On-demand orchestration

During Security Incident Response analysis, a security analyst may want to perform a task that is driven by a security incident workflow, such as running a process dump on a particular configuration item (CI). This can be accomplished with on-demand orchestration.

Each registered Security Operations application includes several on-demand orchestrations in the base system. You can define custom on-demand orchestrations, as needed.

On-demand orchestration can be invoked from a choice list at the bottom of the following lists and forms in Security Incident Response:
  • Security Incident form
  • Security Incident list
  • Security Incident Observables related list
  • Configuration Items related list
Note: A property in Security Support Common called sn_sec_cmn.use_on_demand_tbl_as_whitelist defines which workflows are available for on-demand execution.

If the property is set to true, only workflows specified in the On-Demand Orchestration [sn_sec_cmn_on_demand_orchestration] table are available.

If the property is set to false (default), all workflows for applications configured in the SecOps Application Registry are available.

Depending on the setting of the property, the list of workflows available is tailored to the type of information being analyzed.