STORM comes with built-in processes for event triage, incident handling and task handling. All processes are invalid by default and have to be activated by an administrator first. Each process also depends on other objects (ACLs, dynamic fields, queues, ticket notifications, ticket types), which have to be set to valid before the process itself can be activated.
This chapter explains how to make the processes work.
Setup
The processes can be activated in the Process Management screen of the administrator interface. All processes are invalid by default, and each one needs its dependencies set to valid first; the order below matters, since a process is only activated after its dependencies.
To activate the Event Triage process:
- Go to the Queues screen of the administrator interface.
- Set the Incidents queue to valid.
- Go to the Dynamic Fields screen of the administrator interface.
- Set the following dynamic fields to valid:
  - EventClassification
  - IncidentTicket
  - ProcessHelper
- Go to the Access Control Lists (ACL) screen of the administrator interface.
- Set the following ACLs to valid:
  - Event 001 - Forbid Actions
  - Event 001 - Forbid ActionsLimit DF Event Classification
- Deploy all ACLs.
- Go to the Process Management screen of the administrator interface.
- Set the Event Triage process to valid.
- Deploy all processes.
To activate the Incident Handling process:
- Go to the Types screen of the administrator interface.
- Set the following types to valid:
  - Event
  - Incident
  - Task
- Go to the Dynamic Fields screen of the administrator interface.
- Set the following dynamic fields to valid:
  - AnalysisResult
  - EnisaSecurityIncidentClassification
  - ISO
  - KRITISSituationAssessment
  - KRITISTaxonomy
  - LessonsLearned
  - ProcessHelper
  - RemediationAdvice
  - SendAdvice
  - TaskBody
  - TaskName
  - TaskRecipient
  - TaskResult
  - TaskSubject
  - TechContact
  - TLP
- Go to the Ticket Notifications screen of the administrator interface.
- Set the following ticket notifications to valid:
  - Incident: Send Mitigation & Remediation Advice - TLP Amber
  - Incident: Send Mitigation & Remediation Advice - TLP Green
  - Incident: Send Mitigation & Remediation Advice - TLP Red
  - Incident: Send Mitigation & Remediation Advice - TLP White
- Go to the Access Control Lists (ACL) screen of the administrator interface.
- Set the following ACLs to valid:
  - Incident 001 - Hide Actions and Dialogues
  - Incident 002a - Show Next Button in Analysis phase step 1
  - Incident 002b - Show Next Button in Analysis phase step 2
  - Incident 003a - Show Next Button in Mitigation phase step 1
  - Incident 003b - Show Next Button in Mitigation phase step 2
  - Incident 004 - Show close button
  - Incident 005 - Hide Kritis Taxonomy
  - Incident 005 - Show Kritis Taxonomy
- Deploy all ACLs.
- Go to the Process Management screen of the administrator interface.
- Set the Incident Handling process to valid.
- Deploy all processes.
To activate the Task Handling process:
- Go to the Types screen of the administrator interface.
- Set the following types to valid:
  - Incident
- Go to the Dynamic Fields screen of the administrator interface.
- Set the following dynamic fields to valid:
  - TaskName
  - TaskResult
- Go to the Access Control Lists (ACL) screen of the administrator interface.
- Set the following ACLs to valid:
  - Task 001 - Hide Actions
- Deploy all ACLs.
- Go to the Process Management screen of the administrator interface.
- Set the Task Handling process to valid.
- Deploy all processes.
Console Command
There is a console command to list, enable and disable the process groups. Execute the command with the --help option for detailed instructions about how it works.
$ bin/otrs.Console.pl Maint::STORM::ProcessGroups::Toggle --help
Enable/Disable a process group and its dependencies
Usage:
otrs.Console.pl Maint::STORM::ProcessGroups::Toggle [--name ...] [--list] [--enable] [--disable]
Options:
[--name ...] - Name of the process group (all if omitted).
[--list] - List all process groups.
[--enable] - Enable the process group.
[--disable] - Disable the process group.
[--help] - Display help for this command.
[--no-ansi] - Do not perform ANSI terminal output coloring.
[--quiet] - Suppress informative output, only retain error messages.
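The following wrapper is an added example for this page; it is not part of the STORM documentation or package. It runs the documented Maint::STORM::ProcessGroups::Toggle command for exactly one named process group and then prints the dependency checklist from the Setup section above, so the administrator can confirm in the administrator interface that the queue, types, dynamic fields, ticket notifications and ACLs ended up valid and that ACLs and processes are deployed (the page does not state that the console command deploys them). Assumptions: the names accepted by --name are the process names used on this page (Event Triage, Incident Handling, Task Handling); the script runs from the OTRS home directory so that bin/otrs.Console.pl resolves; the --list output names each group on its own line. STORM_CONSOLE and STORM_DRY_RUN are variables introduced by this example, not OTRS settings.

```shell
#!/bin/sh
# Added example, not part of STORM. Wraps Maint::STORM::ProcessGroups::Toggle
# for one validated process group and prints the page's dependency checklist.
# Assumed: --name takes the process names from this page; run from the OTRS
# home directory; --list prints each group name on its own line.
# STORM_CONSOLE and STORM_DRY_RUN are introduced here, not OTRS settings.

STORM_CONSOLE="${STORM_CONSOLE:-bin/otrs.Console.pl}"
STORM_DRY_RUN="${STORM_DRY_RUN:-0}"

# Only the three process groups described on this page are accepted. The
# console command toggles ALL groups when --name is omitted, so the wrapper
# never runs without an explicit, validated name.
storm_known_group() {
    case "$1" in
        "Event Triage"|"Incident Handling"|"Task Handling") return 0 ;;
        *) return 1 ;;
    esac
}

# Dependencies of each process group, as listed in the Setup section.
storm_dependencies() {
    case "$1" in
        "Event Triage")
            echo "queues: Incidents"
            echo "dynamic fields: EventClassification IncidentTicket ProcessHelper"
            echo "ACLs: Event 001 - Forbid Actions | Event 001 - Forbid ActionsLimit DF Event Classification"
            ;;
        "Incident Handling")
            echo "types: Event Incident Task"
            echo "dynamic fields: AnalysisResult EnisaSecurityIncidentClassification ISO KRITISSituationAssessment KRITISTaxonomy LessonsLearned ProcessHelper RemediationAdvice SendAdvice TaskBody TaskName TaskRecipient TaskResult TaskSubject TechContact TLP"
            echo "ticket notifications: Incident: Send Mitigation & Remediation Advice - TLP Amber/Green/Red/White"
            echo "ACLs: Incident 001 - Hide Actions and Dialogues | Incident 002a/002b - Show Next Button in Analysis phase step 1/2 | Incident 003a/003b - Show Next Button in Mitigation phase step 1/2 | Incident 004 - Show close button | Incident 005 - Hide Kritis Taxonomy | Incident 005 - Show Kritis Taxonomy"
            ;;
        "Task Handling")
            echo "types: Incident"
            echo "dynamic fields: TaskName TaskResult"
            echo "ACLs: Task 001 - Hide Actions"
            ;;
        *) return 1 ;;
    esac
}

# Build and print the exact console command for GROUP and ACTION
# (enable|disable). Kept separate from execution so it can be reviewed,
# logged, or tested without an OTRS installation.
storm_toggle_cmd() {
    storm_known_group "$1" || { echo "unknown process group: $1" >&2; return 1; }
    case "$2" in
        enable|disable) ;;
        *) echo "action must be enable or disable, got: $2" >&2; return 1 ;;
    esac
    printf '%s Maint::STORM::ProcessGroups::Toggle --name "%s" --%s\n' \
        "$STORM_CONSOLE" "$1" "$2"
}

# Toggle the group (or only print the command when STORM_DRY_RUN=1), show
# its --list line, and print the dependencies to verify afterwards. The
# real command is run with separate arguments, never through eval.
storm_toggle() {
    cmd=$(storm_toggle_cmd "$1" "$2") || return 1
    if [ "$STORM_DRY_RUN" = "1" ]; then
        echo "dry run: $cmd"
    else
        "$STORM_CONSOLE" Maint::STORM::ProcessGroups::Toggle --name "$1" "--$2" || return 1
        "$STORM_CONSOLE" Maint::STORM::ProcessGroups::Toggle --list | grep -F -- "$1" \
            || echo "warning: $1 not found in --list output" >&2
    fi
    echo "verify these dependencies are valid, and ACLs/processes deployed, for $1:"
    storm_dependencies "$1"
}

# Usage: STORM_DRY_RUN=1 sh storm-toggle.sh "Event Triage" enable
if [ "$#" -eq 2 ]; then
    storm_toggle "$1" "$2"
fi
```

Run it with STORM_DRY_RUN=1 first to see the exact command it would issue; without the dry-run flag it executes the toggle and then greps the --list output for the group, which is only a presence check, since the page does not document that output's format.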
Usage
We developed the processes based on best practices. We also know that every customer has a different workflow, so the processes may have to be customized before they are deployed and used in production. Please consult with our experts before activating a process.
The general usage of processes is explained in the Administrator Manual. For detailed usage of the processes above, ask the Customer Solutions Team.