Cyware Fusion and Threat Response

To streamline and accelerate incident response, Automation Management enables administrators to associate Orchestrate playbooks and app actions with incident workflows. When an incident is created, CFTR promptly displays the associated automations, allowing users to easily access and trigger them.

For example, to block a malicious IP address, administrators can create an automation using the Block IOC playbook and associate it with an incident workflow. While responding to an incident, if the IP address associated with the incident is identified as malicious, users can trigger the automation to block the IP address directly from the incident summary.

For more information, see Configure Automation and Run Automation.

Users are now notified via email about Orchestrate Playbooks that require data for the input nodes for execution. Users can access the Playbooks from the email notification and pass input data directly from CFTR, eliminating the need to sign in to Orchestrate.

In addition to the existing triggers such as incident status and workflow changes, administrators can now trigger rules based on updates made to the fields of an incident.

For example, you can configure a rule to pause incidents when the severity field is updated from High to Low.

For more information, see Configure Automation Rules.

The incident merge templates are now enhanced to facilitate the seamless merging of parent incident data into child incidents. For example, administrators can configure an incident merge template that automatically includes closure comments from the parent incident into all associated child incidents when the parent incident is closed.

For more information, see Configure Templates for Incidents.

When a new IOC is associated with an incident and is not found in CTIX, CFTR automatically adds the IOC directly in CTIX. This eliminates any redundant effort in manually adding missing IOCs to CTIX.

CFTR performs a comprehensive scan of all text fields when an incident is created and extracts any mentioned IOCs. It automatically links the IOCs to the incident and enriches them using CTIX, providing users with valuable threat intelligence and expediting threat analysis.