New Features

The following new features have been added to this Release:

Cases

SLA by Case Stage now supported (ID #11189)

You can now sort and order the Case Queue according to the SLA by Case Stage.

To support this, two new sort options have been added:

  • Sort by Case Stage SLA (Longest to Shortest)

  • Sort by Case Stage SLA (Shortest to Longest)

Alerts

Webhooks as a new way to ingest Alerts

From this Release onwards, in addition to using Connectors to ingest Alerts into Siemplify, you can now use Webhooks instead. 

Webhooks provide an easy, lightweight method for customers to use in situations where Connectors are not available or convenient. The Webhooks can be set up for the same platforms, such as Splunk or Crowdstrike. 

For full information on Setting up and using Webhooks, refer to Working with Webhooks and Setting up a Webhook.

Maximum Size for Alert Configurability

In order to configure the maximum size for an alert, three new parameters have been added to the database:

  • Max_Alert_Size – Default (and maximum) size is two million characters.

  • Max_Fields_Per_Event – Default (and maximum) size is 100.

  • Max_Events_Per_Alert – Default (and maximum) size is 50.

Alerts larger than Max_Alert_Size are automatically “trimmed”. If the alert is still too large, its fields and events are “trimmed” as well. The alert ingested into the case might therefore not contain all of the original information.
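The following added Python example (not Siemplify's own trimming code; the order in which the limits are applied and the use of JSON length as the character count are assumptions) pre-checks a raw alert against the three limits and reports what would be dropped, so you can see before ingestion whether a case will be missing data:

```python
import json

# Defaults from the release notes for the three database parameters
MAX_ALERT_SIZE = 2_000_000        # Max_Alert_Size, in characters
MAX_FIELDS_PER_EVENT = 100        # Max_Fields_Per_Event
MAX_EVENTS_PER_ALERT = 50         # Max_Events_Per_Alert


def trim_alert(alert, max_size=MAX_ALERT_SIZE,
               max_fields=MAX_FIELDS_PER_EVENT,
               max_events=MAX_EVENTS_PER_ALERT):
    """Return (trimmed_alert, report) with the three limits enforced.

    Assumed order: drop surplus events, drop surplus fields per event,
    then keep dropping trailing events until the serialized alert fits
    max_size (JSON length is used as the character count here).
    The report records what was lost so an analyst knows the resulting
    case may not hold everything the source sent.
    """
    events = list(alert.get("events", []))
    report = {"events_dropped": 0, "fields_dropped": 0,
              "events_dropped_for_size": 0}

    if len(events) > max_events:
        report["events_dropped"] = len(events) - max_events
        events = events[:max_events]

    kept = []
    for event in events:
        if len(event) > max_fields:
            report["fields_dropped"] += len(event) - max_fields
            event = dict(list(event.items())[:max_fields])
        kept.append(event)

    trimmed = dict(alert, events=kept)
    while len(json.dumps(trimmed)) > max_size and trimmed["events"]:
        trimmed["events"] = trimmed["events"][:-1]
        report["events_dropped_for_size"] += 1
    return trimmed, report


def would_lose_data(alert, **limits):
    """Convenience check: True if ingesting this alert would drop anything."""
    _, report = trim_alert(alert, **limits)
    return any(report.values())
```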

Playbooks

Timeout added for Playbook Manual Actions

When assigning manual actions to users as part of a Playbook step, you can now add a time frame by which they have to respond to this action. You can add the time to respond in days, hours and/or minutes.

You can also decide to skip the step if the user hasn’t responded in time and use the “If previous step failed condition” to determine how to proceed. For example, you might decide to give your end user 30 minutes to approve blocking a malicious IOC and once that time has passed - the next step will escalate the action to a SOC manager.

This Time to Respond timer will appear in the Pending Actions widget on your Homepage and in the Cases Overview tab.

The Time to Respond field is disabled by default to support backwards compatibility. You can search through your Playbooks and add a value for the Time to Respond field where needed.

Async Actions with configurable timeouts: Phase One (ID #2389, #6166)

Users with IDE permissions can now create async custom actions with configurable timeouts.

Previously the timeouts could only be configured in the Global Config settings in the DB. Now, async custom actions can be configured in the IDE and changed afterwards in the individual Playbook step.

Both synchronous and asynchronous actions can be configured with different timeouts. For async actions you can configure the timeout for each push request (the script timeout), the polling interval (how long to wait before trying again) and the overall timeout (when to stop trying altogether). For sync actions, as before, you can configure only the script timeout (in minutes and seconds).

Phase one of this feature only applies to Custom Actions. Phase two will cover Commercial actions. 

For more information, please refer to How do I configure timeouts for Playbook Async actions.
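To make the interplay of the three async timeouts concrete, here is an added Python model (not Siemplify code; the timeout names, the simulated clock and the constructed remote side are assumptions) that drives a polling action until it completes or one of the timeouts fires:

```python
from dataclasses import dataclass


@dataclass
class AsyncTimeouts:
    """Constructed model of the three async-action timeouts (seconds)."""
    script_timeout: float     # budget for each individual push/poll request
    polling_interval: float   # how long to wait before trying again
    overall_timeout: float    # when to stop trying altogether


class SimulatedClock:
    """Fake clock so the example runs instantly and deterministically."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


def run_async_action(timeouts, poll, clock):
    """Drive one async action until it completes or a timeout fires.

    poll(clock) does one request, advances the clock by the time it took and
    returns True once the remote work is finished. Returns (status, polls).
    """
    start, polls = clock.now(), 0
    while True:
        before = clock.now()
        done = poll(clock)
        polls += 1
        if clock.now() - before > timeouts.script_timeout:
            return "script_timeout", polls   # one request blew its budget
        if done:
            return "completed", polls
        if clock.now() - start + timeouts.polling_interval > timeouts.overall_timeout:
            return "overall_timeout", polls  # next poll would land too late
        clock.sleep(timeouts.polling_interval)


def slow_remote(finish_after_polls, request_cost):
    """Constructed remote side that reports done on the Nth poll."""
    calls = {"n": 0}
    def poll(clock):
        clock.sleep(request_cost)
        calls["n"] += 1
        return calls["n"] >= finish_after_polls
    return poll
```

With a 5 s script timeout, a 10 s polling interval and a 60 s overall timeout, a remote that finishes on the third poll completes at 23 s; lowering the overall timeout to 30 s stops the action after the third poll instead.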

Pending Action Widget Enhancement

Previously, when there were no actions waiting for user input, the widget would not display at all in the Case/ Alert View.

Authentication

Enhanced User Authentication

From this version on, the responsibility is on the Siemplify user to identify and authenticate themselves. After an admin adds a new internal user, an invite will be sent to their email; in order to start using the system, the user needs to accept the invite and then set their own password. This provides the user with more choice by opting into Siemplify and choosing their own password. Note that SAML users will also receive an invitation but can log in to the system anytime without needing to set a password.

Customers must either move to Siemplify's SMTP or make sure that their email settings are correct in order for users to receive the invite emails. 

SAML and LDAP User Accounts no longer disabled after 90 days (ID #7534, #8095, #9164, #9271, #9756)

Customers using MFA are no longer bound by Siemplify’s expiration policy of 90 days.

Admin Tasks

New option for Forgot Password

From now on, when an internal user forgets their password, they are no longer locked out of the system and reliant on the admin to change it for them.

On the login screen, the words Forgot Password are now displayed. The user can click through and, via email, will be directed to a secure site to change their password.

This feature is for internal users only. 

New options for Email Settings

You can now choose to have system emails sent from the default Siemplify SMTP settings or from your own customer settings. The selection is made from the Settings > Email Settings screen.

Upload License only by specific users

Only Admin users, or users with specific permissions will be able to upload a new license to the Platform.

For the new Login with Email feature, please make sure that for SAML users the user identifier matches the email attribute in Siemplify.

Customizable Landing Pages

From this version on, the admin can now define landing pages at a more granular level according to the Permission group the users belong to from the Settings > Permissions screen.

To support this feature, the Landing Page on Login section from the Settings > General page has been removed. For users upgrading from a previous version, all the permission groups' landing pages will be set to the value that was previously in the Settings > General page.  

It's recommended to go through each Permission group and change the landing page as required.

For more information, please refer to Define Landing Page on Login.

Entities

Add/Edit Entity Properties Enhancements

Users can now add or edit entity properties directly from multiple screens such as case overview, investigator, or entity explorer instead of running a manual action. For more information, please refer to Add/Edit Entity Properties.

Marketplace and Integrations

Integrations on Shared Instances can now be configured on Remote Agents

As such, a new Remote Agent option has been added to the Integrations Shared Instances screen. 

Ability not to override custom IDE items

With this Release, when updating an Integration, if one of its connectors, jobs or managers has the same name as one of your custom IDE items, you are given the option either to rename the existing item or to allow the new Integration to overwrite it.

Use Case New Ontology Rules

When installing integrations as part of Use Cases, ontology will also be installed if available. 

If there is a conflict between the new mapping and modeling rules and the existing ones, the user can decide whether or not to override the existing rules.

Platform

Blacklist/Whitelist changed to Blocklist/Allowlist

In order to comply with industry-wide changes, the terms Blacklist and Whitelist have been replaced throughout the platform and API endpoints with the terms Blocklist and Allowlist. System functionality has not been affected by this change.


Exposing Context Key Values

Previously, context key values were only visible in the Database, which meant that customers had no way of knowing what was available. Now, context key values are displayed both in placeholders and in the side drawer that opens on the right of the Cases screen. For example, when you enter a new key and value for an Alert in the Set_Context_Value action under Siemplify Tools, these now appear as placeholders under Alert and you can use them in the Get_context_value action.

For more information, please refer to Allow Access to other Environments.

Nginx updated to latest version

Nginx has now been updated to the latest version in the Platform.

Non Mandatory Dynamic Parameters (ID #8492)

In the Settings > Environments screen, the Admin can now add dynamic parameters which are non-mandatory and therefore do not need a default value defined. For example, an Admin can choose to add a dynamic parameter for a secondary emergency contact.

User Notification Enhancement

User notifications now take the user to the exact part of the screen that the notification relates to.

Support for Microsoft Edge

Siemplify now supports the Microsoft Edge browser starting from Version 96.

Pending Action Widget Enhancement (continued)

Now, when defining the widget in the customized or default views, a new toggle allows you to display the widget even when there is no actual pending action to display.

Full Support for RHEL 7.9

The Siemplify platform now supports RHEL 7.9 (this does not apply to Publisher/Agents or Tableau).

Dates added to Log Files (ID #6992)

From now on, log files in /var/log/siemplify/ contain the date in the YYYY-MM-DD format.

User files with potentially risky file extensions marked as “not safe”

All files downloaded by the user with the following file extensions will automatically be marked as not safe. This is to raise user awareness of security issues.

  • BAT

  • BIN

  • CMD

  • EXE

  • SH

  • RUN

  • JAR

  • VB

  • APP

  • SCR