
Automated Workflows


Automated workflows enable you to take actions when certain events occur – automatically. You set up a workflow, then Barracuda Forensics & Incident Response automatically follows through, taking the actions you specify, without requiring further interaction from you. 

Automated workflows consist of three components, listed below along with their possible values.


  • Triggers – The activity that sets the workflow in motion. 
    • User-reported Email submitted
      Prerequisites for this trigger:
      • Your organization must be using the Barracuda Outlook add-in for reporting questionable emails.
      • An end user in your organization must report an email by using the Barracuda Outlook add-in. 
    • Additional triggers will be added over time
  • Conditions – Optional. The status or value that must be met to continue the workflow. Based on the condition, the workflow travels through different paths. The conditions displayed are based on the trigger type.
    • Reported by – User who reported the suspicious email.
    • Number of mailboxes affected – How many mailboxes are affected by the reported email. Note that this number might increase if you are still experiencing a malicious email attack. 
    • Number of users reported – How many users reported this same email. This value equals 1 for the first reporter, then increases by 1 for each user who reports an email with the same sender and subject. 
    • Sender email – Sender of the user-reported email.
    • Subject – Subject of the user-reported email.
  • Actions – The outcome of the workflow. Specify the details of each of these actions in the settings (gear icon). Refer to Automated Workflows Settings, later in this article.
    • Create incident – Creates an incident, based on the trigger and condition.
    • Create email notification – Alerts administrators about this trigger, using the email specified in Automated Workflows Settings. 
    • Create Slack notification – Alerts administrators about this trigger, using the Slack webhook specified in the Automated Workflows Settings. 

Triggers and Actions are required when creating an automated workflow; Conditions are not required. As shown in Figure A below, you can create a workflow that just has a Trigger, like a User-reported email submitted, and an action, like Create Slack notification. So whenever a new user-reported email is submitted – regardless of the subject, sender email, or other values – an alert notification is sent. 

Figure A
Automated Workflow with No Conditions

Figure B
Automated Workflow with Multiple Actions

Figure C
Automated Workflow with Multiple Conditions and Actions


You can optionally specify multiple values per component in a single workflow. For example, as shown in Figure B above, you can create a workflow which requires triggers for both the sender email and email subject. Then, you can choose to have both an action to create an incident and another action to send a Slack notification. Figure C shows both multiple conditions and multiple actions. 

Specifying AND vs OR Conditions

When creating a workflow with two or more conditions, you might want to specify whether individual conditions can set off an action (OR scenario) or whether a combination of conditions is required (AND scenario) before an action can be taken.

Figure D below shows an OR scenario, where either of the conditions' being met is enough to set the action in motion. You might think of OR scenarios as a parallel flow. When you create workflows, they are created as OR scenarios by default. 

Figure E below shows an AND scenario, where both conditions must be met before the action can be taken. You might think of AND scenarios as a serial flow. When you create workflows and want to change from the default OR scenario to an AND scenario, you must rearrange the nodes, delete some of the original connections, and draw new connections. Check that the nodes in your workflow are all connected and will produce your desired effect. If, for example, you have competing conditions, the actions in your workflow will never be taken. 

The examples in Figure D and Figure E are relatively simple. You can create much more complex workflows with combinations of AND and OR scenarios.

Figure D

OR Scenario – Only One Condition Must Be Met

Figure E

AND Scenario – Both Conditions Must Be Met
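
The difference between the two wirings can be checked with a small model. The following Python is an added illustration, not Barracuda code: it assumes a workflow behaves as a graph in which a condition passes the flow on only when it is met, and the node names, event values and function names are hypothetical.

```python
import operator
# Operators offered when adding a condition (step 7 of "Creating an Automated Workflow").
OPS = {"Equals": operator.eq, "Does not equal": operator.ne,
       "Greater than": operator.gt, "Less than": operator.lt}

def cond(field, op, value):
    return {"kind": "condition", "field": field, "op": op, "value": value}

def _walk(nodes, edges, passes):
    """Follow connections down from every trigger; return the actions reached."""
    frontier = [n for n, d in nodes.items() if d["kind"] == "trigger"]
    seen = set()
    while frontier:
        node = frontier.pop()
        if node not in seen and passes(nodes[node]):  # unmet condition ends the path
            seen.add(node)
            frontier += [dst for src, dst in edges if src == node]
    return {n for n in seen if nodes[n]["kind"] == "action"}

def actions_taken(nodes, edges, event):
    """Actions that fire for one reported email (assumed evaluation model)."""
    def passes(d):
        return d["kind"] != "condition" or OPS[d["op"]](event[d["field"]], d["value"])
    return _walk(nodes, edges, passes)

def unreachable_actions(nodes, edges):
    """Actions with no connection path from a trigger; they can never be taken."""
    every_action = {n for n, d in nodes.items() if d["kind"] == "action"}
    return every_action - _walk(nodes, edges, lambda d: True)

# Constructed workflow: node names are hypothetical labels for this example.
NODES = {
    "reported": {"kind": "trigger"},   # User-reported Email submitted
    "mailboxes": cond("Number of mailboxes affected", "Greater than", 10),
    "reporters": cond("Number of users reported", "Greater than", 1),
    "incident": {"kind": "action"},    # Create incident
    "slack": {"kind": "action"},       # Create Slack notification, left unconnected
}
# OR (parallel): each condition connects the trigger to the action on its own.
OR_EDGES = [("reported", "mailboxes"), ("reported", "reporters"),
            ("mailboxes", "incident"), ("reporters", "incident")]
# AND (serial): the second condition is reached only through the first.
AND_EDGES = [("reported", "mailboxes"), ("mailboxes", "reporters"),
             ("reporters", "incident")]
# Constructed event: widely delivered, but only one user has reported it so far.
EVENT = {"Number of mailboxes affected": 25, "Number of users reported": 1}
if __name__ == "__main__":
    for name, edges in (("OR", OR_EDGES), ("AND", AND_EDGES)):
        print(name, actions_taken(NODES, edges, EVENT), unreachable_actions(NODES, edges))
```

In this model, a competing pair such as Greater than 10 followed in series by Less than 5 on the same value is fully connected yet yields no action for any event, so a connection check alone does not show that a workflow can fire.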


Creating an Automated Workflow

To create an automated workflow:

  1. Open Barracuda Forensics & Incident Response. 
  2. From the menu in the upper left corner, select Automated Workflows.
  3. On the Automated Workflows page, click Create Workflow.
  4. Provide a unique name for the workflow. 
  5. Optional. Provide a description for the workflow.
  6. In the Event Types menu, select Triggers. Select a trigger from the list. Click the plus (+) icon. The trigger appears in the graphical workflow space. 
    If needed, repeat this step for additional triggers in this workflow. 
  7. Optional. In the Event Types menu, switch your selection to Conditions. Select a condition from the list. Specify an operator (Equals, Does not equal, Greater than, Less than), then specify the value in the Condition Details field. Click the plus (+) icon. The condition appears in the graphical workflow space. 
    For example, you might specify that the Number of mailboxes affected is Greater than 10.
    If needed, repeat this step for additional conditions in this workflow. 
  8. In the Event Types menu, switch your selection to Actions. Select an action from the list. Click the plus (+) icon. The action appears in the graphical workflow space. 
    If needed, repeat this step for additional actions in this workflow. 
  9. Review the graphical representation of the workflow. Triggers are shown in the top level, followed by Conditions, with Actions on the lowest level. 
    Take the following actions, if needed:
    • Check connections – Check that connections exist between the various parts of your workflow. If your workflow actions are not connected to the rest of your workflow, they cannot be taken.
    • Rearrange components – Click and drag components to new locations.
    • Add components – Repeat the step above to add one or more new components.
    • Change the value for a condition – Remove the condition component, then add a new condition component with the desired value.
    • Remove connections – If you are changing from an OR to an AND scenario, be sure to remove any unneeded connections. Click the connection to select it, then click the trash icon in the toolbar.
    • Remove a workflow component – Click the component to select it, then click the trash icon in the toolbar.
    • Zoom in/out/re-center – Use the +/- icons in the toolbar to zoom in and out on your workflow. To re-center the workflow, click the re-center icon in the toolbar.
  10. Click Create Workflow.
  11. The workflow appears in the table on the Automated Workflows page. It is ready to launch whenever it is triggered.

Reviewing and Taking Action with Automated Workflows

To review and take action on automated workflows: 

  1. Open Barracuda Forensics & Incident Response. 
  2. From the menu in the upper left corner, select Automated Workflows.
    The Automated Workflows table displays all automated workflows created for your account. 
    For each automated workflow, you can view the following information: 
    • Created on – Date the admin created the workflow. 
    • Workflow Name – Name given to the workflow by the creator.
    • Edited By – The last person to edit the workflow. 
    • Times Triggered – How many times the trigger event has occurred.
    • Conditions Checked – How many times the conditions in the workflow were checked. In a workflow like that shown in Figure B above, where the number of conditions and triggers are equal, the Conditions Checked value equals the Times Triggered value. In a workflow like that shown in Figure C above, there are twice as many conditions as triggers, so the Conditions Checked value should be twice that of the Times Triggered value. 
    • Actions Taken – How many times the action(s) for this workflow have been completed.  In a workflow like that shown in Figure A above, where the number of triggers and actions are equal, the Actions Taken value equals the Times Triggered value. In a workflow like that shown in Figure B above, there are twice as many actions as triggers, so the Actions Taken value should be twice that of the Times Triggered value. 
    To edit a workflow, click the pencil icon in the Actions column.
    To disable a workflow, click the pause icon in the Actions column. The workflow disappears from the Automated Workflows table and is available when you click Show Disabled.
    To view details about the workflow, click the clipboard icon in the Actions column.

Viewing and Reactivating Disabled Automated Workflows

To view disabled workflows, click Show Disabled. You can edit workflows in the disabled state.

To re-enable a workflow on this list, click the play icon in the Actions column. Click Show Enabled to view it.

Automated Workflows Settings

Click the gear icon in the upper right corner of the Automated Workflows page to update the settings for all Automated Workflows.

  • Incident Action – Choose an action for incidents created from the workflows. The incidents can either move emails from users' mailboxes into their junk folders or delete the mails entirely. 
    Your Continuous Remediation setting for manually creating incidents applies to incidents created through Automated Workflows. You can enable or disable Continuous Remediation for all incidents created through Automated Workflows. For more information, refer to Continuous Remediation.
  • Email Notification – If you want to use the same Security Team Email you use for other Barracuda Forensics & Incident Response notifications, select Yes. Otherwise, select No and enter a new Security Team Email for a single person or distribution list.
  • Slack Notifications – To receive Slack notifications, you must specify the webhook for Slack. For more information on how to set up incoming webhooks, see Setting up Incoming Webhooks for Slack.

Note that Slack notifications are sent from Forensics Automated Workflows.

Viewing Incidents Created by Automated Workflows
Viewing an Incident from within Automated Workflows

 

To view an Incident from within Automated Workflows:

  1. In the Automated Workflows table, locate the workflow that created the incident you want to see. Click View Workflow.
    The View Workflow page displays.
  2. In the Automated Workflow Runs table, click the plus icon next to the run of this workflow you want to investigate.
  3. In the Event Result column, click Incident created.
    The View Incident page displays. There you can view the details of the incident. Click the Automated Workflow link to return to the View Workflow page. 

 

Viewing an Incident from the Incidents Page

Incidents created by automated workflows are listed on the Incidents page, along with all other incidents, and are shown as being created by an automated workflow. When you view the incident details, click the Automated Workflow link to see the workflow that initiated the incident. For more information on viewing incidents, refer to Reviewing Incidents.

 
