Version 3.2
02 Apr 2025

What's new in CDC Version 3.2

February 2023

Highlights

  • Automated alerts grouping into an incident
  • New incidents grid capabilities
  • Improved playbook display
  • Enhanced observables display
  • New observables report

Automated Alerts Grouping into an Incident

As part of our threat-centric approach, CDC Version 3.2 allows analysts to work directly with incidents rather than individual alerts.

The CDC alert grouping mechanism automatically groups alerts together into incidents (threats). This gives security analysts better context for the issues they need to handle, speeds up analysis, and reduces investigation time for similar alerts, since analysts work only with incidents, each of which gathers its related alerts.

For example, let's assume that two alerts are generated in two minutes. The first alert comes from the EDR with information about malware on a host, and the second alert comes from the firewall with the same host communicating with a known C&C address. The CDC will then detect these two alerts and group them together into one incident.

Note: When an alert is attached to an incident using grouping rules, the platform will indicate which grouping rule was used.

SLA Based on Attached Alerts

Service Level Agreements (SLAs) will now be based on alerts attached to an incident.

The incident SLA stops when ownership of the incident is taken; the SLAs of its attached alerts stop as well.

Note that if an alert is detached from or attached to an incident, the SLA is recalculated based on the alerts currently attached to the incident. The alert with the earliest SLA timeout sets the incident SLA, timed from that alert's creation.

Incident Priority Based on Attached Alerts

Incident priority will now be automatically calculated when an alert is attached or detached.

When an alert is attached to an incident and its severity is higher than the incident priority, the incident priority will be updated accordingly.
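The SLA and priority rules above (earliest alert timeout sets the incident SLA from that alert's creation, SLA stops on ownership, priority follows the highest attached severity and is recomputed on attach and detach) as an added worked example in Python. This is illustrative code, not the CDC platform's own implementation; the severity ordering, the per-alert `sla` field and the sample alerts are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Severity ordering is an assumption; the notes only say a "higher" severity raises priority.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Alert:
    id: str
    source: str          # e.g. "EDR" or "firewall", as in the grouping example
    host: str
    severity: str
    created: datetime
    sla: timedelta       # per-alert SLA window (assumed to be carried on the alert)

@dataclass
class Incident:
    id: str
    alerts: list = field(default_factory=list)
    owner: Optional[str] = None

    def attach(self, alert: Alert) -> None:
        self.alerts.append(alert)
    def detach(self, alert_id: str) -> None:
        self.alerts = [a for a in self.alerts if a.id != alert_id]
    def priority(self) -> Optional[str]:
        # Recomputed from the alerts currently attached, so attach and detach both update it.
        if not self.alerts:
            return None
        return max(self.alerts, key=lambda a: SEVERITY_RANK[a.severity]).severity
    def sla_deadline(self) -> Optional[datetime]:
        # None once ownership is taken (SLA stopped); otherwise the earliest alert
        # timeout wins, counted from that alert's own creation time.
        if self.owner is not None or not self.alerts:
            return None
        return min(a.created + a.sla for a in self.alerts)

# Constructed sample: the two alerts from the grouping example, two minutes apart on one host.
T0 = datetime(2023, 2, 1, 9, 0)
SAMPLE_ALERTS = [
    Alert("A-1", "EDR", "host-42", "medium", T0, timedelta(hours=4)),
    Alert("A-2", "firewall", "host-42", "high", T0 + timedelta(minutes=2), timedelta(hours=1)),
]

def build_incident(alerts=SAMPLE_ALERTS) -> Incident:
    inc = Incident("INC-1")
    for a in alerts:
        inc.attach(a)
    return inc
```

Detaching `A-2` drops the priority back to `medium` and moves the deadline to `A-1`'s timeout; setting `owner` stops the SLA.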

Closing an Incident

Beginning with CDC Version 3.2, alerts will no longer be closed; incidents will be closed instead.

Note: When closing an incident, the listed reason will now be copied to the attached alerts and to the source (SIEM/EDR).

New Incidents Grid Capabilities

Within the incidents grid, you can now get more relevant information about the incident and the related alerts.

View New Alerts in Incidents

Two columns were added to the Incidents grid, related to alerts within incidents.

  • A new Alert updated column will display the last time an alert was attached to an incident.
  • A new # Alerts column will present the number of alerts attached to an incident.

Pending User Actions are Easier to Track

When one or more playbooks are pending, the Incident grid now indicates this in a new Pending actions column.

Taking Incident Ownership from the Grid

You can now take ownership of an incident by clicking the + in the Owner column of the Incident grid.

Note: You will be able to take ownership only if there is no owner listed on the incident, and if the incident is assigned to the same group as the user.

Improved Playbook Display

Playbook stages can now be more easily seen. This includes, for example:

  • More illustrative playbook step cards.
  • Connections between steps.
  • Warning icons for steps waiting for user action.

Additionally, when a playbook is opened and changes are made, the playbook will automatically refresh without the need to click Refresh.

Enhanced Observables Display

When clicking on an observable, all relevant details will be clearly displayed, enabling you to more quickly analyze incidents.

Present Reason for Observable Score

You can now see how the observable score was calculated by hovering over the score.

Reports

Support New Features and Changes

  • The Alerts report now takes alert classifications directly from the relevant CDC field, and not an external mapping file.
  • The Details tab of the Incident report will no longer have a Severity column.
  • An SLA tab was added to the Incident report, presenting incident SLAs.

New Reports

  • Observables - Identifies all incidents that include selected observables from a chosen short list, enabling research into correlations between observables.
  • Annotation Review (included when analysts perform annotations) - Allows quick review of an alert's closing reason while showing any observables related to the alert.

Known Issues/Bug Fixes

All known issues from the previous version were fixed.
