Release Notes 6.1.5
New Features
The following new features have been added to this Release:
Cases
SLA by Case Stage now supported (ID #11189)
You can now sort and order the Case Queue according to the SLA by Case Stage.
To support this, two new sort options have been added:
Sort by Case Stage SLA (Longest to Shortest)
Sort by Case Stage SLA (Shortest to Longest)
Alerts
Webhooks as a new way to ingest Alerts
From this Release onwards, in addition to using Connectors to ingest Alerts into Siemplify, you can now use Webhooks instead.
Webhooks provide an easy, lightweight method for situations where a Connector is not available or convenient. Webhooks can be set up for the same platforms as Connectors, such as Splunk or CrowdStrike.
For full information on Setting up and using Webhooks, refer to Working with Webhooks and Setting up a Webhook.
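Because a webhook is an endpoint that anyone who can reach it may POST to, the first check a practitioner wants on any alert-ingestion webhook is that the request really came from the configured platform. The following is an added example of that check, not code from the release or from Siemplify: it verifies an HMAC-SHA256 signature over the raw body before the body is parsed, then applies a minimal shape check. The header name, the shared secret and the required alert fields are assumptions for illustration; Siemplify's own webhook authentication is described in Setting up a Webhook.

```python
import hashlib
import hmac
import json

# Constructed shared secret. The HMAC-over-body scheme is a generic webhook
# pattern used here for illustration, not Siemplify's documented mechanism.
SHARED_SECRET = b"example-shared-secret-rotate-me"
SIGNATURE_HEADER = "X-Signature-SHA256"   # assumed header name


def sign_body(secret: bytes, body: bytes) -> str:
    """What the sending platform would put in the signature header."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def accept_webhook(secret: bytes, body: bytes, headers: dict):
    """Return the parsed alert dict if the request is authentic and well-formed,
    otherwise None. The signature is checked before parsing, so an
    unauthenticated body never reaches the JSON parser."""
    presented = headers.get(SIGNATURE_HEADER, "")
    # constant-time compare: a plain == would leak how long the matching prefix is
    if not hmac.compare_digest(sign_body(secret, body).encode(), presented.encode()):
        return None
    try:
        alert = json.loads(body)
    except ValueError:
        return None
    # constructed minimal shape: an alert must have a name and a list of events
    if not isinstance(alert, dict) or not alert.get("name") \
            or not isinstance(alert.get("events"), list):
        return None
    return alert


if __name__ == "__main__":
    # constructed sample payload as a platform might send it
    body = json.dumps({"name": "Suspicious login", "events": [{"user": "bob"}]}).encode()
    headers = {SIGNATURE_HEADER: sign_body(SHARED_SECRET, body)}
    print("accepted" if accept_webhook(SHARED_SECRET, body, headers) else "rejected")
```

The signature is computed over the exact bytes received, so any change to the body (even trailing whitespace) or a request with no signature header is rejected before parsing.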
Maximum Size for Alert Configurability
In order to configure the maximum size for an alert, three new parameters have been added to the database:
Max_Alert_Size – Default (and maximum) size is two million characters.
Max_Fields_Per_Event – Default (and maximum) size is 100
Max_Events_Per_Alert – Default (and maximum) size is 50
An alert that exceeds Max_Alert_Size is automatically trimmed. If it is still too big, its fields and events are trimmed down to the limits above. An alert ingested into a case may therefore not contain all of the original information. The defaults above are also the maximums, so these parameters can only be lowered.
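To make the effect of these three limits concrete, here is an added example (not Siemplify's code) that applies them to an alert represented as a dict and reports what was lost. The order of operations (cap the number of events, cap the fields per event, then drop further events until the character cap is met) and the use of compact JSON length as the unit for Max_Alert_Size are assumptions for illustration.

```python
import json

# Constructed defaults mirroring the three database parameters from the notes.
MAX_ALERT_SIZE = 2_000_000       # Max_Alert_Size, in characters
MAX_FIELDS_PER_EVENT = 100       # Max_Fields_Per_Event
MAX_EVENTS_PER_ALERT = 50        # Max_Events_Per_Alert


def alert_size(alert: dict) -> int:
    """Size of the alert in characters when serialised as compact JSON
    (assumed unit of measurement for Max_Alert_Size)."""
    return len(json.dumps(alert, separators=(",", ":")))


def trim_alert(alert: dict, max_size=MAX_ALERT_SIZE,
               max_fields=MAX_FIELDS_PER_EVENT,
               max_events=MAX_EVENTS_PER_ALERT):
    """Return (trimmed_alert, report). The order (cap events, cap fields per
    event, then drop events from the end until the character cap is met) is an
    illustrative reading of the notes, not Siemplify's implementation."""
    report = {"events_dropped": 0, "fields_dropped": 0, "truncated": False}
    events = list(alert.get("events", []))
    if len(events) > max_events:
        report["events_dropped"] = len(events) - max_events
        events = events[:max_events]
    kept = []
    for event in events:
        if len(event) > max_fields:
            items = list(event.items())          # keeps insertion order
            report["fields_dropped"] += len(items) - max_fields
            event = dict(items[:max_fields])
        kept.append(event)
    trimmed = dict(alert, events=kept)
    while alert_size(trimmed) > max_size and trimmed["events"]:
        trimmed["events"].pop()                  # drop from the end of the list
        report["events_dropped"] += 1
        report["truncated"] = True
    return trimmed, report


if __name__ == "__main__":
    # constructed oversized alert: 60 events of 120 fields each
    big = {"id": 1, "events": [{f"f{i}": i for i in range(120)} for _ in range(60)]}
    trimmed, report = trim_alert(big)
    print(len(trimmed["events"]), "events kept;", report)
```

The report is the part worth keeping in practice: if an alert is routinely trimmed, the analyst sees a case that is missing events, and only the ingestion side knows how many.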
Playbooks
Timeout added for Playbook Manual Actions
When assigning manual actions to users as part of a Playbook step, you can now add a time frame by which they have to respond to this action. You can add the time to respond in days, hours and/or minutes.
You can also decide to skip the step if the user hasn’t responded in time and use the “If previous step failed condition” to determine how to proceed. For example, you might decide to give your end user 30 minutes to approve blocking a malicious IOC and once that time has passed - the next step will escalate the action to a SOC manager.
This Time to Respond timer will appear in the Pending Actions widget on your Homepage and in the Cases Overview tab.
The Time to Respond field is disabled by default to support backwards compatibility. You can search through your Playbooks and add a value for the Time to Respond field where needed.
Async Actions with configurable timeouts: Phase One (ID #2389, #6166)
Users with IDE permissions can now create async custom actions with configurable timeouts.
Previously the timeouts could only be configured in the Global Config settings in the DB. Now, async custom actions can be configured in the IDE and changed afterwards in the individual Playbook step.
Synchronous and asynchronous actions are configured with different timeouts. For async actions you can configure three values: the script timeout, which bounds each individual push request; the polling interval, which is how long to wait before trying again; and the overall timeout, after which the action stops trying altogether. For sync actions, as before, you configure only the script timeout, and only in minutes and seconds.
Phase one of this feature only applies to Custom Actions. Phase two will cover Commercial actions.
For more information, please refer to How do I configure timeouts for Playbook Async actions.
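The interaction of the three async timeouts is easiest to see in a run. The following is an added example, not Siemplify's action runner: it drives a simulated push/poll loop against a fake clock so the three outcomes (completed, killed by the script timeout, abandoned at the overall timeout) can be reproduced without waiting. How a script timeout on one request affects the whole action, and exactly when the overall timeout is checked, are assumptions made for the example and are noted in the docstring.

```python
from dataclasses import dataclass


@dataclass
class FakeClock:
    """Deterministic stand-in for wall-clock time so the run needs no sleeping."""
    now: float = 0.0

    def sleep(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class AsyncOutcome:
    status: str      # "completed", "script_timeout" or "overall_timeout"
    attempts: int    # number of push/poll requests that were made
    elapsed: float   # simulated seconds from the first request to the outcome


def to_seconds(days=0, hours=0, minutes=0, seconds=0):
    """Convert the days/hours/minutes style used in the Playbook UI to seconds."""
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def run_async_action(poll, script_timeout, polling_interval, overall_timeout, clock):
    """Drive one async action to completion or to one of its two timeouts.

    poll(attempt_number) simulates a single push/poll request and returns
    (done, duration_seconds). Assumptions, not Siemplify's engine:
      - a request running longer than script_timeout is killed and fails the action;
      - after an unfinished request the runner waits polling_interval before the next;
      - it stops when the next request could not start before overall_timeout.
    """
    start = clock.now
    attempts = 0
    while True:
        attempts += 1
        done, duration = poll(attempts)
        if duration > script_timeout:
            clock.sleep(script_timeout)
            return AsyncOutcome("script_timeout", attempts, clock.now - start)
        clock.sleep(duration)
        if done:
            return AsyncOutcome("completed", attempts, clock.now - start)
        if clock.now - start + polling_interval >= overall_timeout:
            return AsyncOutcome("overall_timeout", attempts, clock.now - start)
        clock.sleep(polling_interval)


def completes_on(n, duration=2.0):
    """Build a constructed poll function that reports done on the n-th request."""
    return lambda attempt: (attempt >= n, duration)


if __name__ == "__main__":
    clock = FakeClock()
    outcome = run_async_action(completes_on(3), to_seconds(minutes=5),
                               to_seconds(seconds=10), to_seconds(hours=1), clock)
    print(outcome)
```

With a 5-second script timeout, a 10-second polling interval and a 60-second overall timeout, a request that completes on the third attempt finishes after 26 simulated seconds; a request that never completes is abandoned after the fourth attempt rather than started a fifth time past the overall limit.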
Pending Action Widget Enhancement
Previously, when there were no actions waiting for user input, the widget did not display at all in the Case/Alert View. Now, when defining the widget in the customized or default views, a new toggle allows you to display the widget even when there is no pending action to show.
Authentication
Enhanced User Authentication
From this version on, users identify and authenticate themselves rather than having an admin choose a password on their behalf. After an admin adds a new internal user, an invitation is sent to the user's email address; to start using the system, the user must accept the invitation and then set their own password. Note that SAML users also receive an invitation but can log in to the system at any time without setting a password, since they authenticate through their identity provider.
Customers must either move to Siemplify's SMTP or make sure that their email settings are correct in order for users to receive the invite emails.
SAML and LDAP User Accounts no longer disabled after 90 days (ID #7534, #8095, #9164, #9271, #9756)
Customers authenticating users via SAML or LDAP, including those enforcing MFA through their identity provider, are no longer bound by Siemplify's 90-day expiration policy.
Admin Tasks
New option for Forgot Password
From now on, when an internal user forgets their password, they are no longer locked out of the system and dependent on an admin to change it for them.
The login screen now shows a Forgot Password link. The user clicks through, receives an email, and is directed from that email to a secure page where they set a new password.
This feature is for internal users only.
New options for Email Settings
You can now choose to have system emails sent from the default Siemplify SMTP settings or from your own customer settings. The selection is made from the Settings > Email Settings screen.
Upload License only by specific users
Only Admin users, or users granted the specific permission, can upload a new license to the Platform.
Login with Email for SAML users
For the new Login with Email feature, make sure that the user identifier sent by the SAML identity provider matches the user's email attribute in Siemplify.
Customizable Landing Pages
From this version on, the admin can now define landing pages at a more granular level according to the Permission group the users belong to from the Settings > Permissions screen.
To support this feature, the Landing Page on Login section from the Settings > General page has been removed. For users upgrading from a previous version, all the permission groups' landing pages will be set to the value that was previously in the Settings > General page.
It's recommended to go through each Permission group and change the landing page as required.
For more information, please refer to Define Landing Page on Login.
Entities
Add/Edit Entity Properties Enhancements
Users can now add or edit entity properties directly from multiple screens such as case overview, investigator, or entity explorer instead of running a manual action. For more information, please refer to Add/Edit Entity Properties.
Marketplace and Integrations
Integrations on Shared Instances can now be configured on Remote Agents
As such, a new Remote Agent option has been added to the Integrations Shared Instances screen.
Ability not to override custom IDE items
With this Release, when updating an Integration, if the name of one of its connectors, jobs, or managers matches the name of an existing custom IDE item, you are given the choice of renaming the existing custom item or allowing the new Integration to overwrite it.
Use Case New Ontology Rules
When installing integrations as part of Use Cases, ontology will also be installed if available.
If there is a conflict between the new mapping and modeling rules and the existing ones, the user can decide whether or not to override the existing rules.
Platform
Blacklist/Whitelist changed to Blocklist/Allowlist
In order to comply with industry-wide changes, the terms Blacklist and Whitelist have been replaced throughout the platform and API endpoints with the terms Blocklist and Allowlist. System functionality has not been affected by this change. Since the API endpoints are renamed, check any custom scripts or API clients for references to the old names.
Exposing Context Key Values
Previously, context key values were stored only in the database, so customers had no way of knowing which keys were available. Now, context key values are displayed both as placeholders and in the side drawer that opens on the right of the Cases screen. For example, when you set a new key and value for an Alert with the Set_Context_Value action under Siemplify Tools, the key now appears as a placeholder under Alert and can be used in the Get_context_value action.
For more information, please refer to Allow Access to other Environments.
Nginx updated to latest version
Nginx has now been updated to the latest version in the Platform.
Non Mandatory Dynamic Parameters (ID #8492)
In the Settings > Environments screen, the Admin can now add dynamic parameters which are non mandatory and as such do not need to have the default value defined. For example, an Admin can choose to add a dynamic parameter for a secondary emergency contact.
User Notification Enhancement
User notifications now take the user to the exact part of the screen that the notification relates to.
Support for Microsoft Edge
Siemplify now supports the Microsoft Edge browser starting from Version 96.
Full Support for RHEL 7.9
Siemplify platform now supports RHEL 7.9 (this does not apply to Publisher/Agents or Tableau)
Dates added to Log Files (ID #6992)
From now on, log files in /var/log/siemplify/ include the date in YYYY-MM-DD format.
User files with potentially risky file extensions marked as "not safe"
All files downloaded by the user with one of the following file extensions are automatically marked as not safe. This is to raise user awareness of security issues; the marking is based on the file extension only.
.bat
.bin
.cmd
.exe
.sh
.run
.jar
.vb
.app
.scr
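Because the marking is extension-based, the details that matter are how the extension is derived from a download name: case, path separators, trailing dots, and double extensions such as invoice.pdf.exe. The following is an added example (not Siemplify's code) of such a check over exactly the list above; the normalisation rules are assumptions chosen to cover those cases.

```python
import ntpath
import posixpath

# The exact list from the release notes, normalised to lower-case with a dot.
NOT_SAFE_EXTENSIONS = frozenset(
    "." + e for e in ("bat", "bin", "cmd", "exe", "sh", "run", "jar", "vb", "app", "scr")
)


def last_extension(filename: str) -> str:
    """Final extension of a download name, lower-cased, with path components
    (POSIX or Windows) and trailing dots/spaces removed. Only the last
    extension counts, so 'invoice.pdf.exe' yields '.exe' (assumed rule)."""
    name = ntpath.basename(posixpath.basename(filename)).rstrip(" .")
    return posixpath.splitext(name)[1].lower()


def is_marked_not_safe(filename: str) -> bool:
    """True when the download would be marked 'not safe' by extension."""
    return last_extension(filename) in NOT_SAFE_EXTENSIONS


if __name__ == "__main__":
    # constructed download names
    for name in ("Setup.EXE", "invoice.pdf.exe", "C:\\Users\\a\\run.cmd",
                 "/home/a/deploy.sh", "tool.jar.", "notes.txt", "script.ps1"):
        print(f"{name!r:28} not safe: {is_marked_not_safe(name)}")
```

Note that only the listed extensions are flagged: a download named script.ps1 or macro.vbs is not marked by this check, which is the same limitation as any extension-based awareness marking.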