vulnerable IP Address field into one artifact
      # and one remediation task per address.
      addr = incident.properties.vulnerable_ip_address.split(",")
      for ip in addr:
          ip = ip.strip()  # drop whitespace around each address so artifact values are clean
          incident.addArtifact("IP Address", ip, "Asset")
          incident.addTask("Remediate the asset with ip address value :" + ip, "Initial",
                           "1. Collect volatile system data,\n"
                           "2. Create backups of affected systems,\n"
                           "3. Disconnect or isolate malware-infected systems\n"
                           "4. Provide and update the internal management chain regarding the results of the analysis. "
                           "Include details regarding the nature and scope of the incident as you understand it, "
                           "the likelihood that confidential or personal information was exposed, and any other major impact. "
                           "Outline the proposed recovery plan and estimated timeline.")
    - Click Create.
  - Under Incident, drag the script that you created onto the canvas under the start node. Alternatively, click the + sign next to the script name.
  - On the side menu of the Playbook designer page, click the Decision points icon.
  - Drag End point onto the canvas under your script node.
  - Connect all the nodes on the canvas.
  - Click Save.
  - To enable the playbook, click the Enable playbook button.
  - To view the playbook details, click the View details icon.
- Create the playbook: IDRM Update Case Playbook
  - On the home page, click the Menu icon.
  - In the My applications section, click Case Management > Playbooks.
  - On the Playbooks page, click Create playbook.
  - On the Create playbook window, specify the playbook name as IDRM Update Case Artifact and the API name as idrm_update_case_playbook.
  - Click Create.
  - On the Playbook designer page, under Activation details, select Automatic from the Activation type list.
  - Under Activation details, select Artifact from the Object type list.
  - Click Create condition.
  - On the Create condition window, click Add condition. Select All and specify the following conditions.
    IF Artifact is created AND Description contains (RM) AND Type is equal to IP Address AND Source Application is equal to Risk Manager
  - Click Done.
  - On the side menu of the Playbook designer page, click the Scripts icon.
  - Click Artifact.
  - Click Create script.
  - On the Create script window, complete the following steps.
    - Select Global.
    - Specify a name and description for the script.
    - Under Code, paste the following script.
      # Create one remediation task for the IP Address artifact that triggered the playbook.
      incident.addTask("Remediate the asset with ip address value :" + artifact.value, "Initial",
                       "1. Collect volatile system data,\n"
                       "2. Create backups of affected systems,\n"
                       "3. Disconnect or isolate malware-infected systems\n"
                       "4. Provide and update the internal management chain regarding the results of the analysis. "
                       "Include details regarding the nature and scope of the incident as you understand it, "
                       "the likelihood that confidential or personal information was exposed, and any other major impact. "
                       "Outline the proposed recovery plan and estimated timeline.")
    - Click Create.
  - Under Artifact, drag the script that you created onto the canvas under the start node. Alternatively, click the + sign next to the script name.
  - On the side menu of the Playbook designer page, click the Decision points icon.
  - Drag End point onto the canvas under your script node.
  - Connect all the nodes on the canvas.
  - Click Save.
  - To enable the playbook, click the Enable playbook button.
  - To view the playbook details, click the View details icon.
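The two playbook scripts above run only inside the Case Management scripting runtime, which supplies the incident and artifact objects, so there is no easy way to check them before enabling a playbook. The following is an added example, not IBM code and not part of this procedure: it reproduces the logic of both scripts against a constructed stand-in incident so the behaviour can be exercised offline. The FakeIncident and FakeArtifact classes, the parse_vulnerable_ips helper and the sample field value are all assumptions made for this example; the one deliberate addition over the scripts in the procedure is that each comma-separated entry in the Vulnerable IP Address text field is trimmed, validated as an IPv4/IPv6 address and de-duplicated before an artifact is created, so a typo in the free-text field does not become a bogus IP Address artifact (and does not trigger the second playbook).

```python
# Added example: offline harness for the IDRM Artifact Playbook and
# IDRM Update Case Playbook scripts. Not IBM code; the FakeIncident and
# FakeArtifact classes stand in for the objects the SOAR runtime provides.
import ipaddress
from types import SimpleNamespace

# Same task instructions as in the procedure's scripts.
TASK_INSTRUCTIONS = (
    "1. Collect volatile system data,\n"
    "2. Create backups of affected systems,\n"
    "3. Disconnect or isolate malware-infected systems\n"
    "4. Provide and update the internal management chain regarding the results of the analysis. "
    "Include details regarding the nature and scope of the incident as you understand it, "
    "the likelihood that confidential or personal information was exposed, and any other major impact. "
    "Outline the proposed recovery plan and estimated timeline."
)


class FakeIncident:
    """Constructed stand-in for the runtime `incident` object (assumption)."""

    def __init__(self, vulnerable_ip_address):
        # The real object exposes custom fields as incident.properties.<api_name>.
        self.properties = SimpleNamespace(vulnerable_ip_address=vulnerable_ip_address)
        self.artifacts = []  # (type, value, description)
        self.tasks = []      # (name, phase, instructions)

    def addArtifact(self, artifact_type, value, description):
        self.artifacts.append((artifact_type, value, description))

    def addTask(self, name, phase, instructions):
        self.tasks.append((name, phase, instructions))


class FakeArtifact:
    """Constructed stand-in for the runtime `artifact` object (assumption)."""

    def __init__(self, value, artifact_type="IP Address"):
        self.value = value
        self.type = artifact_type


def parse_vulnerable_ips(field_value):
    """Split the free-text field on commas, trim whitespace, keep only valid
    IPv4/IPv6 addresses and drop duplicates (order preserved).
    Returns (valid_addresses, rejected_tokens)."""
    valid, rejected, seen = [], [], set()
    for raw in (field_value or "").split(","):
        token = raw.strip()
        if not token:
            continue  # empty entry, e.g. a trailing comma
        try:
            normalized = str(ipaddress.ip_address(token))
        except ValueError:
            rejected.append(token)  # not an IP address: do not create an artifact
            continue
        if normalized not in seen:
            seen.add(normalized)
            valid.append(normalized)
    return valid, rejected


def artifact_playbook_script(incident):
    """Mirrors the IDRM Artifact Playbook script with input validation added:
    one IP Address artifact and one remediation task per valid address."""
    valid, rejected = parse_vulnerable_ips(incident.properties.vulnerable_ip_address)
    for ip in valid:
        incident.addArtifact("IP Address", ip, "Asset")
        incident.addTask("Remediate the asset with ip address value :" + ip, "Initial", TASK_INSTRUCTIONS)
    return valid, rejected


def update_case_script(incident, artifact):
    """Mirrors the IDRM Update Case Playbook script: one task for the artifact
    that triggered the playbook. Returns the incident's task count."""
    incident.addTask("Remediate the asset with ip address value :" + artifact.value, "Initial", TASK_INSTRUCTIONS)
    return len(incident.tasks)


if __name__ == "__main__":
    # Constructed sample field value: whitespace, a duplicate, a typo and a trailing comma.
    inc = FakeIncident("10.0.0.5, 10.0.0.5,not-an-ip ,192.0.2.7,")
    created, dropped = artifact_playbook_script(inc)
    print("artifacts created for:", created)
    print("rejected entries:", dropped)
    print("tasks after artifact script:", len(inc.tasks))
    print("tasks after update-case script:", update_case_script(inc, FakeArtifact("192.0.2.7")))
```

Running the harness on the constructed value shows two artifacts and two tasks being created while the rejected token is reported rather than silently turned into an artifact; the same input pasted into the unvalidated procedure script would produce four artifacts, one of them with a leading space and one that is not an address at all.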