Version 3.3
Updated on 30 May 2023
What's new in CDC Version 3.3
May 2023
Highlights
- Automated alerts grouping into an incident
- New incidents grid capabilities
- Improved playbook display
- New incident summary section
- Visible incident header
- Improved observables view
- New reports
Automated Alerts Grouping into an Incident
As part of our threat-centric approach, CDC Version 3.3 allows analysts to work directly with incidents rather than individual alerts.
The CDC alert grouping mechanism automatically bundles related alerts together and presents them as incidents (threats). This gives security analysts better context on the issues they need to handle, speeds up analysis, and reduces the investigation time spent on similar alerts.
For example, assume that two alerts are generated within two minutes of each other. The first alert comes from the EDR, reporting malware on a host; the second comes from the firewall, reporting that the same host is communicating with a known C&C address. The CDC detects these two alerts and groups them together into one incident.
Note: When an alert is attached to an incident using grouping rules, the platform will indicate which grouping rule was used.
SLA Based on Attached Alerts
Service Level Agreements (SLAs) will now be based on alerts attached to an incident.
The incident SLA timer stops when ownership of the incident is taken; the SLAs of the attached alerts stop as well.
Note that if an alert is detached from or attached to an incident, the incident SLA is recalculated from the alerts currently attached to it. The alert with the earliest SLA timeout sets the incident SLA timing, measured from that alert's creation.
Incident Priority Based on Attached Alerts
Incident priority will now be automatically calculated when an alert is attached or detached.
When an alert is attached to an incident and its severity is higher than the incident priority, the incident priority will be updated accordingly.
Closing an Incident
Beginning with CDC Version 3.3, alerts will no longer be closed; incidents will be closed instead.
Note: When closing an incident, the listed reason will now be copied to the attached alerts and to the source (SIEM/EDR).
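As an added illustration (not the CDC's own code), the following Python models the rules described above: a grouping rule that bundles alerts about the same host arriving within a short window and records which rule matched, an incident SLA set by the attached alert with the earliest deadline and recalculated on attach or detach, an incident priority that follows the highest attached severity, and a closing reason that propagates to the attached alerts. The rule condition, the five-minute window, the severity scale, the sample alerts and all field names are assumptions chosen for the example; the product's real grouping rules are configured in the platform and are not described on this page.

```python
"""Illustrative model of the CDC 3.3 incident rules (added example, not product code).

Assumptions: a 'same host within a time window' grouping rule, a four-level
severity scale, and the constructed sample alerts in demo().
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Optional

# Assumed severity scale; incident priority is the highest attached severity.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Alert:
    alert_id: str
    source: str                 # e.g. "EDR", "Firewall" (constructed values)
    host: str
    severity: str
    created: datetime
    sla: timedelta              # time allowed to handle this alert
    closing_reason: Optional[str] = None

    @property
    def sla_deadline(self) -> datetime:
        return self.created + self.sla


@dataclass
class Incident:
    incident_id: str
    alerts: List[Alert] = field(default_factory=list)
    grouping_rule: Optional[str] = None   # which rule attached the last alert
    closed: bool = False
    closing_reason: Optional[str] = None

    @property
    def priority(self) -> Optional[str]:
        """Priority is recalculated from attached alerts: the highest severity wins."""
        if not self.alerts:
            return None
        return max(self.alerts, key=lambda a: SEVERITY_RANK[a.severity]).severity

    @property
    def sla_deadline(self) -> Optional[datetime]:
        """Incident SLA follows the attached alert with the earliest deadline."""
        if not self.alerts:
            return None
        return min(a.sla_deadline for a in self.alerts)


def same_host_within(window: timedelta) -> Callable[[Alert, Incident], bool]:
    """Hypothetical grouping rule: same host, created within `window` of an attached alert."""
    def rule(new: Alert, incident: Incident) -> bool:
        return any(a.host == new.host and abs(new.created - a.created) <= window
                   for a in incident.alerts)
    rule.name = f"same-host-within-{int(window.total_seconds() // 60)}m"
    return rule


def ingest(alert: Alert, incidents: List[Incident], rules) -> Incident:
    """Attach the alert to the first open incident a rule matches, else open a new incident."""
    for incident in incidents:
        if incident.closed:
            continue
        for rule in rules:
            if rule(alert, incident):
                incident.alerts.append(alert)
                incident.grouping_rule = rule.name   # the platform shows which rule was used
                return incident
    incident = Incident(incident_id=f"INC-{len(incidents) + 1}", alerts=[alert])
    incidents.append(incident)
    return incident


def detach(incident: Incident, alert_id: str) -> None:
    """Detaching an alert; SLA and priority are properties, so they recalculate automatically."""
    incident.alerts = [a for a in incident.alerts if a.alert_id != alert_id]


def close_incident(incident: Incident, reason: str) -> None:
    """Closing happens at incident level; the reason is copied to every attached alert."""
    incident.closed = True
    incident.closing_reason = reason
    for a in incident.alerts:
        a.closing_reason = reason


def demo() -> List[Incident]:
    # Constructed sample alerts mirroring the release-note example.
    t0 = datetime(2023, 5, 30, 9, 0, 0)
    edr = Alert("A-1", "EDR", "host-42", "medium", t0, timedelta(hours=4))
    fw = Alert("A-2", "Firewall", "host-42", "high", t0 + timedelta(minutes=2), timedelta(hours=1))
    other = Alert("A-3", "EDR", "host-7", "low", t0 + timedelta(minutes=1), timedelta(hours=8))
    incidents: List[Incident] = []
    rules = [same_host_within(timedelta(minutes=5))]
    for a in (edr, fw, other):
        ingest(a, incidents, rules)
    close_incident(incidents[0], "True positive - contained")
    return incidents


def demo_detach() -> str:
    """Detach the firewall alert from the first incident and return the recalculated SLA."""
    incidents = demo()
    detach(incidents[0], "A-2")
    return incidents[0].sla_deadline.isoformat()


if __name__ == "__main__":
    for inc in demo():
        print(inc.incident_id, [a.alert_id for a in inc.alerts], inc.priority,
              inc.sla_deadline, inc.grouping_rule, inc.closing_reason)
```

Running the module groups A-1 and A-2 into INC-1 (priority high, SLA deadline 10:02 taken from the firewall alert) and puts A-3 into its own INC-2; detaching A-2 moves the INC-1 deadline back to 13:00, the EDR alert's own deadline.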
New Incidents Grid Capabilities
Within the incidents grid, you can now get more relevant information about the incident and the related alerts.
View New Alerts in Incidents
Two columns were added to the Incidents grid, related to alerts within incidents.
- A new Alert updated column will display the last time an alert was attached to an incident.
- A new # Alerts column will present the number of alerts attached to an incident.
Pending User Actions are Easier to Track
When one or more playbooks are pending, the Incident grid now indicates this in a new Pending actions column.
Taking Incident Ownership from the Grid
You can now take ownership of an incident by clicking the + in the Owner column of the Incident grid.
Note: You can take ownership only if the incident has no owner listed and is assigned to the same group as you.
Improved Playbook Display
The stages of each playbook are now presented more clearly. This includes, for example:
- More illustrative playbook step cards
- Connections between steps
- Warning icons for steps waiting for user action
Additionally, when a playbook is opened and changes are made, the playbook will automatically refresh without the need to click Refresh.
New Incident Summary Section
Rather than copying information from an alert into an incident's chat and documenting the incident there, an incident's main information is now presented in a central location.
This lets you see the status quickly and helps you manage the incident and document the information. Others who see the information can understand the status and take action faster as well.
This information is also included in the notification emails that the CDC sends to users, giving a clearer and more complete picture of the incident's status.
Visible Incident Header
The incident header has now been enhanced to be more visible, even when scrolling through lengthy pages.
You can view and update the most important incident information directly in the header.
Improved Observables View
When opening an incident, the Observables tab is now the opening screen rather than the General tab, as observables represent the most crucial information to view.
The enrichment processing status of observables will also now be presented in a clearer way, within the Observables tab.
When clicking on an observable, all relevant details will be clearly displayed, enabling you to more quickly analyze incidents.
Present Reason for Observable Score
You can now see how the observable score was calculated by hovering over the score.
Reports
Support New Features and Changes
- The Alerts report now takes alert classifications directly from the relevant CDC field, and not an external mapping file.
- The Details tab of the Incident report will no longer have a Severity column.
- An SLA tab was added to the Incident report, presenting incident SLAs.
New Reports
- Observables - Supports identifying all incidents that include selected observables from a chosen short list, enabling the research of correlations between observables.
- Annotation Review (included when analysts perform annotations) - Allows for quick review of an alert’s closing reason, while showing any observables related to the alert.
Known Issues/Bug Fixes
All known issues from the previous version were fixed.