By Abhishek Iyer, Senior Product Marketing Manager, Demisto
We are excited to announce new enhancements to our comprehensive security orchestration, automation and response (SOAR) platform, Demisto. This new release redefines the limits of SOAR customizability, enabling security analysts to visualize incident and indicator flows in a completely tailored manner, making it easier than ever to manage and automate incident response.
Demisto v5.0 is packed with new features suggested to us by our community of customers, partners and independent users. It includes a reimagined user interface that can be completely customized to fit different incident types and security personas. This UI also feeds into threat intelligence enhancements that enable users to visualize rich indicator intelligence from integrated sources and act on them in a scalable manner. We’ve also introduced changes that facilitate improved load management and scaling of resources, ensuring that organizations are secure irrespective of the pace at which they grow. Demisto v5.0 is available today for both enterprise customers and community users.
When Demisto first saw the light of day in 2015, we recognized that security teams wilt under dual pressures every day: an ever-increasing volume of security alerts and insufficient resources to address these alerts. Over the past four years, our customers have seen us as the only platform that has combined security orchestration, incident management and real-time collaboration to make their lives easier. Automating as much as possible hands time back to security teams to investigate, learn and improve, and sometimes just take a deep breath. Since joining forces with Palo Alto Networks, we have accelerated our go-to-market and made inroads into use cases outside of traditional security operations.
As we continue to scale mountains, however, we are eternally grateful for the oxygen tank that is our community of users and customers. They’re the reason we exist, and we’re thrilled to act on their feedback to continue improving Demisto on all fronts.
Sunglasses at the ready? Here is a brief peek at the blinding light of Demisto v5.0.
Reimagined User Interface
With data and context being so critical to security operations, it’s imperative to have a UI that structures said data and context in an intuitive, persona-friendly manner. Demisto v5.0 introduces a brand-new UI that streamlines global navigation while also enhancing the delivery of information within each incident.
Demisto incidents now have out of the box (OOTB) tabs that provide best practices for information categorization; users can also supplement these tabs by creating entire incident layouts and flows from scratch. Admins can employ access control for these incident views, enabling only those in relevant roles to see sensitive information within an incident.
We’re confident that our UI leads the SOAR space in empowering users to structure information for each use case exactly how they want it.
Demisto v5.0 comes with a completely redesigned incident summary page. This new page, called ‘Case Info,’ enables you to quickly digest critical information about the incident with little to no scrolling. All new and existing incident types will include this redesigned summary page. You can still use the legacy summary views if you’d like – the value of comfort and familiarity can’t be overstated.
Here’s a before-after view to whet your appetite.
Figure 1: Old Demisto incident summary
Figure 2: New Demisto ‘Case Info’
Custom Incident Tabs and Page Layouts
While the ‘Case Info’ tab is one of the default options available for Demisto incidents, you can add tabs for any other information you’d like highlighted for a specific incident type. For each new tab added, you can also build the page layout from scratch, leveraging both out of the box and user-created widgets.
In the GIF below, we create a new ‘Campaign Info’ tab for the ‘Access’ incident type, populating the page with sections such as ‘Linked Incidents,’ ‘Child Incidents’ and ‘Dropped or Duplicate Incidents.’
Figure 3: Creating a new tab and page layout for a Demisto incident
All incident tabs come with full role-based access control, allowing administrators to grant incident sub-view privileges to relevant roles depending on the sensitivity of the data.
Other UI highlights include:
- Streamlined global navigation: The main navigation panel is collapsed by default in Demisto v5.0, enabling you to maximize screen real estate and improve visibility without sacrificing the ability to navigate easily across your Demisto environment.
- Fully customizable ‘Investigation’ page: People in the SOC trenches know that a phishing incident needs different information – in a different layout – from a malware incident. Each incident in Demisto v5.0 comes with a fully customizable ‘Investigation’ page, enabling you to select the what, where and how of information visualization.
Enhanced Threat Intelligence
Viewing indicator information and acting on it are often split across disparate tool sets, resulting in persistent silos that hamper security performance. Threat intel enhancements in Demisto v5.0 let users access rich indicator intelligence from integrated sources and act on it in a scalable manner. You can create custom indicator layouts that display the relevant data for each indicator type and put that data to use through Demisto’s orchestration and automation.
Custom Indicator Layouts
You can customize indicator summary layouts in Demisto v5.0, either by choosing from out of the box sections or creating your own sections and indicator fields from scratch. Just like snowflakes (but in a bad way), no two indicators are exactly the same, so it makes sense to give you the power to visualize indicators the way you see fit.
In the GIF below, we add a ‘Reputation’ section (one of the OOTB Demisto sections available to you) to the URL indicator summary.
Figure 4: Adding OOTB sections to indicator layouts
If you prefer your suits tailored to fit, you can also create sections from scratch and populate them with relevant indicator fields of your choosing. In the GIF below, we add a new section to the common vulnerabilities and exposures (CVE) indicator summary and populate it with fields that will provide information about the malware family, detection engines and custom comments.
Figure 5: Creating and populating new section in indicator layout builder
Distributed Database Configurations
We know that using multiple enterprise security products often turns into an exercise in load management, with your computing resources wheezing for mercy as alert volumes rise. To keep your Demisto deployment running like Usain Bolt on Red Bull, you can now install the Demisto app server and its databases on separate machines. These multi-tier configurations let you scale your environment and manage resources efficiently.
Demisto v5.0 supports two multi-tier configurations:
- One app server and one database server on separate machines.
- One app server and multiple database servers on separate machines.
These configurations are illustrated below.
Figure 6: Distributed database configurations in Demisto v5.0
Additional Release Highlights
Other features in Demisto v5.0 include:
- SOAR on the fly: No worries, you can step away from that computer screen for a second. Demisto v5.0 introduces chat support in the mobile application, letting you update relevant stakeholders on the go. You can also manage notifications from the web app, choosing to receive updates on email, Slack, Mattermost or the mobile app.
- Clearing the fog of war: You can now select which entry types to filter out from the War Room. You can also copy the entryID of a War Room entry to the clipboard, allowing for seamless transitions to automated or ad hoc tasks using the War Room entry as input. If you have a Demisto support account, you can learn more about War Room filtering here.
- Putting the ‘play’ in playbooks: Our playbooks become more Lego-like by the day. You can now map outputs to fields while configuring a playbook task, automatically populating the field with its mapped key value. You can also edit OOTB playbooks now without duplicating them. Just detach them from content updates and edit to your heart’s content!
- File hash consolidation: Starting with Demisto v5.0, a file is represented by a single indicator keyed by its SHA256 hash. Other hashes of the same file (MD5, SHA1, ssdeep, etc.) are shown as properties of that one indicator rather than as separate indicators. You can learn more about hash consolidation here (support account needed).
- Loop the loop: When working with sub-playbooks, you can now pass an array of inputs to a task and have the sub-playbook run once per element. This is useful in cases such as working through a list of email addresses where each address needs its own subject text. More info can be found here if you have a Demisto support account.
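To make the file hash consolidation item above concrete, here is an added illustration of what a SHA256-keyed file indicator store has to handle: observations that carry only an MD5 or SHA1 must be parked until something links them to a SHA256, and a weak hash that two sources attribute to different SHA256 values must be flagged rather than silently overwritten. This is example code written for this page, not Demisto’s implementation or code from the original post; the `FileIndicatorStore` class, its method names and the source labels are hypothetical, and the digests are computed at runtime from a constructed byte string rather than taken from any real file.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Hex-digest lengths for the hash types we key on; ssdeep is kept as an opaque string.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


@dataclass
class FileIndicator:
    """One file, keyed by SHA256; weaker hashes are properties, not separate indicators."""
    sha256: str
    md5: Optional[str] = None
    sha1: Optional[str] = None
    ssdeep: Optional[str] = None
    sources: set = field(default_factory=set)


class HashConflict(ValueError):
    """A weak hash was reported for two different SHA256 values (bad data or a collision)."""


class FileIndicatorStore:
    """Hypothetical store: one record per SHA256, with MD5/SHA1 aliases pointing at it."""

    def __init__(self):
        self.indicators = {}  # sha256 -> FileIndicator
        self.alias = {}       # ("md5"|"sha1", digest) -> sha256
        self.pending = {}     # ("md5"|"sha1", digest) -> [(observation, source)] lacking a sha256

    @staticmethod
    def normalize(obs):
        """Lower-case hex digests and reject malformed ones; other fields pass through."""
        clean = {}
        for kind, value in obs.items():
            if kind in DIGEST_LEN:
                value = value.strip().lower()
                if not re.fullmatch(r"[0-9a-f]{%d}" % DIGEST_LEN[kind], value):
                    raise ValueError(f"malformed {kind}: {value!r}")
            clean[kind] = value
        return clean

    def add(self, obs, source):
        """File an observation; returns the sha256 it landed under, or None if parked."""
        obs = self.normalize(obs)
        sha256 = obs.get("sha256")
        weak = [(k, obs[k]) for k in ("md5", "sha1") if k in obs]
        if sha256 is None:
            # No SHA256 supplied: resolve through a weak hash we have already linked.
            for key in weak:
                if key in self.alias:
                    sha256 = self.alias[key]
                    break
        if sha256 is None:
            # Nothing links this to a SHA256 yet; park it under each weak hash it carries.
            for key in weak:
                self.pending.setdefault(key, []).append((obs, source))
            return None
        self._merge(sha256, obs, source)
        return sha256

    def _merge(self, sha256, obs, source):
        ind = self.indicators.get(sha256) or FileIndicator(sha256=sha256)
        # Validate first so a rejected observation is not partially applied.
        for kind in ("md5", "sha1", "ssdeep"):
            value = obs.get(kind)
            if value is None:
                continue
            current = getattr(ind, kind)
            if current is not None and current != value:
                raise HashConflict(f"{kind} {current} vs {value} for sha256 {sha256}")
            if kind != "ssdeep" and self.alias.get((kind, value), sha256) != sha256:
                raise HashConflict(f"{kind} {value} already maps to {self.alias[(kind, value)]}")
        self.indicators[sha256] = ind
        ind.sources.add(source)
        for kind in ("md5", "sha1", "ssdeep"):
            value = obs.get(kind)
            if value is None:
                continue
            setattr(ind, kind, value)
            if kind != "ssdeep":
                self.alias[(kind, value)] = sha256
                # Anything parked under this weak hash can now join the SHA256 record.
                for parked_obs, parked_src in self.pending.pop((kind, value), []):
                    self._merge(sha256, parked_obs, parked_src)
        return ind

    def lookup(self, kind, value):
        """Find the consolidated record by any supported hash type."""
        value = value.strip().lower()
        sha256 = value if kind == "sha256" else self.alias.get((kind, value))
        return self.indicators.get(sha256)


def digests_of(blob):
    """Constructed sample digests for a byte string (not a real malware sample)."""
    return {k: getattr(hashlib, k)(blob).hexdigest() for k in ("md5", "sha1", "sha256")}


def build_demo_store():
    """Sandbox reports MD5+SHA1 only (parked); a later EDR report links MD5 to SHA256."""
    h = digests_of(b"constructed sample file contents")
    store = FileIndicatorStore()
    store.add({"md5": h["md5"], "sha1": h["sha1"]}, "sandbox")       # parked, no sha256
    store.add({"md5": h["md5"].upper(), "sha256": h["sha256"]}, "edr")  # links and merges
    return store, h
```

Run `build_demo_store()` and look up the MD5: the result is one `FileIndicator` keyed by the SHA256 with the sandbox’s SHA1 attached and both sources recorded, and the pending table is empty. Feeding the same MD5 with a different SHA256 raises `HashConflict` and leaves the store untouched, which is the data-quality check you want before two sources’ hashes are silently merged.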
For more details about the features in Demisto v5.0, you can view the release notes on our support portal (if you have a Demisto support account).
If you’re an existing Demisto Community Edition user, we hope you’ve enjoyed your time so far and that these enhancements will help further improve your security operations. If you haven’t tried Demisto yet, we hope these new features are the nudge that sends you SOARing!
We’d love it if you gave us your honest feedback on the #demisto-discussions Slack channel in our DFIR community. You can also email firstname.lastname@example.org if you’re a stamps-and-letters kind of person.
We invite you to upgrade to Demisto v5.0 by downloading our new Community Edition.