Mission Control
The Mission Control features help you to make decisions and manage an incident throughout the incident response process. The features include:
Notes
During the incident response, you can add notes about important events in the incident response for reference. Any CFTR user who has access to an incident can view and add notes in the incident. For more information, see Add Notes.
Activity Logs
Activity logs enable you to keep track of all the updates of an incident. Use the activity logs to trace the incident updates during incident retrospection. For example, to get the details of updates to a specific field in an incident phase, go to activity logs and search for the field name to view the update time, the user who updated the field, and the old and new values of the field. You can search, filter, and export the activity logs. For more information, see Manage Activity Logs.
Terminal
Terminal is a fixed-format Command Line Interface (CLI) that enables you to interact with the integrated applications and Orchestrate Playbooks to perform tasks such as analyzing vulnerabilities and Indicators of Compromise (IOCs), searching for suspicious logs, and more. If an application is running on multiple instances, you can also select the application instance in which you want to perform the task.
Note
To run Orchestrate Playbooks using Terminal, Orchestrate must be integrated and enabled in your CFTR application. For more information, see Integrate Orchestrate in CFTR.
To perform a task using Terminal, do the following:
Open an incident, select Mission Control on the left, and click Terminal.
On the Select an App prompt, select an application. For example, CTIX.
Select an action to be performed. For example, Fetch IOC Details.
Select an application instance.
Select an input parameter and enter a value. For example, to retrieve the details of an IP IOC type, select the input parameter as IP Address and enter the IP address.
Note
You must provide the values for all required parameters to run a task.
Press Enter to run the task.
Terminal runs the task and displays the details on the terminal prompt.
Timeline
Timeline enables you to track the total time spent on the incident and on each phase of the incident response. The green milestones in the timeline indicate a phase change. Each milestone displays:
The date and time at which a phase is changed
The current phase of the incident
The username of the user who changed the phase
The duration between two milestones is the time elapsed between the two phase changes.
Connect the Dots
You can draw contextual intelligence on complex threat campaigns, identify potential attacker trajectories, and establish hidden threat patterns by uncovering correlations between isolated threats and incidents. Using Connect the Dots, you can connect various types of CFTR modules that are related to an incident. You can also visualize the connection between the connected modules and the incident in the Incident Visualizer. For example, you can connect related incidents, actions, malware, and more. To view the connected modules, go to Mission Control > Connect the Dots. For more information, see Connect the Dots.
Threat Intel
In addition to Connect the Dots, you can draw more contextual intelligence about an incident by connecting the Indicators of Compromise (IOCs) that are related to the incident. Using Threat Intel, you can connect various indicators and manage them. You can also visualize the connection between the connected indicators and the incident in the Incident Visualizer. For example, you can connect the related IP addresses, URLs, email IDs, and more. To view the connected indicators, go to Mission Control > Threat Intel. Threat Intel displays the indicators that are already connected to the incident under the respective indicator types.
To connect indicators to an incident, do the following:
On Threat Intel, click Connect More.
Select an indicator type. For example, URL.
Enter the indicator details. For example, https://www.sampledomain.com. You can enter multiple indicators in separate lines.
Note
To prevent unintended opening of malicious indicators, Cyware recommends that you defang the indicators before adding them. For example, hxxps[:]//www[.]sampledomain[.]com. To know more about how to defang indicators, see Fang-Defang.
Click Save.
The indicators appear in Threat Intel under the respective indicator type. When a new IOC is associated with an incident and is not found in CTIX, CFTR automatically adds the IOC directly in CTIX. This eliminates the need for duplicate efforts in manually adding missing IOCs to CTIX.
Note
CTIX must be integrated and enabled in CFTR to automatically add missing indicators to CTIX. For more information, see Integrate CTIX.
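The defang convention shown in the note above (hxxps[:]//www[.]sampledomain[.]com) applied to a whole pasted list, as an added Python example that is not part of Cyware's product or documentation: it refangs anything that is already defanged so the operation is idempotent, defangs each line, and groups the results by indicator type in the way the Connect More dialog asks you to choose one. The type labels (URL, IP, Email, Domain), the helper names and the sample indicators are constructed for illustration, not taken from CFTR.

```python
import ipaddress
import re

# Constructed sample input: indicators as an analyst might paste them, one per line.
# The last line is already defanged to show that defang() leaves it unchanged.
SAMPLE_INDICATORS = """\
https://www.sampledomain.com/login
http://198.51.100.23:8080/payload.bin
203.0.113.7
phish@sampledomain.com
hxxps[:]//already[.]defanged[.]example
"""


def refang(indicator: str) -> str:
    """Reverse the common defang conventions so an indicator can be classified."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)   # hxxp(s) -> http(s)
    s = s.replace("[:]", ":").replace("[.]", ".").replace("(.)", ".")
    s = s.replace("[@]", "@")
    return s


def defang(indicator: str) -> str:
    """Defang a single indicator so it is neither clickable nor auto-resolved.

    The indicator is refanged first, so calling defang() twice gives the same
    result as calling it once.
    """
    s = refang(indicator)
    # Scheme: http(s):// -> hxxp(s)[:]// (the page's own convention)
    s = re.sub(r"^http(s?)://", r"hxxp\1[:]//", s, flags=re.IGNORECASE)
    # Dots in hostnames, IPs and paths -> [.]; "@" in email addresses -> [@]
    s = s.replace(".", "[.]").replace("@", "[@]")
    return s


def classify(indicator: str) -> str:
    """Assign a (hypothetical) Threat Intel indicator type to one indicator."""
    s = refang(indicator)
    if re.match(r"^https?://", s, re.IGNORECASE):
        return "URL"
    try:
        ipaddress.ip_address(s)          # IPv4 or IPv6 literal
        return "IP"
    except ValueError:
        pass
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", s):
        return "Email"
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}", s, re.IGNORECASE):
        return "Domain"
    return "Unknown"


def defang_list(text: str) -> dict:
    """Defang every non-empty line of text and group the results by type."""
    grouped: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        grouped.setdefault(classify(line), []).append(defang(line))
    return grouped


if __name__ == "__main__":
    for ioc_type, iocs in defang_list(SAMPLE_INDICATORS).items():
        print(ioc_type)
        for ioc in iocs:
            print("  " + ioc)
```

Paste the lines printed under each type into the matching Threat Intel indicator type. Because defang() normalises its input first, mixed lists (some entries already defanged by another tool) come out in one consistent form.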
Connect CTIX Indicators with Incident
Enable integration with CTIX on your CFTR instance to view indicators. This enables you to access real-time CTIX-enriched threat data on CFTR for effective incident response.
Note
Ensure that the indicator types of CFTR and CTIX objects are mapped under Admin Panel > Configurations > Integrations > CTIX. Else, the connected indicators will not appear under the appropriate indicator type in Threat Intel.
To connect CTIX indicators with an incident in CFTR, do the following:
On Threat Intel, in the top-right corner, click Add via CTIX.
Select an indicator type.
Select the indicators.
Click Save.
The selected indicators are connected to the incident in the background. On the top app bar, click Background Processes to view the progress. After the indicators are connected, on the top-right corner of the incident, click Refresh to view the new connections under Threat Intel.
View Threat Data Details
Note
To view the CTIX threat data, you must be configured as a user on CTIX with the same email ID.
The indicators that are added from CTIX are marked with the View on CTIX icon. To view the threat data details of an indicator on CTIX, click View on CTIX. When a connected threat data object is deleted from CTIX, the CTIX icon on the object indicates that the object has been deleted from CTIX.
Update Connected Indicators
You can add more indicators of the connected indicator type or remove connections. To add or remove connections, do the following:
On Threat Intel, on an indicator type, click Update Indicator Type. For example, to add or remove IP addresses, on IP, click Update IP.
To add a new indicator, enter the indicator details in a new line.
To remove an indicator, select and delete the indicator details from a line.
Click Update.
Incident Visualizer
Incident Visualizer is a graphical representation of the modules and indicators that are connected to an incident using Connect the Dots and Threat Intel. The Incident Visualizer helps you draw contextual information by visualizing the connections between an incident and the connected modules and indicators, thereby enabling security analysts to make faster and better decisions during the incident response process.
To access Incident Visualizer, on an incident, go to Mission Control > Incident Visualizer. You can use the following features to manage the incident visualizer:
Search: Search for a module or indicator and add it to the Incident Visualizer.
Add Connections: Browse all modules and indicators and click Add.
Group/Ungroup: Group the modules or indicators in the respective types or ungroup them.
Layouts: Select a layout type for the connections. Available layout types are:
Organic: Displays the nodes in groups.
Hierarchy: Displays the individual nodes as per their hierarchy in a tree structure.
Export: Export the Incident Visualizer in PNG, JPEG, or SVG format.
Fit to Screen: Fit all the connections to the screen.
Zoom: Zoom in or zoom out in the layout.
Full Screen: View the Incident Visualizer in full-screen mode.
Layout Overview: Drag the rectangle in the screen locator section on the bottom-left to view a specific section in the incident visualizer.
Node Analysis: View the summary and breakdown of the connections. Click Show/Hide to show or hide the nodes and groups.
Title/ID view: Switch between title and ID views of the connected modules and indicators.
Add a Connection
You can connect modules and indicators from the Incident Visualizer. To add a module or indicator, do the following:
Go to Menu > Incidents and open an incident.
On the left, go to Mission Control > Incident Visualizer.
On the search bar, click Add Connection.
To add modules, select Components and do the following:
Select a module type. For example, Actions.
Select the entries to connect. For example, select Block IP.
To add indicators, select Indicators and do the following:
Select an indicator type. For example, IP.
In the text area, enter the list of indicators in separate lines. For example, enter 1.1.1.1.
Click Add.
The Incident Visualizer displays the added modules and indicators. Any module or indicator that is added in the Incident Visualizer is also added to the Connect the Dots or Threat Intel.
Merged Incidents
What are Merged Incidents?
Some incidents may have the same details and require a similar response as an existing incident. You can merge such incidents as the child incidents to the existing incident (parent incident). After merging, the child incidents do not require individual responses and will automatically close when the parent incident is closed.
Note
After incidents are merged, you cannot unmerge them.
Filter Merged Incidents by Resolution Status
Notice
This feature is available in Respond (CFTR) v3.3.4 onwards.
You can filter the incidents based on the resolution status. This facilitates the tracking of merged incidents that are automatically closed when the parent incident is closed. For example, if you want the list of incidents that were merged and closed, use the filter Resolution Status and select Merged and Closed. Additionally, the table view and export file of incidents include a new column that displays the resolution status.
Before you Start
Before you merge incidents, ensure that:
The incident response of child incidents is the same as that of the parent incident. If you need clarification on the required incident response, then Cyware recommends you link the child incident with the parent incident as a Related Incident using Connect the Dots. You can merge them later when you are sure that the incident response is the same.
You have Create/Update permission for Merge Incidents.
Steps
To merge incidents, follow these steps:
Go to Menu > Incidents and open the parent incident.
Go to Mission Control > Merged Incidents.
Click Merge More. By default, the current incident is selected as the Parent Incident and cannot be modified.
Under Child Incident, search and select the incidents to be merged from the following sections:
Suggested Incident: Displays similar incidents suggested by CFTR using the Machine Learning algorithm.
All Incidents: Displays all incidents that are available on CFTR.
Click Proceed.
Review the selected child incidents and do one of the following:
Note
You cannot merge disabled incidents. Disabled incidents are incidents for which you do not have write/update permissions, so you are not allowed to modify them.
Click Merge to merge the incidents without a template.
Note
If you merge incidents without a template, then data from the child incidents will not be added to the parent incident.
Click Merge with Template to select a template, and then click Merge to merge the incidents.
To confirm the merge, type Merge Incidents in the confirmation message and click Merge.
You can track the progress of the merge under Background Processes in the top app bar. After the merge is completed, you receive an email with the merge details. The status of the child incidents changes to Merged, and they appear under Merged Incidents of the parent incident.
After the parent incident is closed,
Duplicate Incidents
An incident that includes the same details as another incident is called a duplicate incident. You can merge the duplicate incidents since they do not need separate responses.