Unified experience framework for integrations powered by Capability Framework

  • Release version: Washingtondc
  • Updated August 1, 2024

    In the classic UI, the experience is disjointed when performing orchestration activities such as running a threat lookup, performing a sighting search, and so on: each capability has its own experience while it executes. In the new workspace, there is a unified experience across all capabilities.

    The unified experience applies only to those integrations and orchestration activities that fall within the capability framework. There can also be actions specific to an integration, for example, Create Indicators in Microsoft Defender. Such actions keep their own experience as required by the use case.

    The new framework consists of modal screens with three steps as explained below.

    1. Implementations: The first step involves selecting one or more implementations that are present against the selected capability.

      For example, when the Analyst clicks Run Threat Look Up, the Analyst will be able to select one or more implementations that are present for Run Threat Look Up capability.

      Each implementation shows the details of its Integration Source; refer to the table below. Additional Information is also presented against each implementation.

      Additional Information can include, for example, information on any filters or the types of observables supported. The Additional Information can be configured as desired. For more information, see the UX framework technical configuration procedure.

      Table 1. Unified Implementation Framework Modal

      Implementation          Description
      Name                    Name of the implementation.
      Integration Source      The source of the implementation, such as the configuration that is being used.
      Additional Information  Static information that gives the security analyst more context on the selected implementation(s) before proceeding with an action, for example, supportability or filter information. If an implementation supports only certain types of observables, such as Domain or URL, add that information in this column so the user sees it.

      Note:
      The UI framework allows the selection of any type of implementation together with any type of observable. During submission, the base system integrations that are shipped filter in the backend and submit only the supported observable types; records that do not match the supportability of an implementation are ignored. Hence, an informational UI message is displayed while you select the capability: Only supported records will be submitted against the selected implementation(s).
      Figure 1. Screen 1: Implementation(s)
      Run Threat Lookup view: Available Implementations.
    2. Common inputs: Add inputs that apply to all of the selected implementations. This is screen 2 of the modal. As of now, only Sightings Search has a common inputs screen, so that capability is a combination of screen 1 (Implementations) and screen 2 (Common inputs).
      Figure 2. Screen 1 + Screen 2
      Run Sighting Search view: Common inputs.
    3. Runtime details: Add runtime inputs that are specific to each selected implementation and differ from one implementation to another. This is screen 3 of the modal. A capability that needs per-implementation inputs is a combination of screen 1 (Implementations) and screen 3 (specific runtime inputs).
      Figure 3. Specific inputs
      Run Additional Actions view: Run time details.
    Note:
    Not all three steps are always required. Depending on the capability and the type of inputs it needs, the common inputs step and the runtime details step are shown only when applicable.