TQO - Building Workflows Transcript

1 00:00:11.094 --> 00:00:14.055 ThreatQ Orchestrator Workflows take your identified triggers
2 00:00:14.931 --> 00:00:17.017 in the form of Data collections
3 00:00:17.225 --> 00:00:21.479 and enrich your selected threat intelligence data using TQO actions.
4 00:00:22.522 --> 00:00:24.607 You will need the following to build a workflow
5 00:00:25.025 --> 00:00:31.281 a TQO license, a data collection, and at least one TQO action installed on your instance.
6 00:00:31.906 --> 00:00:34.617 Actions can be downloaded from the ThreatQ Marketplace.
7 00:00:35.410 --> 00:00:38.038 To begin, click on the Orchestrator menu option.
8 00:00:38.580 --> 00:00:43.626 From the Orchestrator page, you can see an overview of your workflows and important details, such as
9 00:00:44.335 --> 00:00:48.923 Whether or not a workflow is enabled, the name of the workflow, and the last time a workflow ran.
10 00:00:49.716 --> 00:00:50.967 Click on Add Workflow.
11 00:00:52.510 --> 00:00:55.472 Enter a name for the workflow and an optional description.
12 00:01:01.061 --> 00:01:03.813 Select a data collection for the workflow to use.
13 00:01:05.065 --> 00:01:05.982 Click on Create.
14 00:01:07.734 --> 00:01:09.277 The workflow builder will open.
15 00:01:09.778 --> 00:01:12.572 The blue node represents the data collection you selected.
16 00:01:13.031 --> 00:01:18.036 Clicking on this node will reveal the number and types of objects included in the data collection.
17 00:01:19.037 --> 00:01:22.665 It is important to note that if the data collection contains object types
18 00:01:22.665 --> 00:01:27.545 that are not compatible with the action, those objects will be skipped when performing the run.
19 00:01:28.129 --> 00:01:30.465 The green node represents the workflow itself.
20 00:01:31.216 --> 00:01:34.177 Clicking on this node will display workflow settings such as
21 00:01:34.177 --> 00:01:39.516 the data collection selected, run schedule, as well as notification and debug options.
22 00:01:40.016 --> 00:01:42.977 Click on the green workflow node if you haven't done so already.
23 00:01:43.520 --> 00:01:45.730 Select a run schedule for the workflow.
24 00:01:48.441 --> 00:01:52.445 You can also trigger a manual run from here, using the Run Now button.
25 00:01:52.946 --> 00:01:56.574 This option will initially be grayed out until the workflow has been enabled.
26 00:01:57.742 --> 00:01:59.285 Click on the Save Changes button.
27 00:02:02.163 --> 00:02:04.415 Click on the plus icon to select an action.
28 00:02:05.959 --> 00:02:08.586 Select an action from the dropdown menu provided.
29 00:02:09.003 --> 00:02:12.966 The action’s accepted object types and default configurations will load.
30 00:02:13.383 --> 00:02:18.888 These settings are pulled from the action’s default configurations set under the My integrations page.
31 00:02:19.347 --> 00:02:24.644 Updating action configurations from the workflow builder will not affect the default configurations.
32 00:02:24.936 --> 00:02:28.648 Nor will it affect other workflow instances using the same action.
33 00:02:29.315 --> 00:02:35.113 Additionally, updating the default configuration settings for an action from the My integrations page
34 00:02:35.405 --> 00:02:39.075 will not affect actions that have already been deployed in a workflow.
35 00:02:39.659 --> 00:02:45.165 Review the configuration settings, make any necessary updates, and click on save changes.
36 00:02:45.748 --> 00:02:48.877 The action name and logo will now appear in the node view.
37 00:02:49.460 --> 00:02:55.884 At this point, you can add additional actions but you must click save changes in between adding each action.
38 00:03:05.768 --> 00:03:11.232 Once you have completed adding your actions, click on the enable toggle switch to enable the workflow.
39 00:03:11.774 --> 00:03:17.572 If you selected a run schedule, the workflow will kick off its first run and then follow your set schedule.
40 00:03:18.281 --> 00:03:24.204 You can view run details from the Activity Log tab, located to the top-left of the workflow builder screen.
41 00:03:24.746 --> 00:03:30.752 The activity log allows you to review run details and information on any enriched data the action has ingested.