This article describes outbound policies and the steps to set them up on Resolution Intelligence Cloud.
Continuous monitoring safeguards entities from cyber threats. Any suspicious activity detected during continuous monitoring of entities on the Resolution Intelligence Cloud generates signals. These signals are converted to Situations and then to ActOns. You can notify customers when there is a Situation or ActOn in the entities of a particular tenant by creating a case or ticket in an ITSM tool such as JIRA or ServiceNow, or in a security tool such as Chronicle SOAR. To do this, you must integrate one of these tools, to which the generated Situations or ActOns are sent as tickets.
You can either send every Situation or ActOn generated on the platform to the integrated ITSM or security tool, or use outbound policies to control which Situations or ActOns are sent from Resolution Intelligence Cloud to your ITSM tool.
Outbound policies are a list of rules that control outgoing tickets based on the conditions defined during the ITSM or security tool configuration. For example, to send the P0 priority ActOns or Situations generated for entities in Chronicle, set the priority to P0 and the source to Chronicle. Once this rule is set, the platform sends only Situations or ActOns that have priority P0 and originate from Chronicle to your integrated ITSM tool by creating a ticket.
Note: Outbound policies apply to ITSM (JIRA, ServiceNow) and Security (Chronicle SOAR) integrations.
Prerequisites
You can only create outbound policies for the enabled security and ITSM integrations on the platform. Once the integration is enabled, these configurations are necessary to create outbound policies:
- Configure authentication details to integrate with the data source
- Configure Tenant Mapping
Roles Required
Only users with these roles can create outbound policies:
- Owner
- Global Admin
- A user with manager role
- Configuration Manager
Setting up Outbound Policies
Use this procedure to set up outbound policies for JIRA, ServiceNow, and Chronicle SOAR integrations. Setting up the policies allows you to send the ActOns or Situations generated on the platform to the integrated ITSM or security tool as a ticket or case.
To set up the outbound policies:
1. Log in to the Resolution Intelligence platform with your credentials.
2. Click the gear icon at the top, or hover over the hamburger icon at the top left corner.
3. Click Configurations from the left navigation menu.
4. Click Integrations under Data Ingestion in the left navigation menu.
5. Navigate to ITSM or Security integrations. Selecting ITSM displays JIRA and ServiceNow, and selecting Security displays Chronicle SOAR. In this example, select JIRA from the ITSM tools.
6. Enable the integration and complete the details in Authentication and Tenant Mapping.
7. Click Outbound Policy, and then click Add Policy. The Add Policy screen opens.
8. Enter a name and description (optional) for Outbound Policy.
9. Select the data source for which you want to configure the outbound policies. Possible values:
- ActOns
- Situations
10. Clear the Match all check box to specify a condition instead of sending all the Situations/ActOns to the integrated tool (in this example, JIRA) as tickets or cases.
Construct the conditional expression for your outbound policy under the Specify condition section. Select a field and an operator from the drop-down lists. For the value, select from the drop-down list or enter it manually, depending on the selected field type. The condition determines the records to which the rule applies. A condition expression can consist of several phrases joined by AND or OR operators.
For each phrase, select a field, operator, and value. Click +Add Condition to add another condition in a row. Use the parentheses and AND/OR options to join the phrases together to form a condition expression.
Note:
You can do the following:
- Set the conditional expression only if the Match all check box is cleared.
- Turn ON the Negate toggle corresponding to a condition to allow data to be sent to the ITSM tool only when that conditional expression is not true.
- Turn ON the Negate group toggle to allow data only when the set of conditions defined within a group is not true.
11. Click Submit.
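The condition logic from the steps above, modelled as an added example (this is not the platform's code or export format). The policy structure, the operator names and the record `type` field are assumptions; the rule is the P0/Chronicle example from the introduction. A dry run like this shows which records a Negate toggle or a deactivated policy would stop from reaching the ticketing tool.

```python
# Hypothetical model of an outbound policy; structure and operator names are
# assumptions for illustration, not the platform's own format.
OPS = {"equals": lambda a, b: a == b, "not_equals": lambda a, b: a != b}

def evaluate(node, record):
    """Evaluate one phrase, or a group of phrases, against one record."""
    if "conditions" in node:                   # group: phrases joined by AND/OR
        results = [evaluate(c, record) for c in node["conditions"]]
        result = all(results) if node.get("join", "AND") == "AND" else any(results)
    else:                                      # phrase: field, operator, value
        # A missing field makes the phrase false (so its negation passes).
        result = node["field"] in record and OPS[node["operator"]](
            record[node["field"]], node["value"])
    # Negate / Negate group: pass only when the expression is NOT true.
    return not result if node.get("negate", False) else result

def should_send(policy, record):
    """True when the record would be forwarded as a ticket or case."""
    if not policy.get("active", True):         # deactivated policy sends nothing
        return False
    if record.get("type") != policy["data_source"]:
        return False
    if policy.get("match_all", False):         # Match all: no condition applied
        return True
    return evaluate(policy["condition"], record)

# The page's example rule: priority P0 AND source Chronicle.
P0_CHRONICLE = {
    "data_source": "ActOns", "match_all": False, "active": True,
    "condition": {"join": "AND", "conditions": [
        {"field": "priority", "operator": "equals", "value": "P0"},
        {"field": "source", "operator": "equals", "value": "Chronicle"},
    ]},
}

# Constructed sample records, not real platform output.
SAMPLES = [
    {"id": 1, "type": "ActOns", "priority": "P0", "source": "Chronicle"},
    {"id": 2, "type": "ActOns", "priority": "P1", "source": "Chronicle"},
    {"id": 3, "type": "ActOns", "priority": "P0", "source": "Other"},
    {"id": 4, "type": "Situations", "priority": "P0", "source": "Chronicle"},
]

def dry_run(policy, records):
    """Return the ids of the records the policy would forward."""
    return [r["id"] for r in records if should_send(policy, r)]
```

With Negate group turned on for the same rule, the dry run forwards records 2 and 3 and withholds the P0 Chronicle ActOn, which is worth checking before a negated policy is submitted.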
Viewing an outbound policy
To view an outbound policy:
- Click the gear icon at the top, or hover over the hamburger icon at the top left corner.
- Click Configurations from the left navigation menu.
- Click Integrations under Data Ingestion in the left menu.
- Navigate to ITSM or Security integrations. For example, JIRA.
- Click the Outbound Policy.
- Click the desired policy, or scroll right and click the three dots on the policy listing page. A drop-down list opens.
- Click View to open and view the desired outbound policy.
Editing an outbound policy
To edit an outbound policy:
- Click the gear icon at the top, or hover over the hamburger icon at the top left corner.
- Click Configurations from the left navigation menu.
- Click Integrations under Data Ingestion in the left menu.
- Navigate to ITSM or Security integrations. For example, JIRA.
- Click the Outbound Policy.
- Scroll right and click the three dots on the policy listing page. A drop-down list opens.
- Click Edit. An editing window opens.
- Modify the outbound policy details in the form.
- Click Update to save the changes.
Deleting an Outbound Policy
To delete an outbound policy:
- Click the gear icon at the top, or hover over the hamburger icon at the top left corner.
- Click Configurations from the left navigation menu.
- Click Integrations under Data Ingestion in the left menu.
- Navigate to ITSM or Security integrations. For example, JIRA or Chronicle SOAR.
- Click the Outbound Policy.
- Scroll right and click the ellipsis icon on the policy listing page. A drop-down list opens. Alternatively, select the check box corresponding to each policy that you want to remove.
- Click Delete.
The outbound policy is removed from the listing page.
Deactivating an outbound policy
Use this procedure to deactivate an outbound policy. When a policy is deactivated, no ticket or case is created in the integrated ITSM or security tool, even if an ActOn or Situation generated on the platform meets the conditions defined in the rule.
To deactivate an outbound policy:
- Click the gear icon at the top, or hover over the hamburger icon at the top left corner.
- Click Configurations from the left navigation menu.
- Click Integrations under Data Ingestion in the left menu.
- Navigate to ITSM or Security integrations. For example, JIRA or Chronicle SOAR.
- Click the Outbound Policy.
- Scroll right and click the ellipsis icon on the policy listing page. A drop-down list opens. Alternatively, select the check box corresponding to each policy that you want to deactivate.
- Click Deactivate. A prompt appears to confirm the deactivation.
- Select Yes. The outbound policy is deactivated.