The system collects alert information from multiple sources and conducts intelligent triage, investigation and response for these alerts, helping security operations personnel identify the alerts that genuinely require action, decide the handling priority, and respond automatically.
If the quality of the alerts fed into the system is low, or the received alerts need further processing to extract alerts of higher accuracy and certainty, the optional advanced alert analysis function can be used.
Case management helps security operations personnel conduct procedural, continuous, collaborative, full-cycle investigation, analysis, response and handling for a set of related alerts in accordance with established courses of action, and continuously improve those courses of action.
The war room provides security operations personnel with a set of coordinated response and handling tools that integrate applications, playbooks and courses of action. For important cases, ChatOps can be used for real-time staff assignment, intelligent human-machine dialogue, and response handling, promoting team communication and collaboration, keeping the team close to the actual situation, and generating operations reports for review, summary and improvement.
The system has a complete playbook management function, including playbook library management, a visual playbook editor and playbook operation monitoring.
Security operations personnel manage all playbooks centrally through the playbook library, which supports adding, deleting, modifying, inspecting, importing and exporting playbooks. The system has built-in basic playbooks, including basic investigation playbooks and response playbooks.
The system has a built-in visual playbook editor, allowing playbook designers to create playbooks conveniently. The elements that can be used to write a playbook include application actions, APIs, human tasks, approvals, custom variables, scripts, sub-playbooks and conditional branches. The administrator drags these elements onto the editor canvas to form a graphical playbook diagram and can configure each element in detail.
The system monitors all playbooks being executed, showing execution status, trigger type, start time, running time and other information for each playbook, and lets the user view the details of each execution.
The system provides job and job scheduling management functions. Security operations personnel can set the execution schedule for a job, the playbook, and the sequence of actions to be executed, as required. The system automatically schedules job execution and monitors job progress in real time.
7 Application Management
Application management provides unified management of internal and external applications together with their actions and instances. Applications support import and export, and multi-instance configuration. The system has built-in basic applications, including mainstream host devices, security devices, collaboration software, and cloud applications (such as threat intelligence), as well as commonly used Syslog, REST and other applications.
1) Multimode security orchestrator driven by workflow engines that conform to the BPMN 2.0 standard;
2) Visual security playbook editors;
3) Community-oriented collaboration and sharing of playbooks and applications.
Security Process Automation
1) Automated Alert Triage
2) Automated Security Incident Response
3) Automated Playbook Execution
4) Automated Application Execution
5) Automated Case Handling
6) Automated Service Invoking
1) Intelligent alert triage: includes intelligent and standardized alert pre-processing as well as policy-based alert merging.
2) Intelligent alert investigation: security analysts are supported with interactive, orchestrated investigation and analysis based on playbooks and application actions, enabling alert statistics, review and drill-down after in-depth investigation of the alert information.
3) Intelligent alert response: once an alert is confirmed as a security incident, it is automatically added to the relevant case, which can automatically trigger the response playbook or remind the analyst to respond manually.
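The following is an added illustration, not the product's own code, of the alert flow described in the triage, investigation and response items above together with the playbook element kinds listed for the visual editor: raw alerts from different sources are normalized onto one schema, merged under a policy, opened as cases, and run through a playbook built from actions, a conditional branch, a sub-playbook and human tasks. The alert sources, field names, policy and playbook contents are all constructed for this example.

```python
# Constructed sample alerts from two sources that name their fields differently
RAW_ALERTS = [
    {"src": "ids", "sig": "Brute force", "dst": "10.0.0.5", "sev": "High"},
    {"src": "edr", "rule": "Brute force", "host": "10.0.0.5", "severity": "high"},
    {"src": "ids", "sig": "Port scan", "dst": "10.0.0.9", "sev": "Low"},
]

def normalize(raw):
    """Standardized pre-processing: map each source's field names onto one schema."""
    return {"name": raw.get("sig") or raw.get("rule"),
            "asset": raw.get("dst") or raw.get("host"),
            "severity": (raw.get("sev") or raw.get("severity")).lower(),
            "sources": [raw["src"]]}

def merge(alerts, policy=("name", "asset")):
    """Policy-based merging: alerts that agree on the policy fields become one alert."""
    merged = {}
    for a in alerts:
        key = tuple(a[f] for f in policy)
        merged.setdefault(key, dict(a, sources=[]))["sources"] += a["sources"]
    return list(merged.values())

def run_playbook(steps, ctx, log):
    """Walk a playbook made of the element kinds the editor offers: ("action", fn),
    ("condition", pred, then_steps, else_steps), ("sub", steps), ("human", prompt)."""
    for step in steps:
        if step[0] == "action":
            log.append(step[1](ctx))
        elif step[0] == "condition":
            run_playbook(step[2] if step[1](ctx) else step[3], ctx, log)
        elif step[0] == "sub":            # sub-playbook: same walker, nested
            run_playbook(step[1], ctx, log)
        elif step[0] == "human":          # a real engine pauses for the analyst here
            log.append("human task: " + step[1])
    return log

# Constructed response playbook: a high-severity alert corroborated by more than
# one source enters the containment sub-playbook; anything else goes to an analyst.
RESPONSE_PB = [
    ("action", lambda c: f"enrich {c['asset']}"),
    ("condition", lambda c: c["severity"] == "high" and len(c["sources"]) > 1,
     [("sub", [("action", lambda c: f"isolate {c['asset']}"),
               ("human", "approve isolation")])],
     [("human", "review alert")]),
]
def triage(raw_alerts):
    """Alert to case: normalize, merge by policy, open one case per alert, run the playbook."""
    return [{"alert": a, "log": run_playbook(RESPONSE_PB, a, [])}
            for a in merge([normalize(r) for r in raw_alerts])]
```

Running `triage(RAW_ALERTS)` yields two cases: the brute-force alert seen by both sources is merged and routed into containment pending approval, while the single-source port scan is handed to an analyst for review.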
1) Case-based entire lifecycle incident response and handling
2) Collaborative and orchestrated investigation and analysis as well as artifact management
3) Record and replay of the whole course of case handling
4) Real-time war room for team collaboration
1) Open and Extensible Application Integration Framework
2) API-based Bidirectional Integration Support for Multiple Protocol Interfaces
3) Extensible Orchestrator and Customized Playbook
4) Open External Interface