Version 2.8
- Updated on 01 Jan 2023
What's new in CDC Version 2.8
August 2022
Highlights
- Automatic alert classification
- Composing playbooks using Azure Logic Apps
- New CTI landscape report
- Autocomplete for alerts and incidents search
- Filter observables by multiple type selection
- Search by date and time
- New observable types
Automatic Alert Classification
You can now group alerts and incidents into categories, to enable better understanding of the types of alerts and incidents arriving in the platform. This is also useful for automations that are triggered based upon the categorization of an alert.
Analysts do not choose the mapping alert by alert as they triage, since that often leads to inconsistent mapping. Alert categorization is therefore now automatic and part of the flow from the moment an alert is created.
As an alert is created, it is automatically categorized and the Classification field in the alert is populated. The Classification field is presented under the General tab in the UI. Historical alerts contain the value Unclassified, as this is a mandatory field.
Composing Playbooks Using Azure Logic Apps
You can now compose playbooks using Azure Logic Apps technology. You can quickly create your own playbook in a visual way, save it, and publish it.
You can choose from basic playbook actions such as:
- Closing an alert
- Adding a tag - in both alerts and incidents
- Assigning an owner
- Adding a message to chat
- Adding evidence
- Attaching an alert to an incident
- Finding similar alerts
- Creating an incident
- Adding/updating a company
- Adding an observable
- Adding MITRE - in both alerts and incidents
You can select the trigger for the playbook as well. The available triggers will be alert created, with the ability to filter by name, use case or type, and incident created, with the ability to filter by name or type.
New CTI Landscape Report
By default, CDC 2.8 deployments will include a new report on CTI Landscape.
The report is based on CyberProof Feed alerts that are automatically ingested into the CDC, ensuring consistent documentation of CTI alerts and supporting effective communication between security teams by providing proactive intelligence.
The report interface includes two tabs, Summary and Correlation:
- The Summary tab gives an overview of key information about the CTI Landscape alerts received. This data supports informed decisions on mitigation tactics, allowing both analysts and the client to prioritize their workload of mitigating new threats.
- The Correlation tab provides additional data from the CTI landscape report. Clicking an IOC observable automatically displays the correlated SOC alerts. These alerts were triggered based on the early CTI alert notification, which widens the scope of the threats that can be detected and adds intelligence context.
You can read details about this report here: CTI Landscape Report.
For full reports release notes, see here: Reports Release Notes
Autocomplete for Alerts and Incidents Search
The Query Language (QL) search now supports autosuggestions of parameter names from a drop-down list. Autosuggestions are available for valid collections, fields, and operators when using the QL search.
Notes:
- Clicking in the search box opens a drop-down list of queries you can choose from.
- The queries are kept when you log out or refresh.
Filter Observables by Multiple Type Selection
You can now filter observables using a multiple type selection. Filtering by multiple observable types provides more accurate information and increases observables' visibility. You can also add/remove values from this field.
Search by Date and Time
You can now search by date and time, for more focused results.
The table below details the various entities in the platform, and what you can search by for each.
| Search Entity | Search By |
|---|---|
| Alerts | Creation Date and Time, Detection Date and Time, Modified Date and Time, SLA, Close Date and Time |
| Incidents | Creation Date and Time, Modified Date and Time, Close Date and Time |
| Observables | Creation Date and Time |
| Messages | Time |
Notes:
- You can also search only by date. When doing so, the time will be 00:00:00.
- The date format is yyyy-mm-dd. You can search by your local time zone, as defined in your settings.
- The date & time format is yyyy-mm-dd hh:mm:ss.
- You can search using different time fields in the same query. For example: creation time < 2021-01-01 AND detection time < 2021-04-09.
- You can use QL comparison operators such as `<`, `>`, `<=`, and `>=`.
- You can search by date and time in any time zone. The CDC converts the local time to UTC time and back.
- Results are returned ordered from the latest date and time to the earliest.
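To make the date and time rules above concrete, the following added example (not CDC code) models a QL date filter: date-only values get 00:00:00, the analyst's local time is converted to UTC before comparing, several time fields can be combined with AND, and results come back latest first. The local time zone is modelled as a fixed UTC offset, the alert records and field names are constructed for the example, and the comparison operators are the ones the notes list.

```python
import operator
import re
from datetime import datetime, timedelta, timezone
# QL comparison operators named in the release notes, mapped to Python comparisons.
OPS = {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}
# One QL term: "<field> time <op> yyyy-mm-dd[ hh:mm:ss]"; terms are joined with AND.
TERM = re.compile(r"^(\w+ time)\s*(<=|>=|<|>)\s*(\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2}:\d{2})?)$")

def parse_ql_time(value: str, local_offset_hours: int) -> datetime:
    """Parse a date or date-time typed in the analyst's local zone and return it in UTC.
    A date-only value gets 00:00:00. The local zone is modelled as a fixed UTC offset
    (an assumption made for this example; the real setting is the user's time zone)."""
    fmt = "%Y-%m-%d %H:%M:%S" if " " in value else "%Y-%m-%d"
    local_tz = timezone(timedelta(hours=local_offset_hours))
    return datetime.strptime(value, fmt).replace(tzinfo=local_tz).astimezone(timezone.utc)

def parse_query(query: str, local_offset_hours: int) -> list:
    """Split 'field OP value AND field OP value' into (field, compare_fn, utc_datetime) terms."""
    terms = []
    for raw in query.split(" AND "):
        m = TERM.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported QL term: {raw!r}")
        field, op, value = m.groups()
        terms.append((field, OPS[op], parse_ql_time(value, local_offset_hours)))
    return terms

def search_alerts(alerts: list, query: str, local_offset_hours: int = 0) -> list:
    """Return ids of alerts matching every term, ordered latest creation time first."""
    terms = parse_query(query, local_offset_hours)
    hits = [a for a in alerts if all(fn(a[field], ts) for field, fn, ts in terms)]
    hits.sort(key=lambda a: a["creation time"], reverse=True)
    return [a["id"] for a in hits]

def utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)

# Constructed sample alerts; the platform keeps timestamps in UTC, as the notes say.
ALERTS = [
    {"id": "A-0", "creation time": utc(2020, 11, 15, 8, 0), "detection time": utc(2020, 11, 14, 20, 0)},
    {"id": "A-1", "creation time": utc(2020, 12, 30, 10, 0), "detection time": utc(2020, 12, 30, 9, 0)},
    # 23:00 UTC on 31 Dec is already 01:00 on 1 Jan for an analyst working in UTC+2.
    {"id": "A-2", "creation time": utc(2020, 12, 31, 23, 0), "detection time": utc(2020, 12, 31, 22, 0)},
    {"id": "A-3", "creation time": utc(2021, 3, 1, 12, 0), "detection time": utc(2021, 5, 1, 12, 0)},
]

if __name__ == "__main__":
    q = "creation time < 2021-01-01 AND detection time < 2021-04-09"  # the example query from the notes
    print(search_alerts(ALERTS, q, local_offset_hours=2))  # ['A-1', 'A-0']
    print(search_alerts(ALERTS, q))                        # ['A-2', 'A-1', 'A-0']
```

The same query returns a different set depending on the analyst's time zone, which is why the UTC conversion matters when comparing results across teams.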
New Observable Types
New observable types are now added to the Observables list automatically, so they no longer have to be added manually.
When the platform recognizes a type that is not yet defined in the Observables type list, the type is added to the list automatically.
You can see this in:
- Settings (Settings > Fields Configuration > Observables).
- The Observables tab.
- The Observables preview.
Bug Fixes
- Missing "Open in new tab" option, when using mouse right-click on the pages in the left menu (CYB-15974).
- On the homepage, two scrolls are present on the same page (CYB-15656).
- Raw Data page disappears if the alert name is too long (CYB-15444).
Known Issues
- Search QL - parser does not support search by alertExtraProperties if the property value is a date (CYB-15731).
- Global search - search results for an incident with attached alerts and focus are not kept (CYB-16318).
- Search QL - search with a username in lowercase is not working (CYB-16164).