- 23 May 2023
- 7 Minutes to read
- Updated on 23 May 2023
- 7 Minutes to read
The Workflow capability in ThreatConnect® enables analysts and their teams to define and operationalize consistent, standardized processes for managing threat intelligence and performing security operations. Analysts and administrators can use Workflow to investigate, track, and collaborate on information related to threats and incidents, all from within one central location in ThreatConnect. A primary use case for Workflow is case management, in which data tied to specific events and incidents are collected, distributed, and analyzed for effective and efficient completion of critical tasks, which can be performed manually by analysts or via automation (i.e., Playbooks).
This article provides a high-level overview of Workflow, covering terminology and process flow. It links to separate articles that cover each element of the Workflow process in detail.
The following are key Workflow terms and their definitions:
- Workflow: Workflow typically starts with the creation of a Workflow, which is a codified procedure for the steps to be taken within a Case. For example, a security team might create separate Workflows for phishing analysis, alert triage, and various methods of handling breaches. By codifying these processes in a Workflow, users can reduce the risk of missing critical steps or Artifacts during an investigation, because processes and procedures that were previously stored externally are now captured and can be tied back to threat intelligence in ThreatConnect. Users and administrators with the requisite permissions may create Workflows from scratch or copy a Template available at the System level or in TC Exchange™ to their Organization as a Workflow.
- Template: Templates are System-level Workflows that are available to be copied into and used in Organizations. ThreatConnect provides a set of Workflow Templates via TC Exchange, and System Administrators may install System-level Templates in their ThreatConnect instance. Users and administrators with the requisite permissions can copy a Template available at the System level or in TC Exchange to their Organization as a Workflow.
- Case: A Workflow Case is a single instance of an investigation, inquiry, or other procedure. It contains all required elements of a notable event in a logical structure. Cases can be used to capture key evidence to enable security teams to decide if the Case should be escalated. It is recommended that Cases be created from Workflows, but they may also be created ad hoc.
- Task: A Workflow Task is a step to perform within a Case. Tasks can be manual (i.e., performed by a user) or automated (i.e., performed by a Workflow Playbook), and they can be optional or mandatory.
- Phase: A Phase in Workflow is a logical grouping of Tasks.
- Note: A Note in Workflow is freeform information entered by a user (e.g., in a Case or attached to a Task or Artifact). Notes can be used to provide commentary, directives to another user, additional details, or any information that cannot be captured elsewhere. They enable security teams to journal key data findings in an unstructured format.
- Artifact: An Artifact in Workflow is any piece of data not captured in a Note that provides information relevant to a Case that may be useful to an analyst. If an Artifact maps to a ThreatConnect Indicator type, additional information on the Indicator will be provided, and the Indicator may be added to the user’s Organization if desired. Potential Artifact types include all ThreatConnect Indicator types, as well as a variety of other data types, which are determined by ThreatConnect and the System Administrator of the ThreatConnect instance. Examples of Artifacts include domains, email addresses, log files, emails, PCAP files, screenshots, SIEM event files, and malware documents. Note that not all Artifacts are significant, while others can be loosely correlated to threat intelligence.
- Case Attribute: Case Attributes are key/value data sets that you can add to a Case. These Attributes enrich a Case’s data and aid security teams as they investigate a threat and determine the appropriate escalation path for a Case.
- Case Details: Details about a Case include including time-based information related to the Case, Tags that have been applied to the Case, and a description of the Case.
- Associations: You can associate Indicators, Groups, and other Cases to a Case manually. On the Details screen for Indicators and Groups, you can view associated Cases on the Cases card of the Associations tab; on the legacy Details screen, you can view associated Cases in the Associated Cases section of the Associations card when the card is in table view.
- Potential Associations: Indicators and Groups that are associated to objects associated to a Case or that are Artifacts of a Case are categorized as potential associations.
- Workflow Playbook: A Workflow Playbook is a Playbook called within an automated Task in a Case. Workflow Playbooks are created similarly to regular Playbooks in ThreatConnect. They have a Workflow Trigger, which defines the inputs and outputs of the Playbook.
- Timeline: The timeline in a Case is a recording of actions performed in the Case in chronological order. Timelines enable security teams to quickly observe key events over a span of dates in a Case. They also allow users to drill down into important timeframes in the lifespan of a Case. Each time an action is performed in a Case, a Timeline Event is added automatically to the Case’s timeline. Users may also add Timeline Events to a Case manually.
The Workflow process typically starts with a Workflow, which defines the steps to be taken in each Case using that procedure. If you are using a Workflow created from scratch or a System-level or TC Exchange Template copied to your Organization as a Workflow, then you can skip ahead to the “Create a Workflow Case” step. If you are creating your own Workflow or modifying an existing one, then you should start from the very beginning of the process with “Plan Ahead.”
It is essential to plan ahead before creating a Workflow, just as one would create pseudocode before starting the actual coding process.
First, define the goal of the Workflow—that is, what should Cases that use this Workflow accomplish? In doing so, consider the answers to questions such as the following:
- What is the primary purpose of this Workflow?
- What are some use cases for this Workflow?
- What should be the end product of a Case that follows this Workflow?
- What types or pieces of data should be collected from a Case that follows this Workflow?
- What actions should be taken during a Case following this Workflow?
The answers to some of these questions may overlap, and that’s OK. The point of this exercise is to define the general functionality of the Workflow.
Tasks and Phases
Next, define the steps (i.e., Tasks) that need to be taken throughout the Workflow. Each Task should accomplish one discrete objective (e.g., send an email), but may generate new results (e.g., return the recipient of the email to the Case and store it as an Artifact). Note whether the Task will be accomplished manually or if it is automated (i.e., performed by a Workflow Playbook). Then group the Tasks into Phases. Alternatively, it may make more sense to envision the Phases first and then define the Tasks within those Phases.
List the Artifacts that will be created or collected during a Case that follows the Workflow. These Artifacts may be data such as Indicators (e.g., an email recipient, a URL), the body of an email, a password, a timestamp, or any other piece of information defined as an Artifact within your Organization. It may be helpful to note the Task under which each Artifact is created.
Create a Workflow Playbook
For each automated Task in your Workflow, you will need to create a Workflow Playbook with the required functionality if one does not already exist within your Organization. Make sure to test the Playbook to ensure that all inputs and outputs to the Workflow Trigger are correctly configured and that the Playbook will execute properly.
Create a Workflow
Use the Workflows tab of the Workflow screen to create a new Workflow or modify an existing one in your Organization (e.g., by duplicating an existing Workflow and changing it as desired). When creating a Workflow, you will be adding and configuring all of the Tasks and Phases and defining the Artifacts to be collected.
Alternatively, use the Templates tab of the Workflow screen to copy a Template available at the System level or in TC Exchange to your Organization as a Workflow.
Create a Workflow Case
This step is where the action takes place! Use the Cases tab of the Workflow screen to create and configure a Case, based on a newly created or previously existing Workflow. Then you can view the Case, monitor and assign its Tasks, view associated and potentially associated Indicators, Groups, and Cases; record time-based information related to the corresponding security incident or threat; view Artifacts, Attributes, and Notes added to it; and monitor a timeline of the Case’s development.
The Tasks tab of the Workflow screen serves as a dashboard where users can monitor and track Tasks across all Cases in their Organization.
ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.