The Deployment Wizard guides you step-by-step to quickly adopt your use case.
The Deployment Wizard significantly reduces the time required to set up your use case. It guides you through the process of setting up your content pack for your specific use case, including:
Configuring the fetching integration.
Configuring the main playbook and its input parameters.
Configuring any supporting integrations.
When browsing for content packs, you can filter by those that support the Deployment Wizard, such as Malware Investigation and Response.
To access the Deployment Wizard for the first time, you need to first install or update your content pack(s) in Marketplace. The Deployment Wizard tab appears in Marketplace after the content pack installation or update is completed.
Before installing or updating your content pack, you are prompted to install the content packs containing relevant supporting integrations (if not already installed).
For the Malware Investigation and Response content pack, you need at least one incident fetching content pack (mandatory). You can also optionally install sandbox, messaging, case management, and data enrichment and threat intelligence content packs.
For the Phishing content pack, you need at least one email gateway content pack (mandatory). You can also optionally install sandbox, EDR systems, network devices, email security gateways, mail sender, and data enrichment and threat intelligence content packs.
In Marketplace, select the content pack for your use case (for example, Malware Investigation and Response or Phishing) and click Install or Update (if the pack is already installed).
When browsing for content packs, you can search for content packs that contain the Deployment Wizard by selecting Wizards under Content Pack includes.
The Select Content Packs window opens, where you select the items to include in the pack (for the mandatory items you must select at least one). These items are automatically added to the cart.
If an item is already installed, it will automatically be checked off and grayed out and will not be listed in the cart checkout list, unless an update is required).
Click Continue and then Install or Update the content pack.
When the content pack finishes installing or updating, click Refresh content or refresh your web page.
The Deployment Wizard tab appears.
After you start running your use case you can return to this tab and make changes to the configurations, for example, your integration’s credentials or playbook parameters.
A small popup window appears next to the Deployment Wizard tab where you click Let’s Start to start the wizard.
The tab opens showing the use case deployment flow.
What needs to be done actions for each step guide you through setting up your use case.
Step 1: Fetching Integration - click the displayed fetching integration. If the integration is new, select New instance. If you want to use an existing instance, select it from Update existing instance. The integration will stay disabled until you complete all steps of the wizard.
You must define the incident type in order to set the playbook in the next step.
The default fetching integration that appears depends on which fetching integration(s) are installed. For example:
Display Order for Default Fetching Integration
Malware Investigation and Response
Palo Alto Networks Cortex XDR - Investigation and Response
Microsoft Defender for Endpoint
EWS v2 (Make sure you also install the Microsoft Exchange On-Premise pack)
O365 Outlook Mail (Using Graph API)
Gmail Single User
O365 Outlook Mail Single User (Using Graph API)
Refreshing the page can resolve issues when running the wizard.
To update an existing integration: select Update existing instance and click Next. If more than one integration instance exists, choose the one you want to update.
To create a new instance: Select New instance and click Next.
A list of What needs to be done guides you through the required fetching integration instance settings configurations. Scroll down to see the complete list.
After you save your settings, the wizard initiates a test connection. If the connection succeeds, the Fetching Integration step turns green and moves to the next step (Set Playbook).
Step 2: Set Playbook - select Configure Playbook & Parameters.
For example, the Setup Malware playbook pane opens showing the recommended primary playbook for the incident type you selected when configuring the fetching integration.
The playbook configuration includes all the input parameters to configure that will change the playbook behavior, for example, whether to use sandbox detonation or whether to perform isolation response. You can open the playbook by clicking the link on the bottom.
The wizard displays the recommended playbook. If for the fetching integration setup you chose an incident type that uses a different playbook from the recommended one, the incident type will be detached.
Step 3: Supporting Integrations - configure any installed supporting integrations in the content pack.
If a supporting integration is already installed and connected, it appears with a green check. Otherwise, click the integration to configure it.
After you save the settings, the integration instance is automatically enabled.
Step 4: What’s Next - select Turn on Use Case.
Your instance is disabled until you finish the wizard. Clicking Turn on Use Case starts the fetching process and runs the playbooks and scripts.