Building and Activating a Workflow

Building a Workflow

The first step in building a Workflow is to create a new Workflow or open an existing Workflow to update it. The example in this article starts with a new Workflow.

To create a new Workflow, click the New… button at the upper-right corner of the Workflows screen and select New Workflow. The New Workflow screen will be displayed (Figure 1).

• Name: Enter a name for the Workflow. The name should be brief, yet descriptive.
• Default Assignee: Select the name of the user or user group to whom a Case using this Workflow will be assigned by default, or select No Default Assignee if there is to be no default assignee.
• Active: After the Workflow has been fully configured, toggle this slider on to set the Workflow as active.
• Description: Enter a description for the Workflow. This text will be displayed viewing the Workflow on the Workflows screen .

Attributes

Adding an Attribute

Adding Attributes to a Workflow ensures that Cases created using the Workflow are preloaded with Attributes of the selected Attribute Types. To add an Attribute to the Workflow, click the No attributes in this template. Click to add an attribute. text in the Attributes section, or click the New… button at the upper-right corner of the Workflow and select Add Attribute. The Add Attribute drawer will be displayed on the left side of the screen (Figure 2).

• Type: Select a System-level or Organization-level Attribute Type. When a Case is created using the Workflow, a placeholder Attribute of the selected type will be displayed on the Case’s Attributes card. By default, there are no pre-configured Attribute Types for Cases. This means that this dropdown menu will be empty unless Attribute Types for Cases are created in the System or Organization in which a Case will reside.
• Create a new attribute type: Click this link to create a new Organization-level Attribute Type for Cases. The Org Config screen for the Organization in which the Workflow is being created will open in a new browser tab. See Creating Custom Attribute Types for more information about creating custom Attribute Types at the Organization level.
  Note

  Only users with a System role of Administrator can create Attribute Types at the System level. Similarly, only users with a System role of Administrator or Operations Administrator, or an Organization role of Organization Administrator, can create Attribute Types at the Organization level.
  Note

  If you use the Create a new attribute type link to create a custom Attribute Type, you must refresh the Workflows screen in order for it to be displayed in the Type dropdown menu.
  Important

  If you try to add an Attribute to a Workflow when the Attribute Type’s Max Allowed limit has been reached, an error message will be displayed stating that the maximum allowed for the Attribute Type has been exceeded on the current Workflow, and you will be directed to select an alternative Attribute Type or remove an existing Attribute of the maxed-out Attribute Type from the Workflow. See the “Attribute Administration” section for instructions on removing an existing Attribute from a Workflow.
• Description: After an Attribute Type is selected from the Type dropdown menu, the description that was entered when the Attribute Type was created will be automatically displayed.
• Click the SAVE button.

The selected Attribute will be displayed in the Attributes section of the New Workflow screen (Figure 3).

To add another Attribute to the Workflow, click the Click to add an attribute. text displayed below the newly added Attribute, or click the New…button at the upper-right corner of the Workflow and select Add Attribute, and follow the steps in this section.

Attribute Administration

The Attributes section of the New Workflow screen (Figure 3) provides the following information about each Attribute in a Workflow:

• Attribute: The name of the Attribute added to the Workflow.
• Description: A description of the Attribute that was added to the Workflow.
• Actions: Click the vertical ellipsis to display a menu with the following administrative options for each Attribute:
  • Edit: Select this option to change the Attribute’s type.
  • Remove: Select this option to remove the Attribute from the Workflow.
• =: Click this icon and drag the Attribute up or down to adjust its position in the display order, which will be reflected in the Attributes card of a Case that is created using the Workflow.

Tasks

Adding a New Task

To add a Task in the Workflow, click the No tasks in this phase. Click to add tasks to create this phase. text in the Phase 1 row at the bottom of the Workflow, or click the New…button at the upper-right corner of the Workflow and select Add Task. The Create Task drawer will be displayed (Figure 4).

• Name: Enter a name for the Task. The name should describe the goal of the Task (e.g., “Identify Target CVE,” “Prioritize the Incident,” “Review Analytic Standards,”).
• Task Completion Required: Select this checkbox to make completion of this Task a requirement for completion of the Case.
• Description: Provide a detailed description of the Task in the text box, either in plain text or in Markdown.
  Note

  The Description text box supports the Marked library (https://marked.js.org/).
• Phase: Select a Phase for the Task. Because the Task in this example is the first Task in the Workflow, Phase 1 is the only available choice, but as you build out the Workflow, subsequent Tasks may be placed into other Phases.
• Default Assignee: Select the user or user group that will be assigned to the Task. When configuring the Case itself, an assignee other than the default one may be selected. If there is to be no default assignee for the Task, select No assignee.
• Dependency: Select a Task within the Workflow upon which this Task’s completion depends. If the Task has no dependencies, select No Dependency. This dropdown menu will not be displayed if the Task is the first Task being created in the Workflow.
  Note

  For a Case using a Workflow, all Tasks are available for completion at any time unless they have an unfulfilled dependency.
• Due In: Select the unit of time (Days, Hours, or Minutes) and enter the amount of time until the Task is due. For example, if you enter 5 for the amount of time and select Days as the unit of time, the Task will be due 5 days after the Case using the Workflow is created or, for Tasks with a dependency, the Task on which it depends is completed.
• Automated Task: To make this Task an automated Task (i.e., a Task that is accomplished by a Workflow Playbook), toggle this slider on. Otherwise, the Task will be performed manually by a user. This example demonstrates the creation of a manual Task. See the “Adding an Automated Task” section for more information.

Artifact Fields

Artifact Fields define the Artifacts (i.e., the pieces of data) to be collected during the execution of the Task. To add and configure an Artifact Field in a Task, click Addicon in the Artifact Fields section of the Create Task drawer (Figure 4). The drawer will display options for configuring an Artifact Field (Figure 5).

• Variable: Enter a name to identify the Artifact Field (e.g., emailSubject). This name must be unique within a Task (i.e., no two Artifact Fields within the same Task may have the same Variable).
• Label: Enter a brief description of the Artifact Field (e.g., Subject Line of the Email).
• Required: Toggle the slider on to require the collection of the Artifact during the execution of the Task. Toggle the slider off to make the collection of the Artifact optional.
• Allow Multiple Values: Toggle the slider on to allow multiple values to be collected for this Artifact during the execution of the Task. Toggle the slider off to ensure that only one value is collected for this Artifact during the execution of the Task.
• Artifact Type: Select the data type for the Artifact. The potential Artifact types include all Indicator types, as well as a large variety of other data types, which are determined by ThreatConnect and your System Administrator.
• UI Element: This field is automatically populated with the user interface (UI) element—that is, the way in which the user executing the Task is prompted to enter information—that corresponds to the selected Artifact Type. For example, for an Artifact Type of “Address,” the UI Element will be “String,” and for an Artifact Type of “Timestamp,” the UI Element will be “DateTimePicker.”
• Data Type: This field is automatically populated with the data type that corresponds to the selected Artifact Type. For example, for an Artifact Type of “Address,” the Data Type will be “String,” and for an Artifact Type of “Timestamp,” the Data Type will be “TimeStamp.”
  Note

  If the Allow Multiple Values slider is toggled on, then the Data Type will be an Array. For example, for an Artifact Type of “Address,” the Data Type will be “StringArray,” and for an Artifact Type of “TimeStamp,” the Data Type will be “TimeStampArray.”
• Related Intel Type: If the selected Artifact Type maps to a ThreatConnect Indicator type, this field will be populated automatically with that ThreatConnect Indicator type. For example, for an Artifact Type of “File” or “File Hash,” the Related Intel Type is “indicator-File.”
  Important

  This mapping works only for single-value Indicator types. For example, the Registry Key Indicator type contains more than one value (key name, value name, and value type), so there will be no Related Intel Type provided when “Registry Key” is selected as the Artifact Type.
• Click the SAVE button to save the Artifact Field.

The Artifact Field will now be displayed in the Artifact Fields section of the Create Task drawer (Figure 6).

The vertical ellipsis to the right of the Required column provides options for editing and removing an Artifact Field. If you remove an Artifact Field from a Task, any references to the Artifact Field as a variable in automated Tasks will be invalidated.

When multiple Artifact Fields have been added to the Task, you can change the order in which the Artifact Fields are displayed by clicking on the = icon to the left of the Variable column and dragging it to its new location.

Saving a Task

Once the Artifact Fields and all other information for a Task have been entered, click the SAVE button at the lower-right corner of the Create Task drawer to save the Task. The Task will now be displayed in the selected Phase in the Workflow. If the Task was the first Task created in its Phase, a new Phase will be added to the Workflow (Figure 7).

Adding an Automated Task

An automated Task is executed by a Workflow Playbook. To create and configure an automated Task, click the No tasks in this phase. Click to add tasks to create this phase. text in an empty Phase, or click the New…button at the upper-right corner of the Workflow and select Add Task. The Create Task window will be displayed (Figure 4).

Note

If you clicked the New…button to create the Task, the Phase dropdown menu will display “Phase 1” as the default selection. If you clicked the No Tasks in this phase. Click to add tasks to create this phase. text to create the Task, the Phase dropdown menu will display the Phase in which the text was clicked as the default selection.

See the “Adding a New Task” section for instructions on filling out the fields above the Automated Task slider. To add an automated Task, toggle the Automated Task slider on. The Create Task drawer will display all Workflow Playbooks in your Organization (Figure 8).

• Use the search bar displayed above the table to filter Playbooks by name, if desired.
• To create a new Workflow Playbook that will run the automated task, click CREATE NEW PLAYBOOK. The Create Playbook window will be displayed. Enter the name and, if desired, description of the new Workflow Playbook, and click the SAVE button. The Playbook Designer will open in a new browser tab and display the newly created Playbook with a Workflow Trigger added to it. After configuring and activating the Playbook, return to the browser tab with the Create Task drawer open and click REFRESH to refresh the list of Playbooks and display a status of Active for the newly created Playbook.

Select the Workflow Playbook that is to run the automated Task. The Playbook will be displayed at the bottom of the Create Task drawer (Figure 9).

• CHANGE: To select a different Workflow Playbook, click the CHANGE text under the name of the Playbook, and the drawer will display all active Workflow Playbooks again (Figure 8).
• Run automatically after dependent task completion or Run automatically at case creation checkbox: If the automated Task has a dependency, such as in the example in Figure 9, the Run automatically after dependent task completion checkbox will be displayed. Select this checkbox to configure the automated Task to run immediately after the Task on which it is dependent is completed. If the automated Task does not have a dependency, the Run automatically at case creation checkbox will be displayed instead. Select this checkbox to configure the automated Task to run automatically once a Case using this Workflow is opened.
  Note

  Selecting either of these checkboxes will remove the Default Assignee, because the Task will run automatically and thus does not require a user to ensure its execution.
  Note

  If you select the Run automatically after dependent task completion checkbox, you must configure all required inputs for the Workflow Playbook before you can save the Task.

Click INPUTS > at the lower-right corner to display the inputs required by the Workflow Playbook (Figure 10).

• Required input fields: The bottom left of the drawer will display all required inputs for the Workflow Playbook. To ensure that the same inputs are provided to the Workflow Playbook for all Cases run using this Workflow, fill out values for these fields now. If the value for a field can differ from Case to Case, leave the fields blank so that the user will be prompted for their values when the automated Task is run within a Case.
• Available variables: The bottom right of the drawer will display all available variables in your Organization and, if applicable, output variables from the Task on which the automated Task is dependent (i.e., Workflow variables). To view only variables from the Workflow, toggle the Workflow Only slider on. To filter variables by keyword, enter text into the Filter textbox. To populate one of the required input fields with a variable, click on the variable and drag it to the field.

Click OUTPUTS > at the lower-right corner of the Create Task drawer to view the outputs that the Workflow Playbook is configured to produce (Figure 11).

To save the Workflow Playbook’s outputs as Artifacts in Cases created using the Workflow, toggle the Save to Artifact slider on. Fields for configuring the Artifact will be displayed (Figure 12).

• Artifact Name: Enter a name for the Artifact.
• Artifact Type: Select the type of Artifact being saved. Only Artifact types that map to the output’s data type (String in this example) will be displayed in the Artifact Type dropdown.
• Configure Artifact: Select the failure option(s) for the Playbook. Note that no selection is required for this field, and more than one option may be selected. Available options include the following:
  • Output is required: Select this option to make the Playbook fail if it does not produce any output.
  • Fail playbook if artifact validation fails: Select this option to make the Playbook fail if it produces output that fails Artifact validation.

Click the SAVE button to save the Task.

Task Administration

The Tasks section of a Workflow (Figure 7) provides the following information about each Task in the Workflow:

• Type: This column designates whether the Task is manual () or automated ().
• Name: This column provides the name of the Task.
• Assignee: This column provides the name of the default assignee of the Task. The default assignee can be a user or a user group.
• Artifacts: This column provides the number of Artifact Fields or Artifacts produced by the Task. Manual Tasks produce Artifact Fields, and automated Tasks produce Artifacts in the form of outputs of the Workflow Playbook.
• Required: This column displays whether completion of the Task is required.
• Dependency: This column displays the name of the Task on which the Task is dependent, if any.
• Actions: Use the vertical ellipsis menu to display a menu with the following administrative options for each Task:
  • Edit: Select this option to edit the Task. If you rename the Task, any references to the Task’s fields that may have been used in automated Tasks dependent on the renamed Task will be invalidated.
  • Copy: Select this option to create a copy of the Task. A new Task, whose name will be the name of the original Task followed by the word “Copy,” will be placed immediately at the end of the Phase.
  • Remove: Select this option to remove the Task. Removing a Task will invalidate any references to the Task’s fields that may have been used in automated Tasks dependent on the removed Task.
• =: Click on this icon and drag the Task up or down to a new location within the Phase or in a different Phase.

Saving a Workflow

It is recommended to save the Workflow each time you add a Task to it or modify an existing Task. To save the Workflow, click the SAVE button at the lower-right corner of the New Workflow screen. Once the Workflow is saved, the Workflows screen will be displayed, showing all available Workflows in your Organization, including the newly saved Workflow. Select that Workflow to continue working on it.

After you save a Workflow for the first time, it is assigned a unique identification number (e.g., Workflow Template #7).

Activating a Workflow

To activate a Workflow, toggle the Active slider at the upper-right corner of the Workflow on, as in Figure 13.

After toggling the Active slider on, click the SAVE button at the bottom right. If the SAVE button is not clicked, the Workflow will not be activated.

ThreatConnect^® is a registered trademark of ThreatConnect, Inc.

20090-04 v.06.C