The Deployment Wizard guides you step-by-step to quickly adopt your use case.
The Deployment Wizard significantly reduces the time required to set up your use case.
It guides you through the process of setting up your content pack for your specific use case, including:
Configuring the fetching integration.
Configuring the main playbook.
Configuring any supporting integrations.
Note
To access the Deployment Wizard for the first time, you must first install your content pack in Marketplace. The Deployment Wizard tab appears in Marketplace after the content pack installation is complete.
Currently, only the Malware Investigation and Response content pack supports the Deployment Wizard.
Prerequisites
Before installing your content pack, you need to install the content packs containing relevant supporting integrations.
For example, for the Malware Investigation and Response content pack, you need one or more incident fetching content packs. You can also optionally install sandbox, messaging, case management, and data enrichment and threat intelligence content packs.
In Marketplace, select the content pack for your use case (for example, Malware Investigation and Response) and click Install.
The Select Content Packs window opens, where you select the items to include for the pack (for the mandatory items you must select at least one). These items are automatically added to the cart.
Note
If an item is already installed, it will automatically be checked off and grayed out.
Click Continue.
Click Install to install the content pack.
When the content pack finishes installing, click Refresh content.
The DEPLOYMENT WIZARD tab appears.
Note
After you start running your use case, you can return to this tab and change the configurations, for example the credentials or the playbooks used.
If this is the first time you are installing the content pack, a small popup window appears next to the DEPLOYMENT WIZARD tab where you click Let’s Start to start the wizard.
Otherwise, click the DEPLOYMENT WIZARD tab.
The tab opens showing the use case deployment flow.
Step 1: Fetching Integration - click the displayed fetching integration. You have the option to update it or to create a new instance. The integration will stay disabled until you complete all steps of the wizard.
Note
For Malware, if the Palo Alto Networks Cortex XDR - Investigation and Response integration is installed, it appears as the default fetching integration.
If CrowdStrike Falcon is installed (and not Palo Alto Networks Cortex XDR - Investigation and Response), it will appear as the default fetching integration. Otherwise, Microsoft Defender for Endpoint will appear (if it is installed).
Note
Refreshing the page can resolve issues when running the wizard.
To update an existing integration: select Update existing instance and click Next. If more than one integration instance exists, choose the one you want to update.
To create a new instance: Select New instance and click Next.
A What needs to be done list guides you through the required settings for the fetching integration instance. Scroll down to see the complete list. Parameters that already have default settings can be left as-is.
After you save your settings, the wizard initiates a test connection. If the connection succeeds, the Fetching Integration step turns green and the wizard moves to the next step (Set Playbook).
If the connection fails, the step turns red and hovering over it displays a message indicating the reason for connection failure.
Step 2: Set Playbook - select Configure Playbook & Parameters.
The Setup Malware playbook pane opens showing the recommended primary playbook for the incident type you selected when configuring the fetching integration.
The playbook configuration includes all the input parameters that change the playbook's behavior, for example whether to use sandbox detonation or whether to perform isolation response. You can open the playbook by clicking the link at the bottom.
Note
If you choose a playbook other than the default and the incident type is a system type, the incident type is detached as part of assigning the new playbook.
Click Done.
Step 3: Supporting Integrations - configure any installed supporting integrations in the content pack.
If a supporting integration is already installed and connected, it appears with a green check. Otherwise, click the integration to configure it.
Note
After you save the settings, the integration instance is automatically enabled.
Step 4: What’s Next - select Turn on Use Case.
Note
Your instance is disabled until you finish the wizard. Clicking Turn on Use Case starts the fetching process and runs the playbooks and automations.