Drive Automated Threat Response Strategy with Cyware's New Rule Engine
Use Case • Jun 30, 2022
We use cookies to improve your experience. Do you accept?
Use Case • Jun 30, 2022
Incident response teams spend a significant amount of their time performing routine tasks that delays threat response. In CFTR v3.0 release, Cyware has introduced a new Rule Engine (beta release) capability that allows incident response teams to trigger automated workflows or tasks based on pre-defined conditions or rules. This enables them to respond more quickly to threats or orchestrate changes without manual intervention.
Ability to Define Automation Rules: The Rule Engine allows a user to define a rule which can trigger a set of actions based on some pre-defined conditions. For example, with Rule Engine, a user can run a set of playbooks when conditions of Phase Change or Status Change are met.
Phase Change: Whenever an incident progresses from one phase of the incident response lifecycle to another, such as Detection to Analysis to Containment or Containment to Eradication, there are certain policy complaint actions that the incident response teams need to perform. Rule Engine helps to automate such necessary actions by triggering playbooks.
Status change: The status of the incident may change from/to open, merged, untriaged or closed as it travels through the incident life cycle. The Rule Engine allows users to define rules that trigger playbooks everytime any change in status happens. For instance, an incident response team wants to close alerts. In such a case, when the status of an incident changes, the team can automatically run a playbook in CFTR to close the alerts coming from the SIEM tool.
Ability to Create Triggers: In this beta release of the Rule Engine, CFTR users can quickly and accurately create triggers as state changes and also configure rules for the same.
Ability to Take Actions: Many actions can be defined using the Rule Engine. Whenever the status or phase of an incident changes, an incident response team can automatically run a playbook in CFTR.
Ability to Configure Playbooks: CFTR users can create multiple rules for the triggers and configure a Playbook for each rule.
Automation of Manual Efforts: Now incident response teams need not manually take actions. When an incident Status or Phase Change occurs, Rule Engine helps them to automate a fixed set of actions they need to take. The CFTR Rule Engine quickly automates and streamlines these time-consuming tasks and reduces manual errors, thereby saving incident responders’ time and boosting their efficiency.
Reduced Complexity: Rules are easier to understand so they effectively bridge the gap between security and IT teams. Furthermore, the CFTR Rule Engine can handle increasing complexity as it automates playbook execution.
With the new CFTR Rule Engine, incident response teams can quickly perform repetitive and mundane tasks of taking actions when an incident occurs. This provides them with the capability to automate threat response and pushes them toward incident response lifecycle maturity.
Keen to find out more about Rule Engine, schedule a free demo today!