Case View: Show open multiple choice questions from playbook


Marcel, Siemplify Gold Member

As an analyst, I want to see all the open multiple-choice questions I have from all the playbooks assigned to the events in the case.

Currently the analyst has to go to every event and look through the assigned playbooks manually to see whether there is an open question that is blocking the playbook.

8 votes

Scheduled in Roadmap

Comments

  • Marek Kreul, Siemplify Gold Member

    I'd add "manual action" instead of "multiple-choice question", as all manual actions in all alert playbooks may currently wait for the analyst to respond.

    The corresponding question is: which of these should be worked on first?

  • Marcel, Siemplify Gold Member

    @Marek Kreul thanks, I meant all manual actions as well; I wasn't aware that they are called differently.

    "The corresponding question is: which of these should be worked on first?"

    I would just like to see all of them, and they could be ordered by the order of the playbooks invoking them. Currently the UI doesn't help the analyst much in solving a case, as the case doesn't show the information an analyst needs to base her decision on, or at least show her a workflow-like view of what she needs to do. As a use case writer I want to show the analyst all the necessary information she needs to proceed with the case. For different use cases the whole case view may look different.

    For example, let us take a phishing reporting use case: I would want to show the analyst the e-mail the end user received; the URLs, subject, from and to would be entities. The analyst should basically see "user reported phishing", that she needs to decide whether it really is phishing, and if yes, the playbook should run the appropriate actions (report to vendor, temporarily block at the mail gateway, check if the URL was already clicked on, ...). At first this could all be manual steps or just links to a wiki, so that all the analysts can do the same steps for a similar case.

    Now let's say there is an IDS/IPS alert: the analyst should be shown which alert was reported, what the rule was, etc. The UI would show other things that are relevant for that use case.

  • Marek Kreul, Siemplify Gold Member

    I fully agree. My current understanding is that all of this should be solved by creating the specific insights that the analyst needs in order to make the decision, and guide her by the playbook to answer all relevant questions.

  • Marcel, Siemplify Gold Member

    Yes, however, the insights are very limited in what can be shown (for example, a link opening in a new window wasn't possible when we tried it). Also, insights aren't shown prominently in the UI.

    Also, the analyst still has to manually discover all manual actions in all events. I expect less manual discovery work for an analyst when using an orchestration, automation and response platform.
