DFLabs is excited to announce the latest release of its award-winning and industry-leading Security Orchestration, Automation and Response (SOAR) platform, IncMan SOAR Version 4.4. We are constantly listening to customer and industry feedback, and IncMan v4.4 includes many new features which come directly from our users.
Security teams across the industry are plagued with false positive alerts, and DFLabs is continually seeking innovative ways to improve the efficiency of the incident handling process. Traditionally, each alert generates an incident, which must be investigated by an analyst to determine the veracity of the alert. This process can lead to an overwhelming number of incidents, many of them created because of false positive alerts.
Automated START Triage Capability – one of the most exciting features of IncMan v4.4
One of the most exciting features of IncMan v4.4 is the new automated Triage capability called START (Simple Triage And Rapid Treatment) Triage. IncMan’s START Triage allows alerts to be sent to IncMan via the API to be triaged before being converted to an incident. The Triage event queue, separate from the Incident queue, can be worked by Tier 1 analysts to determine which events warrant further investigation as an incident, and which events can be discarded as false positives. The Triage event function is able to harness the full automation and orchestration power of IncMan’s R3 Rapid Response Runbooks to enrich event information, allowing the analyst to quickly make a determination regarding the reliability of the alert and take quick, decisive action.
The flexibility and customizability of the new automated START Triage allow it to adapt to almost any use case. Some use cases include network alerts, endpoint alerts, transaction fraud alerts and threat intelligence alerts. START Triage is already being used by a major European bank to eliminate manual first line assessments of suspected fraudulent online transactions in one of the first applications of SOAR technology to financial fraud investigations.
DFLabs IncMan SOAR v4.4 introduces a variety of new bidirectional integrations
IncMan v4.4 includes many new bidirectional integrations from a variety of product categories, including SIEM, network defense, endpoint protection and threat intelligence, chosen to broaden the orchestration and automation capabilities of our customers. These new bidirectional integrations include:
- ArcSight ESM
- ArcSight Logger
- Carbon Black Protection
- Check Point Firewall
- FireEye HX
- IBM X-Force Exchange
Flexible R3 Rapid Response Runbooks for any situation
IncMan v4.4 includes several enhancements designed to make our R3 Rapid Response Runbooks even more flexible. R3 Runbooks can now call other R3 Runbooks. For example, a phishing R3 Runbook which detects a malicious attachment can now automatically call the appropriate malware R3 Runbook, eliminating the need to recreate the same process within multiple runbooks. R3 Runbooks can now also update any attribute of an incident, such as priority, type, assigned analysts or any custom attribute, ensuring that incident information is automatically kept up to date as the runbook progresses.
IncMan v4.4 features improvements to our automatic observable harvesting capabilities. Unstructured data added to free-text areas of IncMan is automatically searched for observables such as email addresses, IP addresses or domains. Any observables detected within this unstructured data are automatically added to the appropriate observables section within IncMan, allowing users to perform any of the many enrichment, containment or custom actions on this data.
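As an added example (this is not IncMan's own code, and the post does not describe IncMan's harvesting rules, so the patterns below are my own assumptions), the Python below shows the kind of extraction such a feature performs on free-text analyst notes: it pulls email addresses, IPv4 addresses and domains out of a constructed note, validates candidate IPs so that typos and version strings are not harvested as observables, and deduplicates the result.

```python
import ipaddress
import re

# Constructed analyst note (sample data, not a real incident): it mixes real
# observables with look-alikes that a naive extractor would wrongly harvest.
SAMPLE_NOTE = """Phishing reported by J.Doe@example.com. Sender was billing@mail-invoice.test,
attachment beaconed to 203.0.113.45 and 203.0.113.300 (typo), then to cdn.update-check.test:443.
IncMan v4.4.1 was used; see https://portal.example.org/case/17 for notes."""

# Email: local part, '@', dotted labels, alphabetic TLD.
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-zA-Z]{2,}\b")
# IPv4 candidate: four dotted numbers not embedded in a longer dotted or word run
# (so "v4.4.1" and "1.2.3.4.5" are not treated as addresses).
IPV4_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?!\.?\w)")
# Domain: dotted labels ending in an alphabetic TLD; the lookbehind/lookahead
# stop it from matching fragments of an email address or of a longer name.
DOMAIN_RE = re.compile(r"(?<![\w@.-])((?:[\w-]+\.)+[a-zA-Z]{2,})(?![\w@-])")


def _unique(items):
    """Deduplicate while preserving first-seen order."""
    return list(dict.fromkeys(items))


def harvest_observables(text):
    """Extract email, IP and domain observables from free text.

    Returns {"email": [...], "ip": [...], "domain": [...]}; each list is
    deduplicated and lower-cased. An email's domain stays part of the email
    observable and is not harvested again as a bare domain.
    """
    emails = _unique(m.group(0).lower() for m in EMAIL_RE.finditer(text))

    ips = []
    for m in IPV4_RE.finditer(text):
        try:
            # ipaddress rejects out-of-range octets such as 203.0.113.300.
            ips.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue  # a typo or a version number, not an observable

    domains = _unique(m.group(1).lower() for m in DOMAIN_RE.finditer(text))
    return {"email": emails, "ip": _unique(ips), "domain": domains}


if __name__ == "__main__":
    for kind, values in harvest_observables(SAMPLE_NOTE).items():
        print(f"{kind}: {values}")
```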
These are just some of the highlights of our latest IncMan release; IncMan SOAR Version 4.4 includes many other enhancements designed to streamline your orchestration, automation and response process.
See IncMan SOAR v4.4 in action
If you would like to see a demo of our latest release, you can see it first-hand at our booth #IC2329 at the upcoming Black Hat USA conference on August 8-9, schedule a time for a chat with one of our cybersecurity experts here, or alternatively request a live demo online.
Stay tuned to our website for additional updates, feature highlights and demos of our latest release.