Incident Responder

Incident Responder i56 Release Notes

Incident Responder i56 includes features that support new turnkey playbooks, email notifications for playbook outputs, and new playbook triggers.

What's New

New Turnkey Playbooks

Pre-configured playbooks are ready to run for phishing and malware threats.

We launched turnkey playbooks with the Threat Intelligence Reputation Lookup turnkey playbook. Now, you have turnkey playbooks that address phishing and malware threats.

The Phishing turnkey playbook is an extended version of the existing Threat Intelligence Reputation Lookup turnkey playbook. It similarly analyzes and triages suspicious emails, but also gathers data from Advanced Analytics and detonates files in a sandbox if the email is considered malicious.

The Malware turnkey playbook helps you analyze, triage, and detonate suspicious files that may be potential malware. Depending on the reputation of the file entities and their related hashes, it changes the incident's priority and comments on the incident.

Exabeam Documentation: Phishing Turnkey Playbook

Exabeam Documentation: Malware Turnkey Playbook

Get Notified about Playbook Outputs

Use the Notify by Email Exabeam action to get notified by email about your playbook outputs.

When used in a playbook, the new Notify by Email action sends you an email notifying you about a playbook's outputs. While you can manually run the action on its own, it was designed to be used only as a playbook action node.

When you configure the action, you must select an email template, which determines the email subject line and body. There are two out-of-the-box templates: Phishing email received and Phishing email (benign) received. The Phishing email received template notifies you that the playbook found a malicious phishing email. The Phishing email (benign) received template notifies you that the playbook found an unsolicited spam email. Modify these templates or create ones that better suit your playbooks.

Exabeam Documentation: Create an Email Template for the Notify by Email Action

New Playbook Triggers

Automatically run playbooks under more scenarios with three new playbook triggers.

Previously, you could automatically run playbooks using three triggers: incident created, status changed, and priority changed. We added three more triggers so you can automatically run playbooks under more scenarios: queue changed, assignee changed, and incident type changed.

Exabeam Documentation: Playbook Triggers

Exabeam Documentation: Create a Playbook Trigger

Known Issues

This release does not include known issues for Incident Responder.

Issues Fixed in Incident Responder i56.5 (General Availability)

SOAR-12697

Incident Responder incorrectly indicated that any playbooks using the Send Email action contained errors. Optional inputs were incorrectly evaluated as required, and the playbook couldn't be validated. This issue has been resolved.

Issues Fixed in Incident Responder i56.6

ACTN-3740

You couldn't configure Elasticsearch as a service and received a Failed to connect to Elasticsearch: Expecting value error. The Elasticsearch API uses both HTTP and HTTPS, but the Exabeam actions for the Elasticsearch service only supported HTTP, not HTTPS. Now, the actions support both HTTP and HTTPS. Instead of entering the host and port in separate fields, you enter the uniform resource identifier (URI) scheme, host, and port under a single field, Base URL.
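As an added illustration (not Exabeam's code), the checks that a single Base URL field implies: the scheme must be http or https, the host must be present, and a reply that is not JSON should be reported as such rather than surfacing the bare "Expecting value" message. The default port of 9200 and the verify_tls flag are assumptions of this example, not settings documented on this page.

```python
# Added example, not Exabeam's integration code: validate a Base URL of the form
# scheme://host[:port] and decode an Elasticsearch reply with a clear error when
# the body is not JSON (the usual cause of a bare "Expecting value" message).
import json
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORT = 9200  # assumption: Elasticsearch's conventional HTTP port


def parse_base_url(base_url: str) -> dict:
    """Split scheme://host[:port]; reject bare host:port and non-HTTP schemes."""
    parts = urlsplit(base_url.strip())
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme must be http or https, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("host is missing from Base URL")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("Base URL must contain only scheme, host and port")
    port = parts.port if parts.port is not None else DEFAULT_PORT
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": port,
        "verify_tls": parts.scheme == "https",  # assumption: verify certs over HTTPS
    }


def decode_elasticsearch_reply(status: int, content_type: str, body: bytes) -> dict:
    """Decode a JSON reply; explain non-JSON bodies instead of 'Expecting value'."""
    if not content_type.lower().startswith("application/json"):
        raise ConnectionError(
            f"Elasticsearch returned HTTP {status} with {content_type!r}, not JSON; "
            "check that the Base URL scheme matches the cluster (http vs https)"
        )
    try:
        return json.loads(body)
    except json.JSONDecodeError as exc:
        raise ConnectionError(f"Elasticsearch reply was not valid JSON: {exc.msg}") from exc
```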

ACTN-3754, SOAR-12659

Cisco Umbrella Investigate's Get URL Reputation action failed to run: you didn't see any outputs in the workbench, or you received a 403 Client Error. This issue occurred if your API key type doesn't allow batch requests for information about multiple domains at once. Now, when you configure Cisco Umbrella Investigate as a service, you must select whether your API key type allows batch requests. If you previously configured Cisco Umbrella Investigate as a service, reconfigure the service after you upgrade to i56.6 to select this setting. To determine whether your API key type allows batch requests, contact Cisco technical support services.

Issues Fixed in Incident Responder i56.7

ACTN-3781

The Notify by Email action incorrectly sent email notifications with the subject Exabeam Incident Response, instead of the custom subject you defined. This issue has been resolved.

ACTN-3769

You couldn't run the FireEyeHX Hunt File action. Either the action didn't appear in your environment, or you received an error when you ran it: FireEyeHX failed to create a search request: 422 – Unprocessable Entity. There was an error in the action logic. This issue has been resolved.

Issues Fixed in Incident Responder i56.8

This release does not include fixed issues for Incident Responder.

Issues Fixed in Incident Responder i56.9

This release does not include fixed issues for Incident Responder.

Issues Fixed in Incident Responder i56.10

This release does not include fixed issues for Incident Responder.

Issues Fixed in Incident Responder i56.11

ACTN-3831

Because of a limitation with the ThreatConnect API, the ThreatConnect service could only get an indicator's reputation from one owner; to get an indicator's reputation from multiple owners, you configured multiple instances of the ThreatConnect service. To resolve this issue, the ThreatConnect service now makes an additional API call that returns all owners at once. Now, you only need to configure one ThreatConnect service to get an indicator's reputation from all owners.