Overview
The Orchestration & Automation application takes in data to create incidents and interacts with the SOAR environment to address and resolve security events.
Orchestration & Automation accepts data entered manually or programmatically. You then use the various playbook tools to evaluate and process the data, determine results, and perform remediation. This can include interaction with other security programs and assigning users to perform manual tasks. The playbook tools include playbooks, conditions, scripts, functions, rules, workflows and tasks. In addition, you can use fields, data tables and artifacts to contain data, and phases and reports to track progress.
Orchestration & Automation contains various playbooks that you design. A playbook runs when the conditions that you define are met. A condition is a change to an instance of the object type selected in the playbook.
When it runs, a playbook can perform actions such as the following:
- Run a script.
- Start a function (or a workflow if using rules). A function can also be used to send data to an outside app.
- Add a task.
- Add or update data in a field.
- Add a row to a data table.
- Provide data to the next step in the playbook to determine progress.
To access the customization settings, from the main menu, click Application settings > Case Management > Customization. You must be assigned Admin access to Orchestration & Automation and a role that includes Administration and Customization Permissions.