For this release we are focused on new improvements and features in Security Operations. The SecOps team wants to deliver a couple of general improvements to the Alert API to increase performance and remove unused features.
New filtering options have been added to the triage page to let users select multiple priorities to focus on and perform bulk changes to alerts. We are excited about these changes, as they improve both the overall interaction users have with SecOps and how effectively it performs.
More improvements are planned in future releases to streamline workflows and give analysts the right capabilities to act on events.
Improvements
Improvement of Alert API
Impact calculation
The configuration of the impact is displayed in the Settings window and can be enabled or disabled to improve the overall performance:
Triage workbench improvement
Multiple priority selection
This function enables you to select two or more priorities at the same time to filter the alerts:
Bulk changes of alert status
The general idea is to enable you to change the status of a given Alert group, which includes the “Add to Investigation” and “Change Status” actions, as well as any other status change available from the drop-down menu of the Alert type.
For this particular function, the workflow is as follows:
In the Triage workbench, first group the filters by Alert type.
When you click the Filter button, the app matches alerts against the filters. Then click ACTIONS and Change Status for a group of alerts.
The app shows a dialog warning you about the change that you are about to perform and that this change is applied to the whole set of alerts in the group.
You select the final status of the alerts.
If the selected status can have annotations attached, the app shows the annotation title/text to be added with the status change.
Click SAVE to perform the bulk change.
The app changes the status of all the alerts in the group and creates the annotation if needed.
If the bulk change is performed correctly, a success message is shown:
If an error occurs while changing the status, you decide whether to:
Keep the dialog open and show the error.
Close the dialog and show a notification on the triage page.
Deletion of SightingDB
SightingDB is designed to scale the writing and reading of attribute counts, tracking when each attribute was first and last seen. Given the limited usage of this enrichment, it has been deprecated and is no longer shown in Settings.
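To make the sighting concept concrete for readers who relied on this enrichment, the following is an added, self-contained Python illustration of the data model the paragraph describes (a per-attribute count with first-seen and last-seen timestamps). It is not SightingDB's own code or API; the namespaces, sample events and timestamps are constructed, and the out-of-order handling is an assumption about how such a store should behave.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass
class Sighting:
    """Aggregate record for one attribute value: how often it was observed
    and the earliest/latest observation time (epoch seconds)."""
    count: int
    first_seen: int
    last_seen: int


class SightingStore:
    """Minimal in-memory sighting store (illustration, not SightingDB).

    Keyed by namespace (e.g. "ip", "domain") and attribute value. Writes are
    O(1) updates of a small record, which is what lets a sighting store scale
    for high-volume telemetry."""

    def __init__(self) -> None:
        self._data: Dict[str, Dict[str, Sighting]] = {}

    def record(self, namespace: str, value: str, ts: int) -> Sighting:
        """Record one observation of `value` at time `ts`.

        Events may arrive out of order, so first_seen/last_seen are kept as
        min/max rather than assuming monotonic timestamps (assumption)."""
        bucket = self._data.setdefault(namespace, {})
        sighting = bucket.get(value)
        if sighting is None:
            sighting = Sighting(count=1, first_seen=ts, last_seen=ts)
            bucket[value] = sighting
        else:
            sighting.count += 1
            sighting.first_seen = min(sighting.first_seen, ts)
            sighting.last_seen = max(sighting.last_seen, ts)
        return sighting

    def lookup(self, namespace: str, value: str) -> Optional[Sighting]:
        """Return the aggregate for an attribute, or None if never seen."""
        return self._data.get(namespace, {}).get(value)

    def seen_before(self, namespace: str, value: str, ts: int) -> bool:
        """Enrichment-style check: was this attribute already observed
        strictly before `ts`? Useful for flagging first-time indicators."""
        sighting = self.lookup(namespace, value)
        return sighting is not None and sighting.first_seen < ts


# Constructed sample telemetry: (namespace, value, epoch seconds).
# The last event carries an older timestamp than earlier ones to exercise
# the out-of-order path.
SAMPLE_EVENTS: Tuple[Tuple[str, str, int], ...] = (
    ("ip", "198.51.100.23", 1700000000),
    ("ip", "198.51.100.23", 1700003600),
    ("domain", "example.test", 1700001000),
    ("ip", "198.51.100.23", 1699999000),
)


def replay(events: Iterable[Tuple[str, str, int]]) -> SightingStore:
    """Build a store from an event stream."""
    store = SightingStore()
    for namespace, value, ts in events:
        store.record(namespace, value, ts)
    return store


if __name__ == "__main__":
    store = replay(SAMPLE_EVENTS)
    for ns, val in (("ip", "198.51.100.23"), ("domain", "example.test")):
        print(ns, val, store.lookup(ns, val))
```

The `seen_before` helper shows the typical analyst use of such a store: an indicator with no prior sighting at alert time is worth a closer look, while one seen thousands of times over months is usually benign infrastructure.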