Best Of
Ability to Remove and/or Update Entity Log Comments
The Add Comment to Entity Log Playbook Action has proven to be a very useful tool, but it would be helpful to be able to update or remove entries in the Entity Log in case errant information is accidentally added to the log.
Copy/Paste Playbook Actions/Steps
There are instances where it would be very useful to be able to copy/paste a playbook step from one portion of a playbook to another portion of the same playbook with small changes made to the playbook step afterwards rather than re-creating the entire playbook step. For example (see attached pic), being able to copy the circled step to the new branch would save time.
Re: Allow playbooks for cases as well
Good idea, there's definitely a place for playbooks and playbook logic at the "case" level.
Our current workaround is to use the "Find first alert" action at the start of a playbook to check whether the alert is the first in the case, and along with some other logic only execute certain actions like send an email for that one alert per case.
Has worked well so far, you could use the same approach to only call your webhook once per case, instead of once for every alert.
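The once-per-case pattern from the reply above, as an added Python example that is not Siemplify's own code and not the poster's: it models alerts grouped into cases and fires a simulated webhook only for the alert that a "first alert in case" check selects, while per-alert enrichment still runs for every alert. The `Alert` dataclass, the sample alerts and the tie-break on alert id are assumptions; the real "Find first alert" playbook action is a Siemplify built-in whose exact behaviour the page does not describe.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Alert:
    """Minimal model of an alert grouped into a case (assumed shape, not the SOAR's)."""
    alert_id: str
    case_id: str
    created_at: datetime
    source: str


def _ts(h: int, m: int, s: int) -> datetime:
    return datetime(2024, 1, 1, h, m, s, tzinfo=timezone.utc)


# Constructed sample data: two cases with several alerts each, one single-alert
# case, and one case (C-3) whose two alerts were ingested in the same second.
SAMPLE_ALERTS: List[Alert] = [
    Alert("A-1", "C-1", _ts(10, 0, 0), "antivirus"),
    Alert("A-2", "C-1", _ts(10, 0, 5), "network"),
    Alert("A-3", "C-2", _ts(10, 1, 0), "antivirus"),
    Alert("A-4", "C-3", _ts(10, 2, 0), "edr"),
    Alert("A-5", "C-3", _ts(10, 2, 0), "network"),
]


def is_first_alert_in_case(alert: Alert, known_alerts: Iterable[Alert]) -> bool:
    """Return True if `alert` is the earliest alert grouped into its case.

    Ties on creation time are broken by alert_id so that exactly one alert wins
    when two alerts land in the same second (assumption: ids are unique strings).
    In a live system `known_alerts` would be whatever the platform has grouped
    into the case so far; an alert created later can never displace an earlier
    one, so the answer for the genuine first alert is stable over time.
    """
    same_case = [a for a in known_alerts if a.case_id == alert.case_id]
    if alert not in same_case:
        raise ValueError(f"{alert.alert_id} is not part of case {alert.case_id}")
    first = min(same_case, key=lambda a: (a.created_at, a.alert_id))
    return first.alert_id == alert.alert_id


def enrich(alert: Alert) -> Dict[str, str]:
    """Stand-in for alert-level enrichment that must run for every alert."""
    return {"alert_id": alert.alert_id, "source": alert.source, "enriched": "yes"}


def alert_playbook(alert: Alert, known_alerts: Iterable[Alert]) -> bool:
    """Simulated alert-level playbook.

    Enrichment runs unconditionally; the case-level action (here: a webhook
    call recorded by the caller) is gated on the first-alert check so it fires
    once per case rather than once per alert.
    """
    enrich(alert)
    return is_first_alert_in_case(alert, known_alerts)


def webhook_calls_by_case(alerts: List[Alert]) -> Dict[str, int]:
    """Run the playbook for every alert in ingestion order and count how many
    times the once-per-case webhook fired for each case. Every case should
    come out at exactly 1."""
    fired: Dict[str, int] = {a.case_id: 0 for a in alerts}
    for alert in alerts:
        if alert_playbook(alert, alerts):
            fired[alert.case_id] += 1
    return fired


if __name__ == "__main__":
    print(webhook_calls_by_case(SAMPLE_ALERTS))
```

The tie-break matters: without it, two alerts ingested in the same second could both believe they are first, or neither could, depending on how the platform orders them. Whatever the real "Find first alert" action returns, the case-level step should be gated on a single deterministic winner per case.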
Re: Allow playbooks for cases as well
We've faced the same question again and again, and although with the "find first alert" there's some solution for the issue, it's definitely far from optimal.
We found that in theory, you should not work individual alerts, but the main "story" takes place in the case, influenced by the alerts.
Take for example a malware infection:
There may be an alert from the antivirus, telling that some malicious file has been detected, but could not be removed / quarantined.
This creates a case, and the analyst now wonders "has this had any negative impact?"
Then, the second alert is grouped to the same case, because network monitoring has picked up a suspicious outgoing network connection.
This gives the whole case a spin in a certain direction, which would be completely different than if the suspicious network connection would have been the first alert in a case.
In our current view, there should be "case-focussed playbooks" creating the underlying base flow (i.e. putting a case from investigation to remediation stage), and each alert could have its own, alert-focussed playbook to do the enrichment and other alert-focussed activity.
Whenever an alert analysis comes to a certain conclusion, or the combined analysis of multiple alerts leads to something, an additional playbook is added to the case. In the above example, the analyst's conclusion is "there was a successful malware infection", identified by the two alerts, and would add the "restage a machine" playbook to the CASE.
However, this seems to need quite a rework of how Siemplify handles cases, alerts and playbooks, and is more than just "case-level playbooks should be possible".
Allow merging cases from the Case View
I know that cases can be merged from search, but it would be useful if we could use the "three dots" in the Case View to merge cases.
Dynamic Advanced Editor Re-Sizing Option.
This is more of a quality of life improvement. I would like to request that the Advanced Text box be dynamically sizeable via a pull handle like the one given on the Alert / Case data to the right. I believe this improvement will make long notes (height wise) / comments easier to read and edit.
For example I would like to be able to drag the text box up to give me more space to write my triage notes / comment. In most circumstances there is a large patch of empty space in-between the insights and the Playbook / Advanced Text input. I would like the option to pull the Advanced Text Editor to fill this space when writing long notes / comments.
It is sometimes difficult to read and select certain parts of large notes with the scrolling function, which is currently the only option available. The Case, Entities and Alert Data to the side have a dynamically movable divider to move them to half of the available case wall, so it would be nice to also have that option with the Advanced Text bar.

Case View: Show open multiple choice questions from playbook
As an analyst I want to see all the open multiple choice questions I have from all the playbooks assigned to the events in the case.
Currently the analyst has to go to every event and look in the assigned playbooks manually if there is an open question that is blocking the playbook.

Allow playbooks for cases as well
There are some actions that only need to be done once for a case. For example we use a webhook to alert on new cases, but currently we get an alert for every event because we can't assign a playbook to a case. With this feature we could get an alert only once per case.
We also try to implement processes such as opening a case for the IT department. For a case we only need to open one ticket for them, not one for every alert.
This would make the analysts life easier because the system should automate as much of clerical work as possible.

New entity types
Our Incident Response team suggested that Siemplify should have more entity types out of the box and that they should match the industry standard 'language', i.e. STIX - https://oasis-open.github.io/cti-documentation/stix/intro.html . At least Threat Actor, Campaign and Attack Pattern should be considered.
Value added - easier tracking of organization's exposure (are we targeted?) and insight into SOC's ability to handle specific threats.
QOL: Auto focus the text input box when I open a modal!
Big quality of life improvement here, can I please request that when a dialog/modal/page opens, if it has a "main" text input such as a search field, it needs to auto focus so I don't start typing, expecting it to work!
Two examples:
Run manual action
This one is the biggest nuisance I've noted so far and is still an issue in 5.6 - You click the button to run a manual action, and the modal pops up with a list of your integrations and actions. The input search box flashes with a cursor for a brief moment, until the integrations list finishes loading and the focus is removed from that box. You type on the keyboard and... Nothing happens. Every. Time.
Comment "Advanced Editor"
(The "T" button at the bottom of the case comment bar.)
When I click the "T" icon to enter the advanced editor, the text input box should be focused automatically. Saves one extra click, but helps optimize your workflow that little bit more and is generally a better UX.