Incidents and objects
An incident or case is an event in which data or a system may possibly be compromised. An object represents a type of data.
Users or apps can create incidents in Orchestration & Automation. You can monitor the status from the start to the resolution of the incident.
A playbook uses objects to classify types of data. You select an object type when you create a playbook, script, rule or workflow. The object type specifies which type of data you wish to act on.
An incident is considered an object, and it has the following child objects:
- Task. A unit of work to be accomplished by a user, device or process. Orchestration & Automation handles some tasks automatically. Other tasks can be assigned to users, who carry them out manually and mark them as complete when done. Incident owners can track the progress of the various tasks.
- Note. Text added to an incident or task that provides clarification or additional information.
- Attachment. A file uploaded and attached to an incident or task.
- Artifact. Data that supports or relates to the incident. Orchestration & Automation organizes artifacts by type, such as file name, MAC address, suspicious URL, MD5 and SHA1 file hashes, and more. An artifact can also have an attachment, such as an email, log file or malware sample.
- Milestone. A date for an important event within the incident timeline.
- Data Table. Field values organized in a tabular format.
- Email Message. An email message sent to the Orchestration & Automation application for analysis.
The task object can also have notes and attachments as child objects.
The parent-child relationship matters because, within a single transaction (one run of a rule, script or workflow), you can access the data of the current object's parent or child objects, but accessing any other object requires another transaction.
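The following is an added example, not code from IBM or from the Orchestration & Automation product. It models the object hierarchy described on this page in plain Python and adds two checks a practitioner typically wants: validation of an artifact's value against its declared artifact type (a few of the types listed above, with constructed regular expressions), and a "single transaction" scope check that returns only the objects reachable from a given object, namely itself, its parent and its children. All class names, function names and the sample incident data are assumptions made for illustration.

```python
"""Added illustration of the incident object model (not product code).

Assumed names: Obj, Incident, Task, Note, Attachment, Artifact, add_child,
validate_artifact, transaction_scope, build_sample_incident.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed patterns for some of the artifact types the page lists.
ARTIFACT_PATTERNS = {
    "MAC Address": re.compile(r"([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"),
    "MD5 Hash": re.compile(r"[0-9a-fA-F]{32}"),
    "SHA1 Hash": re.compile(r"[0-9a-fA-F]{40}"),
    "URL": re.compile(r"https?://[^\s/$.?#][^\s]*", re.IGNORECASE),
    "File Name": re.compile(r"[^\x00/\\]+"),
}

# Which child kinds each parent kind may hold, as described on the page.
ALLOWED_CHILDREN = {
    "Incident": {"Task", "Note", "Attachment", "Artifact",
                 "Milestone", "DataTable", "EmailMessage"},
    "Task": {"Note", "Attachment"},
    "Artifact": {"Attachment"},
}


@dataclass
class Obj:
    """Base object: every object knows its parent and its children."""
    name: str
    # repr/compare disabled to avoid recursion through the parent link.
    parent: Optional[Obj] = field(default=None, repr=False, compare=False)
    children: list[Obj] = field(default_factory=list, compare=False)

    @property
    def kind(self) -> str:
        return type(self).__name__


@dataclass
class Incident(Obj): ...
@dataclass
class Task(Obj): ...
@dataclass
class Note(Obj): ...
@dataclass
class Attachment(Obj): ...


@dataclass
class Artifact(Obj):
    artifact_type: str = ""
    value: str = ""


def add_child(parent: Obj, child: Obj) -> Obj:
    """Attach child to parent, enforcing the allowed parent/child kinds."""
    if child.kind not in ALLOWED_CHILDREN.get(parent.kind, set()):
        raise TypeError(f"{parent.kind} cannot hold a {child.kind}")
    child.parent = parent
    parent.children.append(child)
    return child


def validate_artifact(artifact: Artifact) -> bool:
    """True if the artifact's value matches the format for its type."""
    pattern = ARTIFACT_PATTERNS.get(artifact.artifact_type)
    if pattern is None:
        raise ValueError(f"unknown artifact type: {artifact.artifact_type}")
    return pattern.fullmatch(artifact.value) is not None


def transaction_scope(obj: Obj) -> set[str]:
    """Names of objects whose data one rule/script/workflow run can read
    when triggered on obj: obj itself, its parent and its children.
    Siblings, grandparents and grandchildren need another transaction."""
    reachable = {obj.name}
    if obj.parent is not None:
        reachable.add(obj.parent.name)
    reachable.update(child.name for child in obj.children)
    return reachable


def build_sample_incident() -> Incident:
    """Constructed sample data; not a real case."""
    inc = Incident("INC-0001")
    triage = add_child(inc, Task("Triage alert"))
    add_child(triage, Note("Analyst note"))
    add_child(inc, Task("Contain host"))
    add_child(inc, Artifact("Sample hash", artifact_type="MD5 Hash",
                            value="d41d8cd98f00b204e9800998ecf8427e"))
    return inc


if __name__ == "__main__":
    incident = build_sample_incident()
    triage_task = incident.children[0]
    print("Reachable from the triage task:", transaction_scope(triage_task))
```

Run on the constructed incident, the scope check for the triage task returns the task, its parent incident and its note, but not the sibling "Contain host" task or the incident's artifact; reading those would be a separate transaction, which is the constraint the paragraph above describes.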