Unified experience capabilities and modal screens

  • Release version: Yokohama
  • Updated January 30, 2025
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Unified Experience Capabilities and Modal Screens

    The Unified Experience capabilities and modal screens provide Security Analysts with streamlined interfaces to execute various security actions. Each capability is associated with specific screens that guide users through selecting implementations and providing necessary inputs for their tasks. This structure facilitates efficient incident response and threat management.

    Show full answer Show less

    Key Features

    • Run Threat Look Up: Utilizes Screen 1 for selecting implementations without additional inputs.
    • Run Observable Enrichment: Similar to Run Threat Look Up, only Screen 1 is applicable for implementation selection.
    • Sighting Search: Involves Screens 1 and 2, capturing date and time frequencies as common inputs for multiple integrations.
    • Submit to Sandbox: Requires Screens 1 and 3, with implementation-specific inputs varying based on the selected tool.
    • Publish to Watchlist: Only Screen 1 for implementation selection without extra inputs.
    • Allow/Block Request: Primarily uses Screen 1 for selecting implementations.
    • Get File: Involves Screens 1 and 2, requiring common inputs like file name and path.
    • Get Host Details and Get Network Statistics: Both use Screen 1 for selection with no additional inputs.
    • Additional Actions: Involves Screens 1 and 3, with varying inputs depending on selected implementations.

    Key Outcomes

    By leveraging these capabilities, Security Analysts can efficiently select from various security tools and actions without unnecessary complexity. The structured approach ensures that the right inputs are gathered for each action, leading to more effective incident resolution and threat management. Future updates will enhance this functionality, including the ability for multi-selection of implementations.

    The following table below describes the capabilities and applicable screens.

    Table 1. Capabilities and applicable screens table
    Capability UX frameworks screens applicable Integrations supported
    Run Threat Look Up Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Run Threat Look Up.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.
    • Virus Total
    • Hybrid Analysis
    • Security Incident Response Integration with Zscaler
    • Phistank
    • Metadefender
    • Threatcrowd
    • Have I Been Pawned?
    • Crowd Strike Falcon Intelligence
    Run Observable Enrichment Only Screen 1 – Select Implementations is applicable

    There are no common inputs or implementation specific inputs applicable for Run Observable Enrichment.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.
    • MISP
    • Microsoft Defender Endpoint
    • Shodan
    • RiskIQ
    • WHOIS
    • Reverse WHOIS
    Run Sighting Search/Run Web Sighting Search/Run Email Sighting Search Screen 1 – Select Implementations and Screen 2 – Common Inputs are applicable.

    Sighting search takes date and time frequency as common inputs across multiple implementations of Splunk and other integrations.

    This screen will be presented to the Security Analyst to capture date and time frequencies.

    For integrations that don’t require these inputs, for example FireEye HX, they will be ignored. After selecting one or more implementations and providing common inputs, the Security Analyst will be able to submit the action.
    • Splunk-incident Enrichment
    • Carbon Black
    • Elastic search
    • FireEye HX
    • McaFee ESM
    • MSFT Defender for endpoint
    • Splunk Sighting
    • Qradar sighting search
    • MISP
    Submit to Sandbox Screen 1 – Select Implementations and Screen 3 – Implementation specific inputs are applicable.

    Submit to Sandbox takes different inputs for different implementations. There are no common inputs for this capability currently.

    For example, when the Analyst selects Crowdstrike Falcon X Quick Scan, Crowdstrike Falcon X Windows 64, Crowdstrike Falcon X Linux, and Zscaler, the inputs vary. Crowdstrike Falcon X Quick scan and Zscaler don’t need further run time inputs. Crowdstrike Falcon X Windows 64 takes optional run time inputs that differs from Crowdstrike Falcon X Linux. So, these can be provided in screen 3 specifically against individual selected implementations as applicable.
    • CrowdStrike Falcon X Sandbox Integration
    • Security Incident Response Integration with Zscaler
    Publish to Watchlist Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Publish to Watchlist.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.

    		 Crowdstrike Falcon Host
    Allow/Block Request Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Allow/Block Request.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.
    • Palo Alto Network NGFW
    • Check Point NGFW
    • Security Incident Response Integration with Zscaler
    Get Host Details Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Get Host Details.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.
    • FireEye HX
    • Microsoft Defender for Endpoint
    Get File Screen 1 – Select Implementations and Screen 2 – Common Inputs are applicable.

    Get File takes file name, path as common inputs. After selecting one or more implementations and providing common inputs, the Security Analyst will be able to submit the action.

    		 FireEye HX
    Get Network Statistics Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Get Network Statistics. So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.
    • FireEye HX
    • NetStat
    Get Running Processes Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Get Running Processes.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.
    • FireEye HX
    • Carbon Black
    • System Command
    Get Running Services Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Get Running Services.

    So, only screen 1 is presented to the Analyst to select one or more implementations. After selecting the implementations, the Analyst will be able to submit the action.

    		 FireEye HX
    Isolate Host / Un-Isolate Host Screen 1 – Select Implementations and Screen 3 – Implementation specific inputs are applicable.

    Isolate Host/Un-isolate Host takes different inputs for different implementations.

    There are no common inputs for this capability currently. For example, when the Analyst selects FireEye HX and Microsoft Defender for Endpoint, the inputs vary.

    FireEye HX doesn’t need run time inputs. On the other hand Microsoft Defender takes inputs such as Isolation Type and Comments.

    So, these can be provided in screen 3 specifically against individual selected implementations as applicable.
    • FireEye HX
    • Microsoft Defender Endpoint
    • Carbon Black
    Run Additional Actions Screen 1 – Select Implementations and Screen 3 – Implementation specific inputs are applicable.

    Run Additional Actions Host takes different inputs for different implementations. There are no common inputs for this capability currently.

    For example, when the Analyst selects FireEye HX Standard Investigative Details Script, FireEye HX Triage Acquisition and Crowdstrike Falcon Insight reg unload, the inputs vary.

    FireEye HX Standard Investigative Details Script and FireEye HX Triage Acquisition take Comments as the input that could be different for both. Crowdstrike Falcon Insight reg unload takes Subkey as the input.

    So, these can be provided in screen 3 specifically against individual selected implementations as applicable.
    Note:
    Currently supports only single selection of implementation. In future releases multi selection of implementation will be supported.
    • FireEye HX
    • Microsoft Defender for Endpoint
    • Crowdstrike Falcon Insight