Release Notes 2.10
New Feature
Role-Based Access Control of CSOL Playbooks
The new feature allows you to restrict the usage of Playbooks to certain user groups, depending on the user group configuration. For example, SOC Managers/Incident Managers can give entry-level Threat Intel Analysts a restrictive set of permissions, such as editing or running only specific Playbooks, or prevent them from viewing Playbooks depending on the Playbook category. With the new RBAC, Admins can avoid the risk of providing complete Playbook access to all User Groups.
Users can now execute Incident response processes with dynamic Playbooks from CSOL in CFTR. With this feature, users can configure and implement custom scripts, devise workflows, run conditions and activities to their Incident Response Plan. Playbooks from CSOL are available under the Incidents and Actions module of CFTR.
RBAC access is restricted until it is enabled under Configurations > CSOL Integrations.
RBAC Validations, for example CSOL Playbook Tags, must be provided while creating a User Group under User Management. Users who have access to selected Playbook Tags would view only the Playbooks associated with those Tags under Playbook Run Logs, Suggested, and All Playbooks.
Key benefits of integrating CSOL Playbooks with CFTR:
While creating a User Group:
Define Role-Based Access Control, View/Edit
Set access to specific topics with Playbook Tags
With View Access: View Apps and Sub-Playbooks
With Edit Access: View Apps and Sub-Playbooks, Update/Edit/Run Playbook
Restrict Terminal Access
Admins can also restrict/set access to the Terminal module under User Group Management.
With View Access: View Terminal Module (Read-only)
With Edit Access: View/Update/Edit/Run an Action in the terminal
Unique Field Setup for the Asset Module
Admins can now enforce unique field validation during Bulk Imports to ensure data integrity across Assets such as Devices, Software, Users, and Applications. A Unique Field Setup checks the existing database for duplicate data and prevents the insertion of new data that is identical to the existing data in the database during Bulk Import.
Admins can configure the unique field under the Configurations module. They are provided with the Import XLSX template for uploading data. The XLSX file to be uploaded can contain many records across multiple columns, with at least one field defined as the primary key. The primary key is used as a reference to eliminate duplicate or repetitive data and maintain uniqueness across Assets.
Key benefits of Unique Field setup:
Avoids the creation of Assets with the same ID, hostname, status, IP address, label, etc.
Checks for existing asset records that were manually created
Lets the user choose to have a combination of fields for maximum data uniqueness
Defines custom fields during a bulk upload
Specifies an error message, along with the duplicate identification, that is emailed to the user
Eliminates fields that are inactive during duplicate validation
Bulk Export of Incident Details
Users can now choose to Export Incident details directly from an Incident Listing Page. CFTR supports Export in the XLS, XLSX, PDF, HTML and JSON formats. The Advanced Export tab includes Incident Export Templates and Additional Recipients. Users can choose the template for the Export, customize the fields to be added to the export template, and include external recipient details for sharing the report.
Users can configure Templates for Export under the Template Management > Export section.
A maximum of 1000 exports is allowed during a bulk export.
Users can add additional recipient email IDs while exporting Incidents. For example, Stakeholders, Auditors, etc.
Additional data supported in the export template includes:
TTD - Time Taken to Detect
TTR - Time Taken to Resolve
Customized Reports on Dashboards
The Custom Reports feature for Dashboards offers greater flexibility by allowing the users to create a custom breakdown of widgets to analyze more specific groupings of their data. Admins can filter report data, choose how to represent data graphically, change date granularity, and so on.
Our recent feature additions to Reports include:
Adding existing widgets or creating custom widgets
Previewing the Report as per design
Configuring file formats in PDF, XLSX or XLS
With the PDF file format, users can choose to customize the Date Range, Schedule Report, Page Size, Orientation, Logo, Header, and Footer.
With the XLSX and XLS file formats, users can choose to customize the Date Range and Schedule Report.
Manage User Group Assignment
With Manage User Group Assignment, Admins can create and limit the Workflow Assignments for User Groups that perform the same role or that have the time to take on overflow tasks at different intervals. For example, when you map groups A, B, and C to Y and Z, Actions can be re-assigned only to groups Y and Z.
When there is a need for User Group revision, Admins can define permissions that allow assigning an Action to other user groups.
With this feature in place, Admins can:
Restrict users from assigning an Action to inappropriate group(s)
Seamlessly monitor and claim ownership of Assignments as per the Workflow configured.
Form Management - One Time Entry Field
Admins can now restrict users from editing field data once it has been entered, to protect the authenticity of the data and provide field-level security. After it is saved for the first time, the entered field value is displayed as read-only.
For example, you can protect a sensitive field such as a user's social security number so that it cannot be edited after entry.
Keyboard Shortcuts for CFTR Application Access
Users can now use keyboard shortcuts to navigate through and perform tasks in CFTR. Searchable CFTR application functions in Actions and Incidents are easily accessible while users work and help boost productivity. Examples of shortcut keys include:
Create a New Incident - Option + Shift + I
Export the Incidents List - Option + E
Direct to Actions Page - Option + X
CFTR accepts standard Microsoft Windows and macOS navigation keys in addition to application-specific keys.
Enhancements
SLA Escalation Notification with Email CC
Admins can now add CC recipients to all SLA Escalation emails under Create Escalation for Incidents and Actions. The email IDs used in CC allow them to send escalation emails to the external recipients they choose.
SLA Escalations under Activity Logs
When an SLA is violated, an Escalation email is sent to the user specifying the breach. Users can now track the SLA Escalation emails for Incidents and Actions in the application under Activity Logs. A detailed list view that includes the timestamp, Incident/Action number, Type, and Level of the SLA Breach is available under Activity Logs.
Email Customization
The Email Customization feature offers the ability to revamp the HTML template that generates emails from your CFTR account. The notification templates cover events such as a new Incident being assigned, an enhancement being closed, a PIR being re-opened, and much more. Notifications are emailed to the respective assignee depending on the event and the notification settings. You can also customize your email notifications for specific templates by editing the content of the email, adding an attachment or a link, changing the text formats, etc.
Re-Invite/Password Reset User Account
Admins can now reactivate a User account, using a password reset, for anyone whose invitation link has expired or been lost. An activation email is sent to the respective user when the Admin selects the Re-Invite option from the User's profile under User Management.