Unified experience capabilities and modal screens

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Unified Experience Capabilities and Modal Screens

    This document outlines the unified experience capabilities within the Security Incident Response (SIR) Workspace, specifically focusing on various action implementations available to Security Analysts. Each capability includes applicable screens, required inputs, and supported integrations, facilitating streamlined incident response processes.

    Show full answer Show less

    Key Features

    • Run Threat Look Up: Single screen for selecting implementations without additional inputs.
    • Run Observable Enrichment: Similar to Threat Look Up, allows selection of implementations with no common inputs.
    • Sighting Searches: Requires selection of implementations and common date/time inputs for various integrations.
    • Submit to Sandbox: Involves selecting implementations with varying inputs specific to each.
    • Publish to Watchlist: Single screen for implementation selection, no inputs needed.
    • Allow/Block Request: Allows analysts to select implementations with no additional inputs.
    • Get Host Details: Focuses on implementation selection only.
    • Get File: Requires file name and path as common inputs after selecting implementations.
    • Get Network Statistics, Get Running Processes, Get Running Services: Each requires only implementation selection.
    • Isolate/Un-Isolate Host: Involves varying inputs based on the selected implementation.
    • Run Additional Actions: Requires selecting implementations and specific inputs for each.

    Key Outcomes

    By utilizing these capabilities, Security Analysts can efficiently manage security incidents through a structured and integrated approach. The ability to select specific implementations and input relevant data enhances decision-making and streamlines response actions, ultimately leading to more effective incident management in the Security Incident Response Workspace.

    The following table below describes the capabilities and applicable screens.

    Table 1.
    Capability UX Frameworks Screens Applicable Integrations Supported
    Run Threat Look Up Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Run Threat Look Up.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.
    • Virus Total
    • Hybrid Analysis
    • Security Incident Response Integration with Zscaler
    • Phistank
    • Metadefender
    • Threatcrowd
    • Have I Been Pawned?
    • Crowd Strike Falcon Intelligence
    Run Observable Enrichment Only Screen 1 – Select Implementations is applicable

    There are no common inputs or implementation specific inputs applicable for Run Observable Enrichment.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.
    • MISP
    • Microsoft Defender Endpoint
    • Shodan
    • RiskIQ
    • WHOIS
    • Reverse WHOIS
    Run Sighting Search/Run Web Sighting Search/Run Email Sighting Search Screen 1 – Select Implementations and Screen 2 – Common Inputs are applicable.

    Sighting search takes date and time frequency as common inputs across multiple implementations of Splunk and other integrations.

    This screen will be presented to the Security Analyst to capture date and time frequencies.

    For integrations that don’t require these inputs, for example FireEye HX, they will be ignored. After selecting one or more implementations and providing common inputs, the Security Analyst will be able to submit the action.
    • Splunk-incident Enrichment
    • Carbon Black
    • Elastic search
    • FireEye HX
    • McaFee ESM
    • MSFT Defender for endpoint
    • Splunk Sighting
    • Qradar sighting search
    • MISP
    Submit to Sandbox Screen 1 – Select Implementations and Screen 3 – Implementation specific inputs are applicable.

    Submit to Sandbox takes different inputs for different implementations. There are no common inputs for this capability currently.

    For example, when the Analyst selects Crowdstrike Falcon X Quick Scan, Crowdstrike Falcon X Windows 64, Crowdstrike Falcon X Linux, and Zscaler, the inputs vary. Crowdstrike Falcon X Quick scan and Zscaler don’t need further run time inputs. Crowdstrike Falcon X Windows 64 takes optional run time inputs that differs from Crowdstrike Falcon X Linux. So, these can be provided in screen 3 specifically against individual selected implementations as applicable.
    • CrowdStrike Falcon X Sandbox Integration
    • Security Incident Response Integration with Zscaler
    Publish to Watchlist Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Publish to Watchlist.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.

    		 Crowdstrike Falcon Host
    Allow/Block Request Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Allow/Block Request.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.
    • Palo Alto Network NGFW
    • Check Point NGFW
    • Security Incident Response Integration with Zscaler
    Get Host Details Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Get Host Details.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.
    • FireEye HX
    • Microsoft Defender for Endpoint
    Get File Screen 1 – Select Implementations and Screen 2 – Common Inputs are applicable.

    Get File takes file name, path as common inputs. After selecting one or more implementations and providing common inputs, the Security Analyst will be able to submit the action.

    		 FireEye HX
    Get Network Statistics Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Get Network Statistics. So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.
    • FireEye HX
    • NetStat
    Get Running Processes Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Get Running Processes.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.
    • FireEye HX
    • Carbon Black
    • System Command
    Get Running Services Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Get Running Services.

    So, only screen 1 is presented to the Analyst to select one or more implementations. After selecting the implementations, the Analyst will be able to submit the action.

    		 FireEye HX
    Isolate Host / Un-Isolate Host Screen 1 – Select Implementations and Screen 3 – Implementation specific inputs are applicable.

    Isolate Host/Un-isolate Host takes different inputs for different implementations.

    There are no common inputs for this capability currently. For example, when the Analyst selects FireEye HX and Microsoft Defender for Endpoint, the inputs vary.

    FireEye HX doesn’t need run time inputs. On the other hand Microsoft Defender takes inputs such as Isolation Type and Comments.

    So, these can be provided in screen 3 specifically against individual selected implementations as applicable.
    • FireEye HX
    • Microsoft Defender Endpoint
    • Carbon Black
    Run Additional Actions Screen 1 – Select Implementations and Screen 3 – Implementation specific inputs are applicable.

    Run Additional Actions Host takes different inputs for different implementations. There are no common inputs for this capability currently.

    For example, when the Analyst selects FireEye HX Standard Investigative Details Script, FireEye HX Triage Acquisition and Crowdstrike Falcon Insight reg unload, the inputs vary.

    FireEye HX Standard Investigative Details Script and FireEye HX Triage Acquisition take Comments as the input that could be different for both. Crowdstrike Falcon Insight reg unload takes Subkey as the input.

    So, these can be provided in screen 3 specifically against individual selected implementations as applicable.
    Note:
    Currently supports only single selection of implementation. In future releases multi selection of implementation will be supported.
    • FireEye HX
    • Microsoft Defender for Endpoint
    • Crowdstrike Falcon Insight