Cyber Flakes of Snow
As cyberattacks have increased in complexity and variety, security teams are scrambling to find a balance between standardization and customization. On one hand, there are replicable, high-volume attacks that flood organizational defenses like an army of digital stormtroopers. Automating responses to these attacks can greatly reduce analyst workload and the possibility of analyst error. On the other hand, the sheer diversity of attacks out there today prevents one-size-fits-all automation from being the sole answer.
In today’s world, each security incident is an inimitable snowflake, uniquely shaped by its creators and requiring a customized response that can both solve individual cases and scale for greater attack volumes.
Your Security Blacksmith
Demisto v3.0’s incident customization capabilities allow analysts to modify all aspects of their incident view. Everything from incident types and custom fields to the incident details layout and edit windows is modular and adaptable. There are three broad functionalities at play:
- Incident types: Analysts can edit existing incident types to prioritize fields and data more relevant to their organizations. They can also create new incident types to deal with unique attacks.
- Incident fields: Analysts can edit existing incident fields to cater to their specific needs. They can also create entirely new incident fields to associate with incidents of their choice.
- Incident layout windows: Analysts can tweak the name, nature, and order of information that appears on windows such as the incident details screen, the new/edit form layout, and the close form layout.
With attacks coming at unpredictable times and from unpredictable places, Demisto’s incident customization feature is analysts’ bespoke blacksmith, perfectly crafting that tailored chainmail armor that can help them withstand any siege.
Let’s look at Demisto’s customization options in detail.
Analysts can view the existing incident types on the ‘Incident Types’ tab in the Advanced Settings menu. As the screenshot below shows, this tab lists the currently available incident types along with their associated playbooks, SLA requirements, and pre-processing comments.
Analysts can edit any of these incident types by clicking the ‘Edit’ button to the right of each entry. Every field of an incident type is customizable: analysts can change the incident type name, associated playbooks, SLA settings, and SLA reminders, and can also set the playbooks to run automatically if they wish. The snapshot below illustrates this feature:
Analysts can also add a new incident type by clicking the ‘New Incident Type’ button on the top right of the screen. Incident types can be built entirely from scratch, including the incident type name, SLAs, playbook associations, pre-processing scripts, and reminders.
The snapshot below illustrates this feature:
Each incident type has multiple fields associated with it, fields that together convey all the relevant information about an incident that analysts need for further investigation. Demisto allows analysts to edit any of these available fields or create new fields to better mold Demisto’s platform to organizational practices.
Analysts can add a new field by clicking the ‘New Field’ button on the top right of the window. They can select a field type from any of the multiple available types, assign a unique field name, plug in allowed values, and select the incident types to associate this field with. The snapshot below illustrates this feature:
Analysts see an incident’s details in various layouts throughout its lifecycle. There’s the ‘Add/Edit’ incident screen when a new incident needs to be added, the ‘Incident Details’ screen which acts as mission control for any incident, and the ‘Close’ screen which marks the incident’s closure. Through Demisto’s Layout Builder, all these screens are now fully customizable.
Let’s take the example of a phishing incident. If analysts want to change the layout for the phishing incident to better suit their needs, they can select the phishing incident type from the layout builder as shown in the snapshot below…
…to bring up the layout builder for the phishing incident. The screenshot below shows the range of modularity possible with the layout builder. Analysts can select from the fields already associated with the phishing incident or add a new field if required. They can view the current layout on the right side of the screen, add new fields to any current section, add new sections, and change the ordering of sections.
For example, if analysts want to add a Quality Assurance section to the phishing incident, they can do so by clicking the ‘Add Section’ button in the Add Field toolbar as shown in the snapshot below:
Once the Quality Assurance section is created, analysts can populate this section with any relevant fields…
…and when they view the Incident Details screen for the phishing incident in the future, the Quality Assurance section with its populated fields will now be visible and available for further use.
To summarize, Demisto’s incident management customization capabilities give analysts more freedom to craft their own incidents and fields, edit existing incidents and fields, and build custom incident layouts to get an incident’s summary and information in the way they desire.
We hope this feature walkthrough was helpful to you. If you’re interested in knowing more, we invite you to view the video walkthrough on our YouTube channel. If you are a Demisto customer, you can also visit the release notes on the Demisto Support portal.
If you are new to Demisto and interested in exploring the platform further, we invite you to sign up for the Demisto Community Edition. All Demisto v3.0 features are available with full functionality in the Community Edition.