The Add Comment to Entity Log Playbook Action has proven to be a very useful tool, but it would be helpful to be able to update or remove entries in the Entity Log in case errant information is accidentally added to the log.
There are instances where it would be very useful to be able to copy/paste a playbook step from one portion of a playbook to another portion of the same playbook with small changes made to the playbook step afterwards rather than re-creating the entire playbook step. For example (see attached pic), being able to copy the circled step to the new branch would save time.
I know that cases can be merged from search, but it would be useful if we could use the "three dots" in the Case View to merge cases.
This is more of a quality-of-life improvement. I would like to request that the Advanced Text box be dynamically resizable via a drag handle like the one provided on the Alert / Case data panel to the right. I believe this improvement will make long notes / comments (height-wise) easier to read and edit.
For example I would like to be able to drag the text box up to give me more space to write my triage notes / comment. In most circumstances there is a large patch of empty space in-between the insights and the Playbook / Advanced Text input. I would like the option to pull the Advanced Text Editor to fill this space when writing long notes / comments.
It is sometimes difficult to read and select certain parts of large notes with the scrolling function, which is currently the only option available. The Case, Entities and Alert Data panel to the side has a dynamically movable divider that lets you move it to half of the available case wall, so it would be nice to also have that option with the Advanced Text bar.
As an analyst I want to see all the open multiple choice questions I have from all the playbooks assigned to the events in the case.
Currently the analyst has to go to every event and manually look through the assigned playbooks to check whether there is an open question blocking the playbook.
There are some actions that only need to be done once for a case. For example we use a webhook to alert on new cases, but currently we get an alert for every event because we can't assign a playbook to a case. With this feature we could get an alert only once per case.
We also try to implement processes such as opening a case for the IT department. For a case we only need to open one ticket for them, not one for every alert.
This would make the analysts' lives easier, because the system should automate as much of the clerical work as possible.
Our Incident Response team suggested that Siemplify should have more entity types out of the box and that they should match the industry-standard 'language', i.e. STIX - https://oasis-open.github.io/cti-documentation/stix/intro.html . At least Threat Actor, Campaign and Attack Pattern should be considered.
Value added: easier tracking of the organization's exposure (are we targeted?) and insight into the SOC's ability to handle specific threats.
Big quality-of-life improvement here: can I please request that when a dialog/modal/page opens, if it has a "main" text input (e.g. a search box), it auto-focuses, so I don't start typing expecting it to work!
Run manual action
This one is the biggest nuisance I've noted so far and is still an issue in 5.6 - You click the button to run a manual action, and the modal pops up with a list of your integrations and actions. The input search box flashes with a cursor for a brief moment, until the integrations list finishes loading and the focus is removed from that box. You type on the keyboard and... Nothing happens. Every. Time.
Comment "Advanced Editor"
(The "T" button at the bottom of the case comment bar.)
When I click the "T" icon to enter the advanced editor, the text input box should be focused automatically. Saves one extra click, but helps optimize your workflow that little bit more and is generally a better UX.