Release Notes 3.3
May 15, 2023
We are excited to introduce you to the latest version of Cyware Fusion and Threat Response (CFTR) v3.3.
Microsoft Teams Integration New
CFTR now seamlessly integrates with Microsoft Teams to share updates on incidents over a Microsoft Teams channel. Users can receive instant notifications about incident response updates, even if they do not have access to the CFTR application.
Note that, Orchestrate must be integrated with CFTR to enable Microsoft Teams notifications.
To learn more about the capabilities of the Microsoft Teams integration, see this blog.
For more information about how to integrate Microsoft Teams with CFTR, see Integrate Microsoft Teams.
Read-Only User Group New
CFTR v3.3 provides an out-of-the-box Read-Only user group that includes view-only access to specific features. Administrators can add read-only users over and above the assigned license quota to add users. Providing read-only access to users improves collaboration among the security teams and ensures that every team member has access to the same information.
Administrators can enable or disable the view permissions but cannot provide create or update permissions to the features. For example, read-only users can view incidents, knowledge-base articles, enhancements, and ATT&CK Navigator, but cannot modify them.
For more information, see Onboard Users.
Conditions in Rules New
Administrators can configure multiple conditions and actions for a rule. The specified actions execute only when all the configured conditions are met.
The following illustration shows an example of a rule that triggers when the incident status is updated from Open to Investigation. The rule enables Slack notifications and runs a Playbook to enrich the IOCs based on the condition that the severity of the incidents is Critical.
To learn more about the capabilities of conditions in rules, see this blog.
For more information, see Configure Automation Rules.
Conditional Logic in Fields Enhanced
Administrators can use the conditional logic of fields to control the values that are displayed while creating or updating modules. For example, to create incidents related to data theft as critical incidents, administrators can configure the conditional logic of the Severity field to display the Critical option only, when the business impact of an incident is Data Theft.
CFTR prevents unintended deletion of a field if the field is used as a controlling field.
Add Defanged Indicators to Incidents Enhanced
To prevent unintended opening of malicious Indicators of Compromise (IOCs) such as IP addresses, URLs, and domains, users can add defanged IOCs to incidents. For example, users can defang 1.1.1.1 and https://www.cyware.com IOCs and then add the following defanged IOCs:
1[.]1[.]1[.]1
hxxps[:]//www[.]cyware[.]com
Incidents Enhanced
Security analysts can now merge incidents without selecting a template. This helps security analysts to merge incidents without adding the child incident data to the parent incident.
In addition to the default columns in the table view of incidents, users can select up to three custom fields from the Field Library and add them as table columns.
In merged incidents, when the parent incident is closed, the child incidents are also closed automatically.
Widget Library Enhanced
To enable security analysts to monitor incident SLAs effectively, CFTR supports the following newly added out-of-the-box widgets as hero cards to use in custom dashboards and reports:
Assignment SLA About to Breach: Displays the number of incidents that are about to breach the assignment SLA.
Assignment SLA Breached: Displays the number of incidents that have breached the assignment SLA.
Resolution SLA About to Breach: Displays the number of incidents that are about to breach the resolution SLA.
Resolution SLA Breached: Displays the number of incidents that have breached the resolution SLA.
In addition to the custom widgets, all out-of-the-box widgets are also available in the widget library to use in custom dashboards and reports.
Field Library Enhanced
The field library in incident workflows is enhanced to provide administrators with the following capabilities:
Use the tick mark to identify the fields that are used in the current incident workflow.
View the associated incident workflows and phases of a field.
Delete fields from the field library.
Search fields using the field name.
To avoid duplication of fields in an incident workflow, the field library prevents the dragging and dropping of used fields into the incident workflow.
Filter MITRE Heatmap by Incident Created Time Enhanced
Users can filter the MITRE heatmap in ATT&CK Navigator based on the created time of incidents.
Other Enhancements
The process of defining the user groups that can close incidents based on the severity and type is now enhanced. Administrators can select a unique combination of the incident type and severity and then map them to the user groups.
To manage opened module tabs with ease, security analysts can right-click a tab to open a module in a new browser tab, close all other tabs, or close all tabs on the right. Security analysts can also right-click a module and open it in a new tab of the browser.
For better space utilization and visibility of fields in forms, administrators can maximize or minimize the width of the fields.
Administrators can edit the Tactic-Technique-SubTechnique field in incident workflows and configure it as an optional field. This helps security analysts to create incidents without adding the tactic, technique, or sub-technique.
OpenAPI Enhancements
Generate Open API Credentials without an Expiration Date
Administrators can generate Open API credentials without entering an expiration date. The secret key of such Open APIs never expires.
New API Endpoint: Connect the Dots
Security analysts can use the Connect the Dots Open API endpoint to connect modules with each other. Users can pass the module identifiers and a list of UUIDs of the modules in key-value pairs to connect them.
APIs Accept Both UUID and Value of Parameters
Previously, the CFTR Open API endpoints accepted the UUID of users, user groups, locations, business units, locations, sources, manufacturers, and labels to create or update the modules. The Open API endpoints are now enhanced to accept both the UUID and the parameter value.
For example, to update the impacted locations of incidents, you can pass the UUID (4882e471-e997-43ec-a317-e244d8286690, 4882e471-e997-43ec-a317-e244d8286123) or title (New York, Los Angeles) of the locations in the request body of the API.
{ "locations_impacted": [ "New York", "Los Angeles" ] }
Or
{ "locations_impacted": [ "4882e471-e997-43ec-a317-e244d8286690", "4882e471-e997-43ec-a317-e244d8286123" ] }
For more information, see CFTR API Reference.