Change the order of flow execution
- Updated Jan 30, 2025
- 1 minute read
- Yokohama
- Security Operations Integration Reference
Integration capability implementations specify the flow to be executed. In the base system, flows are executed sequentially, in the order specified in the implementation. You can change the order as needed.
Before you begin
Role required: sn_sec_cmn.write
Procedure
Related Content
- Security Operations Integration - Block Request capability
The Block Action capability blocks observables associated with a security incident on a firewall, web proxy, or other control point using implementation flows. This capability is used during incident response investigations to contain an identified threat.
- Security Operations Integration - Email Search and Delete capability
The Email Search and Delete capability returns the number of threat emails from an email server search and, optionally, returns details for each email found. After the email search is completed, you can delete the emails.
- Security Operations Integration - Enrich CI capability
The Enrich CI capability allows you to enrich data for configuration items associated with a security incident.
- Security Operations Integration - Enrich Observable capability
The Enrich Observable capability allows you to enrich observables with additional information from a variety of sources using implementation flows. This capability is used during incident response investigations to contain an identified threat.
- Security Operations Integration - Get Network Statistics capability
The Get Network Statistics capability retrieves a list of active network connections from a host or endpoint. It can be used for incident enrichment during investigations. This capability is triggered automatically when a configuration item is added to a security incident.
- Security Operations Integration - Get Running Processes capability
The Get Running Processes capability retrieves a list of running processes on a configuration item (CI) from a host or endpoint. This capability is used for incident enrichment during investigations.
- Security Operations Integration - Isolate Host capability
The Isolate Host capability restricts system connections to other devices. Isolate host is executed against a configuration item (CI).
- Security Operations Integration - Publish to Watchlist capability
The Publish to Watchlist capability adds observables and indicators associated with a security incident to a third-party watchlist that monitors for security events and generates alerts. This capability is used as part of incident response during investigations.
- Security Operations Integration - Sightings Search capability
The Sightings Search capability accepts a set of observables, finds any integrations that support a Sightings Search, then executes these searches.
- Security Operations Integration - Threat Lookup capability
The Threat Lookups capability performs threat intelligence lookups to determine whether one or more observables are associated with known security threats.