Siemplify receives alerts (indications of security events of interest) from SIEM servers, whose sources include network devices, workstations, servers and other log sources. Siemplify orchestrates the alerts: it aggregates related alerts into cases and assigns each case to an analyst after automatically running the playbook associated with the alert type. The Alert Grouping mechanism groups alerts into cases by shared entities and by time proximity, so that the analyst can perform contextual analysis of several related alerts within one case.
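To make the grouping rule concrete, the following is an added illustration written for this page; it is not Siemplify's own code and does not claim to reproduce the product's actual Alert Grouping logic. It assumes a simple model: an alert joins an open case if it shares at least one entity with that case and arrives within a configurable time window of the case's most recent alert; an alert that bridges two open cases merges them. The alert set is constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Alert:
    alert_id: str
    alert_type: str
    timestamp: datetime
    entities: frozenset  # hosts, users, addresses the alert refers to


@dataclass
class Case:
    case_id: int
    alerts: list = field(default_factory=list)
    entities: set = field(default_factory=set)
    last_seen: datetime = None  # timestamp of the most recent alert in the case


def group_alerts(alerts, window=timedelta(minutes=30)):
    """Group alerts into cases by shared entities and time proximity.

    Alerts are processed in timestamp order. Every open case that shares
    an entity with the alert and whose most recent alert lies within
    `window` is a match; matching cases are merged into the oldest one
    and the alert is added to it. With no match, a new case is opened.
    The case's entity set grows with each alert, so cases can chain:
    A (host1) -> B (host1, user2) -> C (user2) all land in one case.
    (Merge-on-bridge is an assumption of this example.)
    """
    cases = []
    next_id = 1
    for alert in sorted(alerts, key=lambda a: a.timestamp):
        matches = [
            c for c in cases
            if alert.timestamp - c.last_seen <= window and c.entities & alert.entities
        ]
        if not matches:
            target = Case(case_id=next_id)
            next_id += 1
            cases.append(target)
        else:
            target = matches[0]
            for other in matches[1:]:  # an alert bridging several cases merges them
                target.alerts.extend(other.alerts)
                target.entities |= other.entities
                cases.remove(other)
        target.alerts.append(alert)
        target.entities |= alert.entities
        target.last_seen = alert.timestamp
    return cases


# Constructed sample alerts (not real data). T0 is an arbitrary start time.
T0 = datetime(2023, 5, 1, 9, 0)
SAMPLE_ALERTS = [
    Alert("A1", "malware", T0, frozenset({"ws-17", "10.0.0.5"})),
    Alert("A2", "c2-beacon", T0 + timedelta(minutes=5), frozenset({"10.0.0.5", "203.0.113.9"})),
    Alert("A3", "brute-force", T0 + timedelta(minutes=10), frozenset({"srv-db", "jdoe"})),
    # A4 shares ws-17 with A1/A2 and jdoe with A3, so it bridges both cases.
    Alert("A4", "lateral-movement", T0 + timedelta(minutes=20), frozenset({"ws-17", "jdoe"})),
    # A5 shares jdoe but arrives 100 minutes later, outside the 30-minute window.
    Alert("A5", "phishing", T0 + timedelta(hours=2), frozenset({"jdoe"})),
]


if __name__ == "__main__":
    for case in group_alerts(SAMPLE_ALERTS):
        ids = [a.alert_id for a in case.alerts]
        print(f"case {case.case_id}: alerts={ids} entities={sorted(case.entities)}")
```

Running the block yields two cases: A1 through A4 in one case (A4 merges the brute-force case into the malware case), and A5 alone, because the window has expired even though it shares an entity. The window length is the tuning knob: too short fragments one intrusion into many cases, too long folds unrelated activity on a busy host into one.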
A playbook is a predefined set of actions associated with a specific alert type. It gathers information about the alert from internal and external sources, requests information from the users associated with the alert and decides how to proceed. Siemplify runs these actions automatically for each alert in a case before the case is assigned to an analyst. The analyst can then perform additional actions, for example running a specialized file integrity check, before deciding whether to close or escalate the case.
The analyst therefore saves considerable time and effort: the review of the case begins only after Siemplify has already gathered, without manual intervention, much of the additional information needed to investigate it properly.
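The following is an added example of how a playbook with enrichment steps and a decision step can be executed; it is written for this page and is not Siemplify's playbook engine or its action format. It assumes a minimal model in which each step is a named action whose result selects the next step, and it replaces external lookups with constructed local data (a block list and a small case history).

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed threat data and case history (assumptions for the example);
# a real playbook action would query a reputation service and the case store.
BLOCKLIST = {"203.0.113.9", "198.51.100.77"}
EXISTING_CASES = {101: {"ws-17", "10.0.0.5"}, 102: {"srv-mail", "jdoe"}}


@dataclass
class Step:
    name: str
    run: Callable[[dict], object]
    # Maps this step's result to the name of the next step; None ends the playbook.
    decide: Callable[[object], Optional[str]]


def check_reputation(ctx):
    """External enrichment: is any entity of the alert on the block list?"""
    return bool(ctx["entities"] & BLOCKLIST)


def find_similar_cases(ctx):
    """Internal enrichment: ids of existing cases sharing an entity."""
    return [cid for cid, ents in EXISTING_CASES.items() if ents & ctx["entities"]]


def triage_decision(ctx):
    """Decision based on the results of the previous actions."""
    r = ctx["results"]
    return r["check_reputation"] or bool(r["find_similar_cases"])


def escalate(ctx):
    ctx["disposition"] = "escalate"
    return "assigned to analyst"


def close_case(ctx):
    ctx["disposition"] = "close"
    return "closed automatically"


PLAYBOOK = [
    Step("check_reputation", check_reputation, lambda r: "find_similar_cases"),
    Step("find_similar_cases", find_similar_cases, lambda r: "triage_decision"),
    Step("triage_decision", triage_decision, lambda r: "escalate" if r else "close"),
    Step("escalate", escalate, lambda r: None),
    Step("close", close_case, lambda r: None),
]


def run_playbook(steps, entities):
    """Run the playbook from its first step, following each decision.

    Returns the disposition and the audit trail of executed step names;
    every step's result stays in the context so later steps can use it.
    """
    ctx = {"entities": set(entities), "results": {}}
    by_name = {s.name: s for s in steps}
    current = steps[0].name
    trail = []
    while current is not None:
        step = by_name[current]
        result = step.run(ctx)
        ctx["results"][step.name] = result
        trail.append(step.name)
        current = step.decide(result)
    return ctx["disposition"], trail


if __name__ == "__main__":
    print(run_playbook(PLAYBOOK, {"203.0.113.9"}))  # known-bad address
    print(run_playbook(PLAYBOOK, {"192.0.2.4"}))    # nothing known about it
    print(run_playbook(PLAYBOOK, {"jdoe"}))         # user seen in an earlier case
```

Keeping every step's result in the context and recording the trail is what gives the analyst the pre-gathered evidence when the case lands on their queue, and it is also what makes an automated "close" defensible afterwards: the trail shows which checks were run and what they returned.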
The following screenshot shows a simplified example of part of a playbook, read from left to right. Each square represents an action performed by Siemplify, for example sending an SMS message, checking whether similar cases exist, sending notifications, querying external servers (to check for viruses, suspicious IP addresses and so on), enforcing password updates, taking a decision based on the result of a previous action, or closing a case.
Out of the box, Siemplify includes predefined playbooks for the most common scenarios, and you can define additional playbooks for your specific requirements.
When the analyst first sees the case, much of the information needed to properly investigate the case and determine how to resolve it has already been gathered from both external and internal sources, enabling the analyst to respond to the threat more quickly and more accurately.
The Siemplify platform also supports multiple environments, where an environment can correspond to a separate client or to a regional division of a corporation. This enables a managed security service provider (MSSP) to handle many clients from a single platform.