The Deployment Wizard guides you step-by-step to quickly adopt your use case.
The Deployment Wizard can be used to set up your use case for the Malware Investigation and Response content pack and the Phishing content pack. In order to work with your content pack you need to set up your integrations. The Deployment Wizard guides you through:
Configuring the integrations that will be used to fetch events (fetching integrations). These events will be mapped as incidents.
Configuring the main playbook and its input parameters. For example, the Setup Malware playbook pane opens showing the recommended primary playbook for the incident type you selected when configuring the fetching integration. The playbook configuration includes all the input parameters that change the playbook behavior, for example, whether to use sandbox detonation or whether to perform isolation response. You can open the playbook by clicking the link at the bottom.
Configuring any supporting integrations, such as an email integration.
The default fetching integration for your content pack depends on which fetching integration(s) are installed. For example:
Content Pack | Default Fetching Integration in Order of Priority |
---|---|
Malware Investigation and Response |
|
Phishing |
|
Prerequisites
To access the Deployment Wizard for the first time, you need to first install or update your Malware Investigation and Response content pack or your Phishing content pack in Marketplace. The Deployment Wizard tab appears in Marketplace after the content pack installation or update is completed.
For example:
For the Malware Investigation and Response content pack, you need at least one incident fetching content pack (mandatory). You can also optionally install sandbox, messaging, case management, and data enrichment and threat intelligence content packs.
For the Phishing content pack, you need at least one email gateway content pack (mandatory). You can also optionally install sandbox, EDR systems, network devices, email security gateways, mail sender, and data enrichment and threat intelligence content packs.
How to set up your use case with the Deployment Wizard
In Marketplace, select the content pack for your use case (for example, Malware Investigation and Response or Phishing) and click Install or Update (if the pack is already installed).
In the Select Content Packs window, select one or more content packs from the required categories. You can also install other supporting content packs from other categories if needed. These items are automatically added to the cart.
Click Continue and then Install or Update.
When the content pack finishes installing or updating, click Refresh content.
The Deployment Wizard tab appears.
Note
After you start running your use case you can return to this tab and make changes to the configurations, such as your integration’s credentials or playbook parameters.
Click Let’s Start in the small dialog box that appears next to the Deployment Wizard tab.
The tab opens showing the use case deployment flow.
Step 1: Fetching Integration - Click the displayed fetching integration. If the integration is new, select New instance. If you want to use an existing instance, select it from Update existing instance. The integration will stay disabled until you complete all steps of the wizard.
Note
You must define the incident type in order to set the playbook in the next step.
The What needs to be done list guides you through the required settings for the fetching integration instance. Scroll down to see the complete list.
After you save your settings, the wizard initiates a test connection. If the connection succeeds, the Fetching Integration step turns green and the wizard moves to the next step (Set Playbook).
Step 2: Set Playbook - Select Configure Playbook & Parameters.
Note
The wizard displays the recommended playbook. If, during the fetching integration setup, you chose an incident type that uses a different playbook from the recommended one, the incident type will be detached.
Click Done.
Step 3: Supporting Integrations - Configure any installed supporting integrations in the content pack.
If a supporting integration is already installed and connected, it appears with a green check. Otherwise, click the integration to configure it.
Note
After you save the settings, the integration instance is automatically enabled.
Step 4: What’s Next - Select Turn on Use Case to start the fetching process and run the playbooks and scripts.