Siemplify ingests alerts from a variety of sources. Each alert is ingested together with its underlying base security events. Those security events are analyzed and their indicators (sources, destinations, artifacts, etc.) are extracted into objects called Entities. From the moment an entity is stored in Siemplify it accumulates data (comments, enrichment data, reports, etc.), so analysts can review this history when handling future cases in which the entity appears. The same entities are also placed on the canvas for a visual representation of the threat.
The Cases tab provides analysts with a way to investigate incoming security alerts and safeguard workstations. A list of cases ingested into the system from the various connectors appears in the left pane. This is also referred to as the Case queue.
The left pane displays a queue of cases with their basic details, such as case name, case timestamp, case ID number (unique to a case), number of alerts associated with the case, a thumbnail picture of the analyst handling the case, and so on. Cases are generated by alerts from the SIEM platform. Further alerts linked to the same entities may be grouped into an existing case based on a flexible configuration. Refer to Settings > Advanced > Alerts Grouping.
The middle pane, when the Overview tab is selected, displays the list of Alerts, Insights (important highlighted information from the Playbook or from executing a manual action) and the Playbooks connected to each alert.
Playbooks are a defined set of actions that gather information about the alerts from internal and external sources and make decisions on how to proceed with them or perform an operation on a remote system (e.g. blocking a firewall port, disabling an Active Directory user). Siemplify runs these actions automatically or semi-automatically, according to the playbook triggers, whenever an alert is ingested.
The right Context Details pane for the Overview tab displays information based on the item you select in the system. For example, if you select a Playbook trigger, the Context Details pane displays the trigger type and its parameters. You can also generate a report in either CSV or PDF format by clicking the Generate Report icon at the top right of the screen.
You can refresh the case queue items regularly, sort them as required, use filters to narrow your case queue items, add cases to the existing queue and close cases.