Terminologies
Connect the Dots
Connect the Dots lets security analysts link the modules related to an incident, so they gain contextual intelligence about the threat and can respond to the incident effectively.
Threat Intel
Threat Intel lets security analysts maintain threat data on various object types, such as IP addresses, URLs, domains, email addresses, files, credit cards, and more. You can connect threat intel objects to incidents to gain contextual intelligence.
Incident Visualizer
Incident Visualizer displays a graphical representation of the modules and objects connected to an incident using Connect the Dots and Threat Intel features. It helps security analysts visualize the incident's relationship with the connected modules and threat objects.
Playbooks
Playbooks help security analysts orchestrate and automate incident response using Orchestrate. Orchestrate supports both manual and fully automated Playbooks to meet the process- and procedure-specific demands of your organization.
Run Logs
Playbooks offer Run Logs that help you analyze the execution details of a Playbook, in particular the run details of each node defined in the Playbook workflow. This is especially helpful for debugging and troubleshooting.
Playbook Mapping
The playbook mapping feature lets administrators map Orchestrate Playbooks to incidents and knowledge base articles, so that security analysts can quickly find the relevant Playbooks and run them during incident response.
Modules
Modules refer to the features that you can view under the menu, such as incidents, actions, threat briefings, and more.
Activity Log
The Activity Log lists entries for all user activities in a module. Each entry records the username of the user who performed the activity, the module name, the module ID, and the data that was added, updated, or deleted, including the previous and current values.
Admin Logs
Admin Logs list entries for all user activities across the application, so that administrators can track user activity and debug issues.
Merged Incidents
Merged (child) incidents are incidents that have been merged into a parent incident. They do not need a separate response and are closed automatically when the parent incident is closed.
Incident Workflow
Incident workflows define the life cycle that security teams follow for threat response. They give administrators the flexibility to define different response flows for different types of incidents.
Field Library
The field library includes various out-of-the-box field types, such as integer, text, single-select, multi-select, and more, that administrators can use to configure the phases of an incident workflow. Administrators can also add custom fields to the field library so that they can be reused across workflows.
Widget Library
The widget library includes various out-of-the-box widgets that users can place in custom dashboards and reports. Users can also add custom widgets to the widget library so that they can be reused.
Action Library
The action library includes action templates that administrators can link to the phases of incident workflows. When an incident is created, CFTR automatically creates actions from the linked action templates.
Bot User
A bot user defines the permissions of an open API. An open API has exactly the permissions of the user group to which its associated bot user belongs; nothing is granted to the API itself. For example, if a bot user has View permission for incidents, the associated open API can retrieve incident data but cannot modify incidents. Because the API inherits every permission of that group, assign each bot user to a group that grants only the permissions the integration actually needs.
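The following is an added illustration of the permission chain the Bot User entry describes (open API, bot user, user group, permissions), together with the least-privilege review a practitioner would run over a bot user's group. It is not CFTR code: the in-memory model, the permission names other than View, the HTTP-method-to-permission mapping, and the sample groups and bot user are all assumptions made for the example.

```python
"""Bot-user permission model (added example, not CFTR's implementation).

An open API has exactly the permissions of its bot user's user group, so a
view-only group yields a read-only API. Everything below is a hypothetical
in-memory model; the permission names (other than View), the method mapping,
and the sample data are assumptions for illustration.
"""

from dataclasses import dataclass

VIEW = "View"      # named on the page
MODIFY = "Modify"  # assumed name for write access

# Assumption: which permission an HTTP method needs on the target module.
REQUIRED_PERMISSION = {
    "GET": VIEW,
    "POST": MODIFY,
    "PUT": MODIFY,
    "PATCH": MODIFY,
    "DELETE": MODIFY,
}


@dataclass(frozen=True)
class UserGroup:
    name: str
    # module name -> frozenset of permissions granted on that module
    permissions: dict


@dataclass(frozen=True)
class BotUser:
    name: str
    group: UserGroup


def authorize(bot: BotUser, method: str, module: str) -> bool:
    """Return True if the open API bound to `bot` may perform `method` on `module`.

    The decision is taken purely from the bot user's group: the API itself
    holds no permissions. Unknown methods and modules are denied (fail closed),
    and Modify is deliberately not treated as implying View.
    """
    needed = REQUIRED_PERMISSION.get(method.upper())
    if needed is None:
        return False
    granted = bot.group.permissions.get(module, frozenset())
    return needed in granted


def excess_permissions(bot: BotUser, needed: dict) -> dict:
    """Permissions the bot's group grants beyond what the integration declares.

    `needed` maps module -> set of permissions the integration requires.
    A non-empty result is a least-privilege finding: the bot user sits in a
    group that is broader than the API it backs.
    """
    excess = {}
    for module, granted in bot.group.permissions.items():
        extra = set(granted) - set(needed.get(module, ()))
        if extra:
            excess[module] = extra
    return excess


# Constructed sample data (not from the page): analysts can view and modify
# incidents; a read-only integration group can only view them.
ANALYSTS = UserGroup("Analysts", {"incidents": frozenset({VIEW, MODIFY})})
READ_ONLY = UserGroup("ReadOnlyIntegrations", {"incidents": frozenset({VIEW})})

# The situation from the page's example: a bot user with View on incidents only.
SIEM_EXPORT_BOT = BotUser("siem-export-bot", READ_ONLY)


if __name__ == "__main__":
    for method in ("GET", "PATCH"):
        verdict = "allow" if authorize(SIEM_EXPORT_BOT, method, "incidents") else "deny"
        print(f"{method} incidents as {SIEM_EXPORT_BOT.name}: {verdict}")
    # A bot user that only needs to read incidents but was put in Analysts.
    over_privileged = BotUser("ticket-sync-bot", ANALYSTS)
    print("excess:", excess_permissions(over_privileged, {"incidents": {VIEW}}))
```

The `excess_permissions` check is the one worth keeping around: run it whenever a bot user is created or moved between groups, with the integration's declared needs as input, and treat any non-empty result as a finding to fix before the API key is issued.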
Risk Score
The risk score indicates the risk level of a device or user. It is calculated from the type, severity, and number of components connected to that device or user.