- 08 Dec 2022
- 4 Minutes to read
- Automated alert grouping in incidents
- Present number of grouped alerts from the incident grid
- Improved playbook display
- Closing incident reasons
- Enable changing alert classification
- Reports changes
Automated Alert Grouping in Incidents
The CDC alert grouping mechanism groups related alerts into incidents (threats). This gives security analysts better context for the issues they need to handle, speeds up analysis, and reduces the investigation time for similar alerts, because analysts work only with incidents, each of which gathers its alerts.
For example, assume that two alerts are generated within two minutes of each other. The first alert comes from the EDR with information about malware on a host, and the second alert comes from the firewall, reporting that the same host is communicating with a known C&C address. The CDC detects the relationship between these two alerts and groups them into one incident.
As part of this change to grouping, analysts no longer work with individual alerts; the focus is on incidents. Within the Incidents dashboard, you can now get more detailed information about all alerts attached to an incident.
When you click an alert, the Alerts view opens within the Incident view. The alert list contains the following information for each alert:
- Indication that a playbook is waiting for a user action.
- Indication that the alert was updated (for example, the playbook finished running, or the raw data or observables were updated).
Note that you can also filter the alerts by creation time and/or by severity.
Present Number of Grouped Alerts from Incident Grid
You can now see the number of alerts attached to each incident when viewing the incident grid.
A new Alerts column has been added to the Incident grid, showing the number of alerts attached to a particular incident.
- You can filter by the number of alerts.
- You can search by the number of attached alerts (using the Query Language/Advanced Search).
Improved Playbook Display
Playbook stages are now easier to follow. This includes, for example:
- More illustrative playbook step cards.
- Connections between steps.
- Warning icons for steps waiting for user action.
Additionally, when a playbook is opened and changes are made, the playbook is automatically refreshed and there is no need to click Refresh.
Closing Incident Reasons
Beginning with CDC version 3.0, alerts are no longer closed; instead, incidents are closed.
The possible closing reasons are as follows:
- Benign Positive - Suspicious action, but not malicious.
- True Positive - A genuine attack that triggered the alert.
- False Positive - For cases of incorrect values.
- False Positive - For cases of incorrect alert logic.
- Undetermined - Note: this is the only reason that cannot be deleted.
The closing reasons above are the default values. They are all configurable, other than Undetermined, which cannot be changed or removed.
Note: When closing an incident, the closing reason will now be copied to the attached alerts and to the source (SIEM/EDR).
The SLA is now presented per incident rather than per alert.
Incidents are classified and handled according to the alerts they contain. For example, if an incident includes a "High" alert and a "Low" alert, the incident is marked as "High".
When a new "High" alert is attached to a "Low" incident, the incident criticality is changed to "High".
The SLA setting is based on the incident's priority (Settings > SLA). The priority is kept in sync with the priority setting in the CDC (Fields Configuration > Incident > Incident Priority).
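As an added illustration of the grouping scenario above (EDR malware alert followed by a firewall C&C alert on the same host) and of the "highest alert severity wins" criticality rule, the following Python models both. This is example code, not the CDC's implementation: the page does not describe the real grouping criteria, so the shared-host key and the five-minute window are assumptions.

```python
# Added example, not the CDC's own logic: a model of alert-to-incident grouping
# and of incident criticality. Assumed (not stated on the page): alerts group when
# they share a host and arrive within a window; criticality is the highest severity.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

@dataclass
class Alert:
    alert_id: str
    source: str     # e.g. "EDR" or "Firewall"
    host: str
    severity: str
    created: datetime

@dataclass
class Incident:
    incident_id: str
    host: str
    alerts: list = field(default_factory=list)

    @property
    def criticality(self) -> str:
        # Highest-severity alert wins: a "High" alert on a "Low" incident raises it.
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.__getitem__)

def group_alerts(alerts, window=timedelta(minutes=5)):
    """Attach each alert to the open incident for the same host whose latest alert is within `window`; else open a new one."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a.created):
        for inc in incidents:
            if inc.host == alert.host and alert.created - inc.alerts[-1].created <= window:
                inc.alerts.append(alert)
                break
        else:  # no open incident matched: start a new one for this host
            incidents.append(Incident(f"INC-{len(incidents) + 1}", alert.host, [alert]))
    return incidents

# Constructed sample: the page's scenario (EDR malware, then firewall C&C two minutes later) plus an unrelated host.
T0 = datetime(2022, 12, 8, 10, 0)
SAMPLE_ALERTS = [
    Alert("A1", "EDR", "host-17", "Low", T0),
    Alert("A2", "Firewall", "host-17", "High", T0 + timedelta(minutes=2)),
    Alert("A3", "EDR", "host-42", "Medium", T0 + timedelta(minutes=3)),
]

if __name__ == "__main__":
    for inc in group_alerts(SAMPLE_ALERTS):
        print(inc.incident_id, inc.host, inc.criticality, len(inc.alerts))
```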
Enable Changing an Alert's Classification
You can update an alert's classification when you gain a different or new insight into the data. This allows for better analysis of incidents.
You can download rules in CSV format, create the rules, and then upload them back to the platform.
The alert Classification field is in the General alerts tab. The classification can be changed here, and you can add a new classification as well.
If the field is updated and the value matches one of the classification settings in the CDC, the CDC applies the update; otherwise the update is ignored.
Note that updating a classification does not automatically trigger playbooks or the rules mechanism. When the classification is updated, a message is written to the alert's chat and timeline.
Supported New Features and Changes
- Take the alert classification directly from the relevant CDC field, not from an external mapping file.
- Add a new SLA tab to the incident report, based on the new incident SLA.
- Observables - Supports finding all incidents that include all of a short list of selected observables, enabling research into correlations between observables.
- Annotation review (included when analysts perform annotation) - Allows quick review of the alert's closing reason, while showing any observables related to the alert.