Enhancements
Added Email as Contact Type to Send Notifications for Low Urgency ActOns
Users can now set the contact type to email for low-urgency ActOns in the Escalation Settings tab of their My Profile page. Enabling this option sends a notification to the user's configured email address when low-urgency ActOns are triggered within the platform. ActOns set to priority P2, P3, and P4 are considered low urgency.
Improved Notifications Functionality
Notifications functionality has been improved with the introduction of a new feature called system notifications, combining the capabilities of templates and policies into a unified and streamlined process. As part of this enhancement, the standalone pages for templates and policies have been removed, providing a more integrated user experience.
- System Notifications: The new system notifications feature allows users to configure data sources, events, and notification channels all in one place.
- Event Notifications: When an event is triggered from a configured data source and meets specified conditions, notifications are automatically sent to the designated channels.
- Channel Creation: Users can now create channels directly from the channel drop-down menu, improving accessibility and ease of use.
Criticality Filter Added on Entities Overview
The Critical field has been added to the Entities overview page, allowing users to filter entities by criticality.
View in Chronicle Button Added in Entities Overview for Chronicle Entities
A new option called "View in Chronicle" has been added to the entity page for Google Chronicle entities. Clicking this option redirects users to the Chronicle page, where they can view detailed information about the entity as well as the alerts triggered specifically for it.
Mandatory feed name field in log and data ingestion
To align with Google Chronicle's requirements, the feed name field has been made mandatory across all types of feeds within the log and data ingestion section. This ensures that users provide a specific feed name for each feed while configuring a feed type.
Addition of Aggregate Field in Time Series View
The aggregate field has been added to the Time Series view, allowing users to aggregate signals by hour, day, week, month, quarter, or year. For example, aggregating signals by month displays the signals triggered during that month as a set. Clicking on the bubble chart displays the signal list with the date on which each signal was generated.
Signal breakdown added in Time series analysis
When you want to track the number of signals generated at a specific data point in the line chart, you can click on the data point to open the side panel. This panel shows the available dimensions that you can add to the axes plot. Clicking on the bubble chart of any dimension reveals its values in the side panel. You can then add these values to the axes plot under the dimension to view the list of signals generated from that specific value.
Compact view and default view for MITRE Matrix in the Threat Detection, and Threat Detection & Response modules
The MITRE Matrix has been categorized into three main attack phases, and each phase consists of six sub-attack phases.
In the default view, only some of the three attack phases with their tactics are visible when you initially land in the Threat Detection, and Threat Detection & Response modules. You need to scroll right to view the remaining attack phases.
The compact view lets you focus on a specific attack phase and its tactics and techniques by collapsing the other attack phases to the right or left. You can switch among the other tactics by clicking on the respective tactics.
A sort order (Top N or Bottom N) by metric in a widget
Now you can sort the values of a widget by selecting the top N or bottom N with respect to the metric while creating a dashboard.
Added a case insensitive toggle for model filters in Behavior models
We've introduced a case-insensitive toggle for each condition under the model filters of the behavior models. Turning on the case-insensitive toggle makes the string operators match both lowercase and uppercase characters while defining the filters. This feature lets users quickly find their model by searching with a model filter, irrespective of character case.
Generative AI assistant for defining behavior models
Now you can define behavior models based on recommendations with ease on the behavior analytics home page. The AI assistant suggests new models based on the combination of log sources and existing models. This functionality is available at domain, organization, and tenant levels.
Advanced Filters Added to Detection Rules, Threat Feeds, Reference Lists, and Content Packs
Advanced filter options have been added to Detection rules, threat feeds, reference lists, and content packs. This feature enables users to define search criteria to retrieve relevant records from the respective tables. When the user selects a filter, the values associated with that filter are displayed in the value drop-down. Furthermore, users can apply the appropriate operators, such as equals, not equal, like, and not like, to fetch records that match these specific criteria. For example, setting the List type parameter to equal Regex in reference lists fetches the records of reference lists with the Regex list type.
Reference List Pages Revamped
The reference list functionality has undergone a redesign to align with the platform's updated look and feel. Here are the key design improvements:
- Syntax Type Enhancement: The Syntax type drop-down has been upgraded to radio buttons, providing a more intuitive selection experience.
- Action Options: Previously, the Action drop-down was used to select Send for Review. Now, two distinct options, Send for Review and Save as Draft, are displayed at the bottom of the reference list page, streamlining workflow actions.
- Layout Changes: The Comments section has been relocated to the left for improved visibility and accessibility. Additionally, an activity log tab has been introduced, offering a comprehensive view of all related actions and changes.
Link Reference List to Rules
Users can now reference reference lists within the YARA-L rule syntax. Only published reference lists can be added to rules. Once the rule is verified, users can save the detection rule and view the linked reference list on the left. The "view" option on the detection rules page allows access to the reference list.
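As an added illustration, not taken from these release notes or the product's own documentation, the following YARA-L 2.0 rule references a reference list using Chronicle's `%list_name` syntax; the rule name, the list name `suspicious_ips`, and the meta values are assumed.

```yaral
rule network_connection_to_listed_ip {
  meta:
    // Assumed metadata values for this illustration.
    author = "example"
    description = "Outbound connection to an IP present in a published reference list"
    severity = "MEDIUM"
    // Technique ID with its name, as the release notes describe for rule metadata.
    mitre_attack_technique = "T1071.001 - Application Layer Protocol: Web Protocols"

  events:
    $conn.metadata.event_type = "NETWORK_CONNECTION"
    // Membership test against the reference list 'suspicious_ips' (assumed name);
    // only published lists can be linked to a rule.
    $conn.target.ip in %suspicious_ips
    $conn.principal.hostname = $host

  match:
    // Group matching events per source host over a one hour window.
    $host over 1h

  outcome:
    $risk_score = max(60)
    $event_count = count($conn.metadata.id)

  condition:
    $conn
}
```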
Threat Feeds Enhancement
A significant improvement has been made to threat feeds for the Enter IOC and upload CSV source types. Previously, start time and expiry time data were not sent to Chronicle along with the other threat feed information. With this release, we now send the start time and expiry time of threat feeds from our CMS to Chronicle. The expiry date for IPs and URLs is 7 days from the current date, while for hashes it is 15 days.
Added Sub-technique Name with ID in Detection Rules
With this enhancement, the sub-technique ID is now accompanied by its corresponding sub-technique name in the metadata section of detection rules. Previously, only the sub-technique ID was displayed as the sub-technique value. This improvement provides more comprehensive information and enhances clarity within the detection rules.
Entities and Situation ID columns in Signals home page
Entities and Situation ID columns have been added to the Signals home page. With these columns, you can quickly view the entities and Situations associated with each signal.
Character limit in the ActOns and Situations titles
The character limit of ActOn and Situation titles has been extended to 160. Now you can modify the titles of ActOns and Situations up to 160 characters, and all of these characters are visible in the UI.
Mark as ActOn and Visibility features in Case type ActOns
Enabled the Mark as ActOn and Visibility features for Case type ActOns. The former option allows you to change a case type Situation to an ActOn, and the latter lets you see whether the ActOn applies to a domain, an organization, a tenant, or all of them.
Set Max limit in subscriptions & contract details tab of Organizations & Tenants and data allocation tab of subscriptions
Introduced a Set Max limit feature in the subscriptions & contract details tab while creating organizations or tenants under a domain within the platform. With this feature, you can set the maximum limit (in volume or count) when you are inheriting or creating new subscription plans from a domain to organizations or tenants. You need to select the check box next to each subscription to enable the maximum limit. This feature is applicable to domains and organizations only.
You can set the maximum limit even after creating organizations or tenants. To do this, navigate to Subscriptions and set the maximum limit for each organization or tenant under the Data Allocation tab.
Auto scroll down in the ActOn analyzer tab of ActOns
Disabled auto scroll down in the ActOn Analyzer tab, so that you can move from the top to the bottom of the page at your own pace while analyzing an ActOn to produce actionable reports with summaries, signal details, impacted assets, and mitigation steps.
Hierarchy separation in the ActOn owner field of an ActOn
Previously, you could not distinguish the hierarchy level (domain, organization, or tenant) of an ActOn owner. Now, you have visibility into the hierarchy level that a user belongs to while assigning the ActOn owner to an ActOn.
Empty screens in ActOns' home page
Now, a blank screen with the message "No ActOns found for selected filters" is shown whenever no ActOns match the filters applied in the filters panel on the ActOns home page.
Deprecations
Deprecation of ActOns (classic)
We've deprecated the ActOns classic UI and replaced it with a new UI design, which provides an intuitive and more engaging user interface for users of the Resolution Intelligence Cloud. We recommend that you explore the new ActOns UI for managing your ActOns efficiently.
Deprecated Negate toggle at group level under model filters in Behavior models
We've deprecated the group-level Negate toggle when defining model filters in behavior models. Instead, you can enable the Negate toggle on each individual condition to filter UDM attributes against their respective values.