Dynamic Case Overview
The Cases screen has undergone a dramatic change in both look and feel and functionality.
The Case screen now displays different information in separate tabs, in a clearer, easier-to-read manner, enabling the analyst to understand and work with the Case more efficiently.
Case Overview
The Case Overview is now in a separate tab from the Alert Overview, and each tab displays information related either to the overall Case or to the specific Alert (and, of course, information on the attached Playbook).
The Case Overview is defined by default by Siemplify but can be customized by the Admin in a new screen called Default Case Overview, which can be found in the > Views option.
In the Default Case Overview you can choose which of the following widgets you want to use in order to display general information on the Case.
- Alerts: This widget displays information on all the alerts that are grouped into this case, including name, number of events, and priority.
- Case Description: This widget enables the analyst to write a unique description for each case once it is ingested.
- Entities Highlights: This widget displays the highlighted fields for each entity involved in the alert.
- Latest Case wall activity: This widget displays the selected case wall activities over a selected period of time.
- Pending Actions: This widget displays actions that are waiting for your input.
- Recommendations: This widget displays similar cases and the recommended analysts and tags to assign to the case.
- Statistics: This widget displays the distribution of selected Entity fields.
- HTML: In this widget, you can use HTML code for creating insights as well as use placeholders to ‘inject’ relevant information from the alerts. You have the option to return safe code that excludes potentially malicious JavaScript.
- Insights: This widget contains all the Insights from the Playbook insights actions, general insights and any other insights you have added. They will be presented in HTML format.
- Key Value: This widget allows you to choose specific bits of information that come from various sources and display them in the view. For example: Key: Product, Value: [Alert.Product]
- Free Text: This widget enables the user to add free text to be displayed for the Alert/Playbook.
- Entities Graph: This widget contains a visual graph and other details of the Case Entities.
Alert Overview
Alert views can now be managed in one of two ways. The default Overview can be defined by the Admin in the Default Alert Overview screen which can be found in the > Views option. The Default Alert Overview will be displayed for all Alerts that don’t have Playbooks attached.
The second and more valuable way is that you can now define customized Alert views for different SOC roles through the Playbook Designer. This gives you greater flexibility in showing different information to different users. For example, for one type of user you might want to show certain enrichments and insights from the Playbook, and for another you might want to show more advanced JSON results from the Playbook.
The customized alert views can be added from the Playbook Designer screen. Once you have added a customized alert view, it overrides the default alert view for all users in that specific role. Each Alert can have only one Playbook attached automatically. The views are created using drag and drop widgets.
You can choose which of the following widgets you want to use in order to display information on the Alert.
- Entities Highlights (also available in the Default Alert View screen): This widget displays the highlighted fields for each selected entity.
Currently, there are two ways to highlight a field.
- From the Explore screen, choose the entity and click Add to Highlight.
- Navigate to Settings > Data Configuration > Properties Metadata, select a field and mark as highlighted.
In future versions, you will be able to highlight a field directly from the widget itself.
You can reach all fields through this widget, including non-highlighted ones by clicking on View More.
- HTML (also available in the Default Alert View screen): In this widget, you can use HTML code for creating insights as well as use placeholders to ‘inject’ relevant information from the playbook results. You have the option to return safe code that excludes potentially malicious JavaScript.
- Key Value (also available in the Default Alert View screen): This widget allows you to choose specific bits of information that come from various sources and display them in the view. For example: Key: Product, Value: [Alert.Product]
- Free Text (also available in the Default Alert View screen): This widget enables the user to add free text to be displayed for the Alert/Playbook.
- Events Table (also available in the Default Alert View screen): This widget displays all Alert events and their properties. Choose up to 6 fields to be displayed in the table.
- Entities Graph (also available in the Default Alert View screen): This widget contains a visual graph and other details of the Case Entities.
- Entities Highlights: This widget displays the highlighted fields for each selected entity. You can reach all fields through this widget, including non-highlighted ones by clicking on View More.
- JSON Result: The JSON widget is used to present the data source based on the Playbook placeholder in an expandable JSON component.
- Pending Actions: This widget lists all playbook actions waiting for user input. The analyst can now see at a glance what they need to do in order for the Playbook to carry on running.
- Insights: This widget contains all the Insights from the Playbook insights actions, general insights and any other insights you have added. They will be presented in HTML format.
Note that when exporting/importing Playbooks the custom views will be attached.
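The HTML and Key Value widgets above both substitute placeholders such as [Alert.Product] into markup that is then rendered in the analyst's browser, and the HTML widget offers a "safe code" option. Alert fields are attacker-influenced data (a process name, a URL, a user agent), so the security-relevant question is what happens when such a value carries markup. The following is an added illustration of the two defensive steps a safe mode implies, written in Python as a stand-alone example; it is not Siemplify's implementation and its allowlist of tags, the field names and the sample alert values are all constructed for the example. Step one escapes every placeholder value as text, so a value can never become an element. Step two rebuilds the resulting markup through an allowlist, dropping script elements, event-handler attributes and javascript: URLs that could have arrived in the template itself (for instance through an imported Playbook view), and records what it dropped so the removal can be logged.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a widget template using the page's [Alert.Field]
# placeholder syntax, and an alert whose Product field carries markup.
TEMPLATE = "<h3>Product: [Alert.Product]</h3><p>Host: [Alert.Host]</p>"
ALERT = {
    "Alert.Product": "<img src=x onerror=alert(1)>EDR",
    "Alert.Host": "ws-042",
}

PLACEHOLDER = re.compile(r"\[([A-Za-z0-9_.]+)\]")

# Assumed allowlist for an insight widget: simple text structure and links only.
ALLOWED_TAGS = {"b", "i", "strong", "em", "p", "br", "h3", "ul", "li",
                "a", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}


def _safe_url(url):
    """Accept only relative, http(s) or mailto targets; reject javascript:,
    data: and friends, including variants padded with whitespace/control chars."""
    cleaned = re.sub(r"[\s\x00-\x1f]", "", url or "").lower()
    return urlsplit(cleaned).scheme in ("", "http", "https", "mailto")


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags and attributes; everything else is dropped
    and recorded in self.dropped for auditing."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []
        self._skipping = None  # set while inside a dropped script/style body

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            if tag in ("script", "style"):
                self._skipping = tag
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")      # e.g. onerror, onclick
                continue
            if name == "href" and not _safe_url(value):
                self.dropped.append(f"{tag}@{name}={value}")
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self._skipping:
            self._skipping = None
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skipping:
            return  # script/style bodies are discarded entirely
        self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions fall through to the
    # HTMLParser defaults, which emit nothing, so they are dropped too.


def sanitize(markup):
    """Return (clean_markup, list_of_dropped_items)."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped


def render(template, fields, safe=True):
    """Substitute [Alert.Field] placeholders. Values are always escaped as
    text; in safe mode the whole result is additionally passed through the
    allowlist so markup in the template cannot carry script either."""
    filled = PLACEHOLDER.sub(
        lambda m: html.escape(str(fields.get(m.group(1), "")), quote=True),
        template,
    )
    if not safe:
        return filled
    clean, _dropped = sanitize(filled)
    return clean


if __name__ == "__main__":
    print(render(TEMPLATE, ALERT))
    print(sanitize('<p onclick="x">hi</p><script>steal()</script>'
                   '<a href="javascript:alert(1)">l</a>'))
```

The design choice worth noting is that escaping placeholder values and sanitizing the template are separate controls for separate trust boundaries: values come from ingested alerts, the template from whoever authors or imports the view. A regex that strips `<script>` handles neither reliably; re-emitting through a parser with an allowlist is the approach real sanitizers take, and in production a maintained library should replace this illustration.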
New Case Chat Option
We have added a new Chat feature so you can now talk to all the users that have permissions on the case and get timely replies at the click of a button. For more information, see Instant Messaging on a Case.
Case Queue Compact View
We have redesigned the case queue so you now have the option of viewing many cases at the same time without missing out on essential information for each case.
Bulk Close Case Support
You can now close multiple cases from the Case Queue.