New Features
Introducing Slack channel integration
We've integrated the Slack channel into Resolution Intelligence Cloud. Users can now configure a Slack channel to notify the team in their Slack workspace whenever an event is triggered from the configured source, such as a signal, situation, ActOn, or entity. Users have the option to choose which events from a source should trigger notifications in the Slack workspace.
Enhancements
New validation messages added in functions – Phase 1
Field-level validation messages have been changed on the Correlation Policies page and on the Add User page.
Added Case view URL field in Chronicle SOAR integration
The Authentication page of the Chronicle SOAR integration now includes a Case View URL field, so users can configure the case view URL while setting up Chronicle SOAR in the Resolution Intelligence Cloud.
When an ActOn is converted to a case in SOAR, clicking the ActOn's external ID on the new ActOns page in the Resolution Intelligence Cloud redirects users to the corresponding Chronicle SOAR case page, where they can access the detailed case information needed to investigate the security alert.
Added criticality field to enrichment policies
The criticality field has been added to the Enrichment Policies page, allowing users to configure the criticality of entities that meet pre-defined conditions as either "yes" or "no." During the entity sync process, the system evaluates the enrichment policy conditions and tags each entity that satisfies them with the configured criticality state in the Resolution Intelligence Cloud.
Filter the entities by ASE source
You can now push ASE entities from the backend to the Resolution Intelligence Cloud. Furthermore, on the Entities page, you can filter these entities by selecting the ASE source from the available filter options.
Ingesting sub-technique name to Chronicle instead of its ID
The Resolution Intelligence Cloud now ingests the names of MITRE Matrix sub-techniques into Chronicle instead of their IDs. When you select a sub-technique while configuring a behavior model, its ID is replaced with its name in BigQuery, which makes multiple sub-techniques easier to track and identify in Chronicle.
Threat Feeds enhancement
Threat feeds for the Configure URL source type have been significantly improved. Previously, the start time and expiry time were not sent to Chronicle along with the other threat feed information. With this release, the start time and expiry time of threat feeds are sent from our CMS into Chronicle.
Rule Management
If version 1 of a rule is disabled in the Resolution Intelligence Cloud, the same rule is automatically disabled in Chronicle as well. When a new version of a rule is created, the previous version is disabled in both Chronicle and the Resolution Intelligence Cloud (Rules).
Addressed rule ambiguity and duplicate alerts
Previously, new rule versions were published as separate versions in Chronicle, causing ambiguity and generating detections from both versions. Disabling alerting for one version resulted in duplicate alerts from the other version.
To address this issue, when a rule at the domain level is published to an organization, all tenants under the organization receive the rule in the ready-to-publish state. Tenants are required to manually publish the rules and associated packs.
Subsequently, when the domain publishes a new rule version, tenants onboarded later receive the updated rule version in the ready-to-publish state.
Sorting by order in the table view of ActOns’ Home page
Sorting has been added for the ID, title, external ID, SLA, owner, and created date columns in the table view of the ActOns home page, which lists both DigitalOps and Security ActOns. You can sort the ActOns in ascending or descending order by clicking the up or down arrows on the respective columns in the table view.
Revamping Signals UI
The user interface of the Signals home page has been enhanced to improve the user experience. The following enhancements have been made:
- Introduced the "Manage Columns" feature. With this feature, you can pick the columns to be shown on the Signals home page.
- Added a filter icon at the right corner. When you click this icon, a list of filters appears on the screen; when you select the desired options in the filter menu, the matching Signals appear on the page.
- A search bar with placeholder text has been added at the top of the home page. You can search Signals by ID, Title, and Source.
- An Export feature has been added, with an icon at the right corner. When you click this icon, an Export CSV option appears. You can export all signals from the Signals home page to your local drive in CSV format.
- Currently, the Situation ID and Entity details are not shown on each signal's page because the data is not available.
Sorting order in the Situations Home page
Sorting has been added for the ID, title, external ID, and created date columns on the Situations home page, which lists both DigitalOps and Security related Situations. You can sort the Situations in ascending or descending order by clicking the up or down arrows on their respective columns.
Editing titles of Situations and ActOns
Introduced an edit feature for the title field of ActOns and Situations, allowing users to customize the titles of Situations and ActOns to match their needs.
Introducing Chronicle SOAR tickets under security category in the ActOns and Situations Home pages
Resolution Intelligence Cloud treats Chronicle SOAR tickets, or Cases, as security related ActOns and Situations. These Chronicle SOAR tickets are ingested through the integration between the Resolution Intelligence Cloud and Chronicle SOAR platforms. With this addition, you can manage the ActOns and Situations triggered from Chronicle SOAR and mitigate security risks posed by the external environment before they become severe incidents.
Introducing Mark as relevant or Mark as irrelevant buttons
We have added Mark as relevant and Mark as irrelevant buttons under the Detections tab in the security ActOn work area. With this feature, you can mark new detections as relevant or irrelevant for a specific ActOn. Whether a detection is considered relevant is determined by majority voting.
Manual escalation of an ActOn
You can now manually escalate an ActOn that is in the closed state to an on-call responder by enabling an escalation policy or a function under the Escalations tab of the ActOn. Users with the Global Admin, Responder, Owner, Manager, or Config Manager role can escalate an ActOn. Currently, this feature is available at the domain, organization, and tenant levels of the multi-tenancy hierarchy.
Added likelihood, impact, and confidence scores to security ActOns
Likelihood, impact, and confidence scores are now populated for each security ActOn under their respective columns, allowing users to prioritize ActOns accordingly.
Deprecations
Deprecated task creation in DigitalOps ActOn
Task creation under the Tasks tab of a DigitalOps ActOn has been removed, as this functionality is no longer required.