New Features
Introducing Cloudflare integration, a new addition to our CMDB-type integrations. You can now sync entities such as DNS records and domains from Cloudflare into the Resolution Intelligence Cloud.
Deeper Insights, Enhanced Defence: Introducing Powerful New Signal Analytics
Empower your threat hunting, security data engineering, and operations workflows with these powerful new features:
- Hunt like a Pro: Time Series Analysis lets you see beyond the snapshot. Juxtapose signals across time to reveal hidden trends, patterns, and potential threats that static observations might miss.
- Fast-Track Investigations: Advanced Search allows you to search on any signal attribute, streamlining the process of identifying and investigating potential threats.
- Unmask the Attacker: MITRE ATT&CK® Alignment aligns signals with the ATT&CK® framework, providing deeper insights into attacker tactics, techniques, and procedures (TTPs) for more informed decision-making.
- Gain Situational Awareness: Enhanced List View offers a clear and concise list format for all triggered signals, facilitating efficient threat response and analysis.
Enhancements
- Download Error Log Format Update
Download Error logs in parsers have been improved. Previously, error logs were downloaded in base64 format, making them difficult to interpret. With this update, error logs are presented in a human-readable (decoded) format, making the parser errors recorded in the logs easier to understand and resolve.
- Toast Message Enhancements
Toast messages have been revamped for an improved user experience and clearer feedback. Three types of toast messages are now displayed based on user actions:
- Default: Indicates successful completion of an action by the user.
- Loading: Indicates that a task is in progress and requires some time to complete the action.
- Error: Indicates that a task cannot be completed and provides guidance to the user on necessary actions to successfully finish the task.
- Signal Detection Policies Page enhancements
The Signal Detection Policies page is now rendered dynamically based on the user's subscription. The Detection rules, Threat feeds, Behavioural models, and Custom exposures tabs are visible only if the selected subscription includes them.
Users can access only the features available within their subscription, ensuring customized visibility and use of signal detection policies.
- Addition of Group Users Filter
A new group users filter has been added on the Entities Overview page in the Entities module. This filter lets you filter entities by user group. User groups are entities synced from GitHub and Chronicle.
- Redirect users to the new ActOns, Situations and Signals pages from the single entity page
When you open a signal entity page in the Entities module, you are redirected to the respective new ActOns, Situations, and Signals pages.
- Refresh functionality in the Risk tab of Attack Surface Intelligence
Introduced a refresh feature for the dashboard in the Risk tab under Attack Surface Intelligence while a signal is in the "in progress" state. A message at the top of the page indicates that the dashboard will refresh to update the status of the signal that is "in progress".
- Copy icon in the Query editor in the Event browser
A copy icon has been added to the query editor of the query library, under the Sample queries tab, in the event browser. With this feature, you can copy a SQL query from the Sample queries tab and paste it wherever required.
- Expand or collapse button in the Event browser
The help section in the event browser now has Expand all and Collapse all buttons, so you can expand or collapse all tabs in the help section at once.
- Commonly used keywords in the help of the event browser
Added documentation of commonly used keywords such as CURRENT_TIMESTAMP, TIMESTAMP_SUB, INTERVAL, and UNIX_SECONDS to the help section of the event browser. With these keywords, you can write time- and date-related SQL queries effectively.
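As an added example (not a query from the product's help section or its sample-query library), the following BigQuery Standard SQL query shows how those keywords fit together for a sliding time window. It assumes, as the UDM-style field names elsewhere in these notes suggest, an events table whose `metadata.event_timestamp.seconds` column holds epoch seconds; the table name `events`, the `principal.hostname` column, and the threshold of 100 events are assumptions chosen for illustration.

```sql
-- Added example, not from the page. Assumed schema: table `events` with
-- metadata.event_timestamp.seconds (INT64 epoch seconds) and principal.hostname (STRING).
-- Hosts that generated more than 100 events in any hour of the last 24 hours.
WITH bounds AS (
  SELECT
    TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 24 HOUR) AS start_ts,  -- window start
    CURRENT_TIMESTAMP()                                  AS end_ts     -- window end
)
SELECT
  TIMESTAMP_TRUNC(TIMESTAMP_SECONDS(e.metadata.event_timestamp.seconds), HOUR) AS hour_bucket,
  e.principal.hostname AS source_host,
  COUNT(*)             AS event_count
FROM `events` AS e
CROSS JOIN bounds AS b
-- Convert the window edges to epoch seconds with UNIX_SECONDS and compare the raw
-- column, rather than wrapping the column in a function, so the predicate can
-- still prune on the stored value.
WHERE e.metadata.event_timestamp.seconds
      BETWEEN UNIX_SECONDS(b.start_ts) AND UNIX_SECONDS(b.end_ts)
GROUP BY hour_bucket, source_host
HAVING event_count > 100
ORDER BY hour_bucket DESC, event_count DESC;
```

Expressing the window as TIMESTAMP_SUB(..., INTERVAL 24 HOUR) instead of subtracting a hand-computed 86400 keeps the intent readable and survives changes of unit (MINUTE, DAY) without arithmetic mistakes; keeping the function calls on the constant side of the comparison is what lets the query filter directly on the stored seconds column.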
- Scrolling view of Entities for a signal in threat detection
In threat detection, introduced a scroller to view the signal details linked to an entity when you click any option under the Entities column of a MITRE matrix.
- Escape button in Threat Detection and Dashboards & Reports modules
Introduced an Escape button in the Threat Detection and Dashboards & Reports modules. With this feature, you can close the side drawers that open while analysing each technique of a MITRE matrix or the ActOns and Situations dashboards.
- Enumeration analysis type in a behavior model
The enumeration model has been split into two analysis types, rarity and deviation. You can select rarity, deviation, or both when configuring an enumeration model:
- Rarity: In this analysis type, the model detects rare behavior by baselining against the usual behavior of source and target ports. The usual behaviors for source and target are aggregated on a daily basis.
- Deviation: In this analysis type, the model detects an anomaly when a source connects to an unusual number of targets, baselined against the defined count of targets. The count of targets is aggregated on a daily basis.
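The two analysis types above, as an added Python example (not the product's own model code; the same enumeration type is restated later in these notes under "Enumeration model with analysis type - Rarity and Deviation"). The page does not state which statistics or thresholds the model uses, so the rarity threshold (fraction of baseline days on which a source/target/port was seen), the 3-sigma-plus-minimum-delta rule for deviation, and the connection records are all assumptions constructed for illustration.

```python
"""Rarity and deviation checks for an enumeration-style behavior model.

Added example, not code from the product described in these notes. The exact
statistics the product uses are not stated on the page; the thresholds, the
3-sigma rule and the sample records below are assumptions for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

BASELINE_DAYS = [f"2024-05-0{d}" for d in range(1, 6)]   # five days of history
EVAL_DAY = "2024-05-06"

# Constructed sample connection records: (day, source, target, dst_port).
RECORDS = []
for day in BASELINE_DAYS:
    RECORDS += [(day, "10.0.0.5", "db-1", 5432),
                (day, "10.0.0.5", "web-1", 443),
                (day, "10.0.0.9", "web-1", 443)]
RECORDS += [(EVAL_DAY, "10.0.0.5", "db-1", 5432),
            (EVAL_DAY, "10.0.0.5", "db-1", 22),          # port never used before
            (EVAL_DAY, "10.0.0.9", "web-1", 443)]
RECORDS += [(EVAL_DAY, "10.0.0.5", f"host-{i}", 445) for i in range(10)]  # fan-out


def daily_aggregates(records, days):
    """Aggregate per day: the (source, target, port) triples seen and the
    distinct targets per source. This is the daily aggregation the notes describe."""
    triples = {day: set() for day in days}
    targets = {day: defaultdict(set) for day in days}
    for day, src, tgt, port in records:
        if day in triples:
            triples[day].add((src, tgt, port))
            targets[day][src].add(tgt)
    return triples, targets


def rare_behaviors(records, baseline_days, eval_day, threshold=0.2):
    """Rarity: a (source, target, port) seen on fewer than `threshold` of the
    baseline days is reported. Returns {triple: fraction_of_baseline_days_seen}.
    A target never seen in the baseline is therefore rare on every port."""
    base_triples, _ = daily_aggregates(records, baseline_days)
    eval_triples, _ = daily_aggregates(records, [eval_day])
    days_seen = defaultdict(int)
    for day in baseline_days:
        for triple in base_triples[day]:
            days_seen[triple] += 1
    n = len(baseline_days)
    return {t: days_seen[t] / n for t in eval_triples[eval_day]
            if days_seen[t] / n < threshold}


def target_count_deviations(records, baseline_days, eval_day, sigmas=3.0, min_extra=3):
    """Deviation: a source whose distinct-target count on eval_day exceeds its
    baseline mean by more than `sigmas` standard deviations AND by at least
    `min_extra` targets is reported. The second condition guards against a
    zero-variance baseline, where any increase would otherwise be 'unusual'.
    Returns {source: (today_count, baseline_mean)}."""
    _, base_targets = daily_aggregates(records, baseline_days)
    _, eval_targets = daily_aggregates(records, [eval_day])
    sources = set(eval_targets[eval_day])
    for day in baseline_days:
        sources |= set(base_targets[day])
    findings = {}
    for src in sources:
        # Days with no connections count as zero targets, not as missing data.
        history = [len(base_targets[day].get(src, ())) for day in baseline_days]
        mu, sigma = mean(history), pstdev(history)
        today = len(eval_targets[eval_day].get(src, ()))
        if today > mu + sigmas * sigma and today - mu >= min_extra:
            findings[src] = (today, mu)
    return findings


if __name__ == "__main__":
    print("rare:", rare_behaviors(RECORDS, BASELINE_DAYS, EVAL_DAY))
    print("deviation:", target_count_deviations(RECORDS, BASELINE_DAYS, EVAL_DAY))
```

On the constructed data, the rarity check reports db-1:22 (a port with no baseline history) together with the ten new hosts on port 445, and the deviation check reports 10.0.0.5 for jumping from two targets a day to eleven. The fan-out therefore appears under both checks; when running both types on one model, a practitioner would usually suppress the per-target rarity findings for a source that the deviation check has already flagged, so that a scan produces one finding rather than one per host.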
- Timeline widget for ASI tickets as Google Chronicle
Attack Surface Intelligence tickets now use the Chronicle ticket template. Previously, there was no timeline match between ASI tickets and Google Chronicle tickets. Because correlation rules are now applied to ASI tickets, the timeline widget of ASI tickets matches that of Google Chronicle tickets.
- Response column under the Escalations tab in a DigitalOps ActOn
Removed the "Response" column from the Escalations tab in a DigitalOps ActOn, as it is now redundant. The response values have been merged into the "Status" column.
- Actions button hidden in ActOns
The "Actions" button in the ActOns UI is now hidden to prevent users from performing unwanted actions. Only users with the Global Admin, Owner, or Config Manager role can see the "Actions" button.
- Close Situations button in Situations
The "Close Situations" button in the Situations UI is now hidden to prevent users from performing unwanted actions. Only users with the Global Admin, Owner, or Config Manager role can see the "Close Situations" button.
- Summary tab in the Security ActOn
Added a Summary tab in security-related ActOns. The summary shows the alert name, alert start time, when the first event occurred, the source and destination IP, how many events were triggered, and the actions taken on the ActOn.
- Escalation SMS for same country code
Escalation SMS sent to on-call members when an ActOn is triggered are now restricted by country code. Previously, escalation SMS were sent to all on-call members regardless of the source and destination country codes. Now an on-call member receives the escalation SMS only if the source and destination country codes match.
If no phone number is configured in the account, the escalation SMS will not be sent to the on-call member and the status is updated as "Completed".
The SMS format is shown as:
you have an open incident id (Ticket_id) assigned. To acknowledge reply back with:
- Multiple IDs in Escalation call template
When an on-call member answers an escalation call, the escalation call template now includes the integration ID if an integration is available; otherwise the OpsRamp ID; otherwise the ActOn ID.
- Status "Acknowledged" in an ActOn
The status of an ActOn changes to "Acknowledged" when an on-call member responds to an escalation. This lets you know that someone is working on the ActOn and that resolution is under way.
- Escalation entry in the Audit log
An escalation entry has been added to the audit log. It captures the date and time of every escalation triggered for a function, making escalations easy to track.
- Manual escalation of an ActOn
You can now manually escalate an ActOn that is in the closed state to an on-call responder by enabling an escalation policy or a function under the Escalations tab of the ActOn. Users with the Global Admin, Responder, Owner, Manager, or Config Manager role can escalate an ActOn. Currently, this feature is available for tenants only.
- Entities
- View function details:
You can now view the details of functions linked to an entity by clicking the function link on the single entity page.
- Unified Design:
The Functions modal on the Entity list page and on individual entity pages now share the same design.
- Enhanced User Guidance:
A new empty-state message on the Entities Overview page guides users to sync entities from CMDB and security sources. Related topics are also provided so users can learn about entities.
- Display Name Visibility:
Display name is now shown as a column on the Entity list page and as a field on the single entity page for easier entity identification.
- Column Ordering:
Reorder the columns on the entity inventory page to your preference using the reordering button under Manage columns.
- IP Address Enrichment
Public IP addresses from Azure, AWS, Chronicle, and Cloudflare are now enriched in the backend only when the IP address check box is selected while creating an enrichment policy. You can view the public IP addresses of entities in the Display name column of the Entity Inventory page.
- Enabled notifications for entities
You can now receive notifications when an entity is created, updated, or deleted, through configured channels such as email, webhook, or Microsoft Teams.
- Attributes to control entity notifications in Notification Policies
You can now use entity attributes in the conditions of notification policies to control which entity notifications are sent to the configured channels when an entity is created, updated, or deleted. The entity attributes available for filtering are Category, Class, Created Time, Critical, Display Name, Function Name, Location Name, Organization, Source Client ID, Source Name, State, Tags, Tenant, Type, Updated Time, and User Group Name.
- Added labels to Scoring rules, ActOn policies, and Processing rules
A Label field has been added to the Scoring rules, ActOn policy, and Processing rules forms. Labels add context, make rules easier to search, and let you filter the scoring rules and processing rules on the listing page by a specific label.
- Filter icon added to scoring templatization rules, ActOn policies, processing rules, and correlation policies
Previously, the filter fields were always visible on the listing pages of scoring templatization rules, ActOn policies, processing rules, and correlation policies. A filter icon has now been added to these listing pages; clicking it shows the filter fields available to narrow down the results.
- Import all rules from a JSON file at once
You can now import scoring templatization rules, ActOn policies, processing rules, and correlation policies from a JSON file into the platform all at once, using the Select all button regardless of pagination. This removes the previous limit of importing only five rules at a time.
- Replaced the List Hidden Rules toggle with a check box at the domain level
The List Hidden Rules toggle has been replaced with a check box at the domain level. Select the check box to display all rules, including hidden ones, and clear it to show only unhidden rules.
- Advanced filtering options in Detection policies
Advanced filters have been introduced on the Detection policies pages for Rules, Threat feeds, Reference lists, and Custom exposure lists, so you can define criteria and filter the results.
- Dynamic page refresh across the platform
Pages across the platform now refresh automatically when the hierarchy changes, so users always see current information.
- Activity logs for log source monitors
You can now see log entries for log source monitors directly on the Activity logs page. These logs track every action a user performs in Log source monitors.
- Top N filter for all widgets
Introduced a "Top N" filter type for each widget in a dashboard. With this filter, you can select the top metrics (for example, the top 3) in a widget while creating a dashboard or afterwards.
- Functions column in Threat Detection
In the Threat Detection module, the Functions column is now populated with the relevant data when you export raw data from any technique in the MITRE matrix.
- Schedule in Behaviors dashboard
In the Threat Detection and Response module, the Schedule button has been removed from the Behaviors dashboard.
- Escape button in Threat Detection and Threat Detection & Response
Introduced an Escape button in the Threat Detection and Threat Detection & Response modules. With this feature, you can close the side drawers that open while analysing each technique of a MITRE matrix.
- Design revamp for widgets in a dashboard
In the Dashboards section, when you click any widget, the side drawer view shows the following:
- Two tabs in the side drawer
- An inline message when the data exceeds 10k rows; you can export the data as CSV to your local drive
- Procedural filtering across Behavior analytics
The filtering mechanism on the behavior analytics model page has been enhanced so that data for the last 30 days is displayed whenever a user applies a filter on the dashboard.
- Recommendations for UDM fields in Conversational Assistant
The conversational assistant now checks whether you have selected a valid UDM field while creating a behavior model and recommends the correct one.
Example:
what is the metadata.collected_timestamp and is it a valid field?
The field "metadata.collected_timestamp" refers to the GMT timestamp when the event was collected by the vendor's local collection infrastructure. However, it is not a valid field on its own. The valid fields are "metadata.collected_timestamp.seconds" and "metadata.collected_timestamp.nanos".
- Recommend models in Conversational Assistant
The conversational assistant is now enriched with your log sources and the models you have built previously, so it can recommend additional models for identifying anomalies or unauthorized activity.
Example:
Model Name: "Unusual Database Access"
Model Description: This model monitors access to databases and alerts on unusual or unexpected access, such as access at odd hours or from unusual locations. This can help identify potential data breaches or unauthorized access.
Log Source Used: Google Cloud SQL, AWS RDS
- Outlier column in Behavior analytics
Added a column named "Outlier Behavior" to the table in Behavior analytics.
- Hard delete for Behavior models or policies
Behavior policies and models are now deleted permanently, including the policy summary, run history, job history, source, and baseline tables.
- Enumeration model with analysis type - Rarity and Deviation
Introduced a new enumeration model type, "Rarity and Deviation", with daily aggregation intervals to identify anomalies.
- Collapse/expand filter panel in a Behavior model
Introduced a collapse or expand option for the right filter panel in each behavior model.
- Baseline for day of week and hour of day in a Behavior model
Baselines are now created for every day of the week and every hour of the day, so the model can flag anomalies when it detects a deviation from the baseline.
- New filter options on the right filter panel in a Behavior model
The right filter panel now offers "include", "exclude", and "only this" options to filter the data in the histogram shown in each behavior model.
- Customer data deletion
Backend services have been enhanced so that if a customer wants their data, including ticket information, removed from Resolution Intelligence Cloud, the data is deleted permanently from the platform.
- Consistency in color codes
In the ActOns UI, the same color codes are now used for status and priority under the relevant ActOns and Correlated signals tabs.
- Revamp Situations UI
- Introduced a "Manage Columns" feature, so you can pick the columns shown on the listing page.
- Added a filter icon at the right corner. Clicking it shows a list of filters. In addition to the Created date, Updated date, and Situation type (Security or DigitalOps) filters, advanced filters for Signal source, Functions, Category and Sub-category, and Class and Sub-class have been added.
- You can search Situations by Situation ID, Title, Signal ID, External ID, and Summary using the search bar to show relevant results on the listing page.
- Icon for escalations in ActOns UI
An ActOn is marked with an icon if any escalation has taken place on it, in both the card and table views.
- Reordering and hiding columns across Resolutions
The tables in the Resolutions module, including ActOns, Situations, and Signals, now support Manage columns. With this feature, you can reorder columns and control which columns are included in the table view.
- Bulk actions for ActOns and Situations
Bulk actions for ActOns (Mark me as Owner, Change Priority, and Close ActOns) have been implemented in the ActOns UI. You can select one or more ActOns and apply any of these bulk actions to them.
A bulk action for Situations (Close Situations) has been implemented in the Situations UI. You can select one or more Situations and apply the bulk action to them.
- Escalations filter in ActOns' quick filters
Added an Escalations filter to the quick filters of the ActOns UI. With this feature, you can filter ActOns by whether escalations were triggered, by selecting "yes" or "no" in the quick filters menu.
- Customized templates and attachments for the Notes tab in ActOn
You can add pre-defined templates while writing notes under the Notes tab in the ActOn work area.
- On-call member mentions in notes under the Notes tab in ActOn
You can now mention on-call members while writing notes under the Notes tab in the ActOn work area. A notification is delivered to the mentioned on-call member about the updates made in the ActOn.
- Top macro field for Situation title in Correlation Policies
In correlation policies, when you set the macro field to "top", the resulting Situation title uses the most frequently cited value during correlation of similar signals.