
Cyware Fusion and Threat Response

Release Notes 2.12

What’s New in CFTR 2.12

CFTR version 2.12 has been significantly upgraded with a number of new and powerful capabilities that include:

  • Incident Workflow: A simple yet powerful and intuitive workflow-based Form Management mechanism for Incidents. It lets CFTR admins create multiple Incident Workflows so that different types of incidents, and custom conditions, can each receive a different response.

  • Incident Visualizer: CFTR offers a powerful graphical representation of the components (added in the Connect the Dots tab) and the indicators (added in the Indicators tab), along with a range of related features. It gives security analysts an effective visualization of an incident together with its related components and indicators, providing more context on the incident.

  • Templates for Incident Workflows: Additional capability in Template Management to create templates for specific Incident Workflows. This lets you configure export and merge templates for specific Incident Workflows.

  • Risk Score: A new Risk Score column on the Devices and Users listing pages that displays the risk score of every device and user. This helps security analysts identify high-risk devices and users directly from the listing page.

  • Other additional enhancements include:

    • Searching for specific fields using the Open APIs

    • Separate logos for Dark and Light modes

    • Additional incident details in the Incidents listing page

    • Additional fields in Template Management

    • Updated default OTP expiration time for LDAP authentication

Incident Workflow

CFTR v2.12 introduces a powerful workflow-based Form Management system in the form of Incident Workflows. An Incident Workflow defines the lifecycle that security teams follow for threat response. It gives CFTR admins the flexibility to develop multiple incident response flows that match the organization's incident response requirements, and to define the phases of the incident response. With Incident Workflows, you can:

  • Define the fields of the incident forms

  • Create custom phases

  • Reuse existing phases

  • Define the phases of the incident response

  • Define the Linear and Non-Linear Incident Workflows

  • Reuse fields from the Field Library

  • Create new fields

  • Clone Incident Workflows

  • Activate/deactivate Incident Workflows

  • Define a default Incident Workflow

The following image shows an example of an Incident Workflow configuration:

[Image: example Incident Workflow configuration]

The following image shows an example of the list of the published Incident Workflows:

[Image: list of published Incident Workflows]

In Incident Workflows, you can use the Field Settings of a field to define its Conditional Logic. Using Conditional Logic, you can:

  • Define rules to show or hide a field.

  • Define rules to configure a field as read-only.

  • Define the conditions to apply a rule.

  • Choose to apply a rule when all or any of the conditions match.


Incident Workflows also enable CFTR admins to create multiple Workflow Mappings for the Incident Workflows. Using Workflow Mappings, you can automatically assign Incident Workflows to various types of incidents. You can configure the parent parameters of a Workflow Mapping using the single-select fields from the Preparation tab.


You can also configure a default Incident Workflow for all other incidents that do not fall under any of the Workflow Mappings.

Incident Visualizer

Important: The Network Diagram feature has been renamed Incident Visualizer. Incident Visualizer has been considerably enhanced to provide improved visualization capabilities and helps security analysts investigate security incidents with better insight. In addition to the existing capability to graphically represent the Connect the Dots components and indicators, the Incident Visualizer in CFTR 2.12 provides the following new capabilities:

  • Add components and indicators in the Incident Visualizer tab.

  • Group/Ungroup the components and indicators by type.

  • Change the visualization layout. Available layouts:

    • Organic

    • Hierarchy

  • Export the visualization layout. The available export formats are PNG, JPEG, and SVG.

  • View Connect the Dots details of each component and indicator.

  • Add connections to the components and indicators.

  • Expand associations to view the individual connection details.


Risk Score for Devices and Users

The Devices and Users listing pages display risk scores for all the devices and users available in CFTR. The risk score is calculated from the type, severity, and number of components connected to each device or user. The list of devices and users can be sorted by risk score, which lets security analysts focus on the high-risk devices and users and mitigate the risk faster.


Template Management for Incident Workflows

Incident Workflows in Template Management provide the flexibility to create templates for a specific Incident Workflow. You can create templates that apply to all Incident Workflows, or create a template for one specific Incident Workflow so that it applies to every incident using that workflow. Templates are now also created automatically whenever a new workflow is created.


New Fields in the Description of the Incidents Listing UI

In addition to the incident details displayed on the Incidents listing page in previous CFTR versions, the Incidents listing page in CFTR 2.12 shows the following new information under each incident's More button:

  • Location

  • Business Units

  • Resolution due date

New Data Fields in Template Management

Along with all the existing fields, CFTR admins can now use the following new fields in the Incidents and Actions templates:

  • Labels

  • Playbooks

  • Closed

  • Closed by

This gives analysts more extensive control over the incident and action templates. The new field values can also be exported to the supported file formats.

Intel Enrichment Shows Configured Threat Intel Apps Only

In previous versions of CFTR, the Intel Enrichment tab in the Threat Intel module displayed both configured and unconfigured threat intel applications. In CFTR 2.12, the Intel Enrichment tab is in sync with the Orchestrate application and displays only the configured threat intel applications, so the threat intel data you see is more accurate.

Default OTP Expiration Time Set to 30 mins

In previous versions of CFTR, the default OTP expiration time for LDAP authentication under Configurations > Authentication was 300 minutes. In CFTR 2.12, the default OTP expiration time has been reduced to 30 minutes.

Search for any Field using Open APIs

In previous versions of CFTR, the global search searched across all fields. In CFTR 2.12, CFTR admins can use the Open APIs to specify which fields are searched and so narrow down the results.

API Sample:

cftrapi/incident/?advanced_search=title,description:test

In the above API sample, “title” and “description” are the field names and “test” is the search query text.
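The helper below is an added example, not Cyware code. It builds and parses the advanced_search parameter in the format shown in the sample above (comma-separated field names, a colon, then the search text). The field-name allowlist, the percent-encoding of the search text, and splitting on the first colon are this example's own assumptions, not documented CFTR behaviour.

```python
import re
from urllib.parse import quote, unquote

# Assumption: field names are plain identifiers. Enforcing this keeps caller
# input from smuggling the ',' or ':' separators into the field list.
FIELD_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_advanced_search(fields, query):
    """Return the parameter value, e.g. 'title,description:test'."""
    if not fields:
        raise ValueError("at least one field is required")
    for name in fields:
        if not FIELD_NAME.match(name):
            raise ValueError(f"invalid field name: {name!r}")
    if not query:
        raise ValueError("search text must not be empty")
    # Percent-encode the free text so it cannot terminate the URL or the
    # parameter ('&', '#') and so ':' and ',' stay inside the text.
    return ",".join(fields) + ":" + quote(query, safe="")


def incident_search_path(fields, query):
    """Relative Open API path for an incident search, as in the sample."""
    return "cftrapi/incident/?advanced_search=" + build_advanced_search(fields, query)


def parse_advanced_search(raw_value):
    """Split a still-encoded parameter value into (fields, search_text).

    Assumption: the first ':' separates the field list from the text, so a
    colon inside the text must have been encoded as %3A by the client.
    """
    if ":" not in raw_value:
        raise ValueError("expected '<fields>:<text>'")
    field_part, text_part = raw_value.split(":", 1)
    fields = [f for f in field_part.split(",") if f]
    if not fields or not text_part:
        raise ValueError("missing fields or search text")
    return fields, unquote(text_part)


if __name__ == "__main__":
    # Constructed sample matching the release-notes example.
    print(incident_search_path(["title", "description"], "test"))
```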

View Playbook Tags in Run Playbooks

Previously, the Run Playbooks page under Incidents and Actions did not show the Playbook Tags of the playbooks. With Playbook Tags now shown, you can easily identify the right playbook for your incidents and actions. You can also view the Playbook Tags in the Playbook Run Logs after a playbook has run.

Search for Device Serial Numbers

Searching for devices using the Open APIs now returns the serial number of the device along with the existing device parameters, so you can search for a specific device by its serial number.