Unified experience capabilities and modal screens

  • Release version: Zurich
  • Updated July 31, 2025
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Unified Experience Capabilities and Modal Screens

    The Unified Experience capabilities streamline the interaction of Security Analysts with various integrations through specific screens for each capability. This framework is essential for efficiently managing and responding to security incidents by providing tailored inputs based on the selected implementation.

    Show full answer Show less

    Key Features

    • Run Threat Look Up: Utilizes Screen 1 for selecting implementations without additional inputs.
    • Run Observable Enrichment: Also uses Screen 1, allowing selection of implementations with no common inputs required.
    • Sighting Search: Involves Screen 1 for implementation selection and Screen 2 for common inputs like date and time frequencies.
    • Submit to Sandbox: Combines Screen 1 for selection with Screen 3 for implementation-specific inputs, varying by the chosen integration.
    • Publish to Watchlist & Allow/Block Request: Simple interface using Screen 1 for selecting implementations only.
    • Get File: Uses Screen 1 for selection and requires file name and path as common inputs on Screen 2.
    • Isolate Host / Un-Isolate Host: Combines Screen 1 for selection with varying inputs on Screen 3 based on the chosen implementation.
    • Run Additional Actions: Similar to Isolate Host, requiring specific inputs on Screen 3 without common inputs.

    Key Outcomes

    By utilizing these capabilities, Security Analysts can efficiently select and execute actions across multiple integrations, tailored to the specific requirements of each implementation. This leads to enhanced incident response, improved workflow, and a more organized operational process in handling security threats.

    The following table below describes the capabilities and applicable screens.

    Table 1. Capabilities and applicable screens table
    Capability UX frameworks screens applicable Integrations supported
    Run Threat Look Up Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Run Threat Look Up.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.
    • Virus Total
    • Hybrid Analysis
    • Security Incident Response Integration with Zscaler
    • Phistank
    • Metadefender
    • Threatcrowd
    • Have I Been Pawned?
    • Crowd Strike Falcon Intelligence
    Run Observable Enrichment Only Screen 1 – Select Implementations is applicable

    There are no common inputs or implementation specific inputs applicable for Run Observable Enrichment.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.
    • MISP
    • Microsoft Defender Endpoint
    • Shodan
    • RiskIQ
    • WHOIS
    • Reverse WHOIS
    Run Sighting Search/Run Web Sighting Search/Run Email Sighting Search Screen 1 – Select Implementations and Screen 2 – Common Inputs are applicable.

    Sighting search takes date and time frequency as common inputs across multiple implementations of Splunk and other integrations.

    This screen will be presented to the Security Analyst to capture date and time frequencies.

    For integrations that don’t require these inputs, for example FireEye HX, they will be ignored. After selecting one or more implementations and providing common inputs, the Security Analyst will be able to submit the action.
    • Splunk-incident Enrichment
    • Carbon Black
    • Elastic search
    • FireEye HX
    • McaFee ESM
    • MSFT Defender for endpoint
    • Splunk Sighting
    • Qradar sighting search
    • MISP
    Submit to Sandbox Screen 1 – Select Implementations and Screen 3 – Implementation specific inputs are applicable.

    Submit to Sandbox takes different inputs for different implementations. There are no common inputs for this capability currently.

    For example, when the Analyst selects Crowdstrike Falcon X Quick Scan, Crowdstrike Falcon X Windows 64, Crowdstrike Falcon X Linux, and Zscaler, the inputs vary. Crowdstrike Falcon X Quick scan and Zscaler don’t need further run time inputs. Crowdstrike Falcon X Windows 64 takes optional run time inputs that differs from Crowdstrike Falcon X Linux. So, these can be provided in screen 3 specifically against individual selected implementations as applicable.
    • CrowdStrike Falcon X Sandbox Integration
    • Security Incident Response Integration with Zscaler
    Publish to Watchlist Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Publish to Watchlist.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.

    		 Crowdstrike Falcon Host
    Allow/Block Request Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Allow/Block Request.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.
    • Palo Alto Network NGFW
    • Check Point NGFW
    • Security Incident Response Integration with Zscaler
    Get Host Details Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Get Host Details.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.
    • FireEye HX
    • Microsoft Defender for Endpoint
    Get File Screen 1 – Select Implementations and Screen 2 – Common Inputs are applicable.

    Get File takes file name, path as common inputs. After selecting one or more implementations and providing common inputs, the Security Analyst will be able to submit the action.

    		 FireEye HX
    Get Network Statistics Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Get Network Statistics. So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.
    • FireEye HX
    • NetStat
    Get Running Processes Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Get Running Processes.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.
    • FireEye HX
    • Carbon Black
    • System Command
    Get Running Services Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Get Running Services.

    So, only screen 1 is presented to the Analyst to select one or more implementations. After selecting the implementations, the Analyst will be able to submit the action.

    		 FireEye HX
    Isolate Host / Un-Isolate Host Screen 1 – Select Implementations and Screen 3 – Implementation specific inputs are applicable.

    Isolate Host/Un-isolate Host takes different inputs for different implementations.

    There are no common inputs for this capability currently. For example, when the Analyst selects FireEye HX and Microsoft Defender for Endpoint, the inputs vary.

    FireEye HX doesn’t need run time inputs. On the other hand Microsoft Defender takes inputs such as Isolation Type and Comments.

    So, these can be provided in screen 3 specifically against individual selected implementations as applicable.
    • FireEye HX
    • Microsoft Defender Endpoint
    • Carbon Black
    Run Additional Actions Screen 1 – Select Implementations and Screen 3 – Implementation specific inputs are applicable.

    Run Additional Actions Host takes different inputs for different implementations. There are no common inputs for this capability currently.

    For example, when the Analyst selects FireEye HX Standard Investigative Details Script, FireEye HX Triage Acquisition and Crowdstrike Falcon Insight reg unload, the inputs vary.

    FireEye HX Standard Investigative Details Script and FireEye HX Triage Acquisition take Comments as the input that could be different for both. Crowdstrike Falcon Insight reg unload takes Subkey as the input.

    So, these can be provided in screen 3 specifically against individual selected implementations as applicable.
    Note:
    Currently supports only single selection of implementation. In future releases multi selection of implementation will be supported.
    • FireEye HX
    • Microsoft Defender for Endpoint
    • Crowdstrike Falcon Insight