Release Notes: Here's What's New in Your Ontic Platform (v17.1)

Release Date: January 20th, 2023






Enhancements





Investigations


User editing permissions for Investigations


What it is: Granular edit permission controls for investigations, incidents, and entities


Why it matters: It helps in maintaining compliance for auditing and legal needs. It will prevent information leakage about incidents or investigations to users who do not need to know this information.



Notifying users when Investigations are created


What it is: We have brought two enhancements here:

 

  1. Notifying users that an investigation is being created in Step 1 of the Investigation creation workflow.

  2. Improving user experience: Notifying users to confirm leaving the investigation window if they cancel the investigation creation workflow in any of the four steps.


Why it matters: This improves user experience and gives the user better control and visibility of the investigation creation workflow.


How it works: A user can see when the investigation is being created. If they accidentally leave the 4-step workflow, they are asked to confirm whether they want to stop creating the investigation.






Add in incidents from within an investigation


What it is: Ability to add in incidents from within an investigation.


Why it matters: Currently, users can only add existing incidents to an investigation from within an investigation. This new capability will bring parity with the ability to create new Entities and profiles from within an investigation.


How it works: Go to any investigation. Click on the ‘Association’ Tab. Click on ‘Add’ on the right side of the screen. You’ll be taken to this popup:



Click on “Incident”. You can then search for your incident or create one from scratch:




Have More Than One Primary Subject In An Investigation


What it is: Ability to have more than one primary subject in an investigation.


Why it matters: Currently, when associating an Entity with the investigation, only one can be marked as the primary subject. This new capability allows users to elevate one or more people to primary subjects while creating or detailing an investigation.


How it works: There are two methods for adding multiple primary subjects. The first is during the creation of the investigation, and the second is after an investigation is created.

When creating an investigation, in the 3rd step, “Primary Subject”, users can now create and/or associate multiple existing profiles or entities as primary subjects of the investigation.


Multiple subjects can be created from the “+ Create New” icon. If the subject you are entering already exists in Ontic, a possible match is displayed on the right and can be selected just by clicking on the card. If the user knows the subject already exists in Ontic, multiple subjects can also be added with “Associate Existing”.



After an investigation is created, navigate to the Investigation Overview tab and the Investigation Details section. Next to “Primary Subjects”, select the edit icon. This will open a window to select associated profiles and entities; selecting the plus icon will add them as primary subjects. Once the necessary associations have been added, select “Save Changes”.



Investigation Step 3 Primary Subject - Changes in Selections and Flow


What it is: A minor change was made to reduce the number of possible choices in Step 3 from three down to two. The previous three choices (I know some details, primary subject is an existing entity/profile, and I don’t know anything) have been reduced to two choices (Enter information on primary subject or No Primary Subject Associated).


Why it matters: Efficiency and ease in entering data, a lower chance of duplication, and straightforward direction on what is being asked.


 



Create An Entity Instead Of Profile for Investigations 


What it is: Ability to create an entity as a primary subject while creating an investigation.


Why it matters: Currently, when a user knows some details about the primary subject, only a profile gets created. The user has to convert the profile into an Entity later in the process. This capability will allow users to create Entities directly as a primary subject. 


How it works: When you click on the “+ Create New” icon, the choice to create an entity or a profile appears at the top, before you enter the individual's information.


Select multiple sub-categories in Investigation or Incidents


What it is: Ability to have multi-select sub-categories for both investigations and incidents. 


Why it matters: Currently, users can select only a single sub-category for an investigation or incident, but an investigation could have multiple reasons for taking place. We need this information for our data to be more accurate and trustworthy.


How it works: With the standard field of Sub Categories exposed a user can select more than one Sub Category to apply to the investigation.


Send alerts to the working team when an Investigation closes


What it is: Ability to send alerts to the working team when an Investigation closes.


Why it matters: Currently, when an investigation is closed only the Lead Investigator can be notified. It will enable users to notify the working team as well.


How it works:  There are two methods for sending alerts on the close of an Investigation.  


  1. Within the field workflow, the transitions between statuses have Actions. You could send the alert at any transition (i.e. New to Pending, or Review Pending to Closed). Within the Action of the transition, select “Send Alert To”. The choices for these fields are Users, User Groups, User Fields, or Asset Fields (which currently include Lead Investigator and Working Team).


  2. Go to Administration → Rules. For the “When”, select Investigation Status Changed = (whatever status you choose, i.e. “Closed”). For “Then”, select whether the alerts are going to User, User Group, or Lead Investigator.


Set permissions for Investigation and Incident Dashboards


What it is: Ability to set permission for Investigation and Incident dashboard.


Why it matters: Currently, users cannot set permissions for investigation and incident dashboards.


How it works: Add the Investigation Dashboard permission under Roles -> Actions, similar to Entity Dashboard permissions.







Change source of investigation after it has been created


What it is: Change the source of the investigation after it has been created. 


Why it matters: Previously, the source was frozen and not a selection-based field. This helps when a user creates an investigation without a source and wants to add a source later.


How it works: A tooltip now appears, as shown in the screenshot. Upon clicking it, as shown in the screenshot below, the user will see a list of sources/signals associated with the investigation, any of which can now be made the source of the investigation.





Incidents


Auto-fill Incident-Location based on the selected Principal’s Location


What it is: While creating an Incident and selecting an Associated Principal (AP), if the AP is of location type, then the Incident Location is pre-filled with the address of the AP. In the event that there are multiple Principals selected, the location of the first selected Principal will be displayed. 


Help-text is also added below Incident Location highlighting the above described change. Users can change Incident Location to any custom location, but if the User chooses Principal again, the system will overwrite Incident Location as per the above flow (Location Principal’s primary location). See below.




Why it matters: It improves the user experience by requiring fewer clicks and aiding productivity; it also helps minimize errors introduced by manually inputting locations.


How it works: Here is what the enhanced flow looks like:






Field Workflow


Put in the hierarchies to the status workflows and alerting


What it is: Ability to bring hierarchies into status workflows and alerting by copying a user field into an asset field. For example:


  • The “Lead investigator” value can be updated to a logged-in user or any other specific user.

  • In addition to asset field values, user field values can also be set on asset fields. For example: “Lead investigator” can be updated to User’s Manager.


Why it matters: Currently, while transitioning statuses, users can only modify Incident/Investigation fields with values associated to an incident/investigation. 


Use Case: 


  1. User ‘X’ wants to submit an incident for approval to his manager and only the user's Manager can see the submitted incident.  

  2. Incident status changes from Draft to pending for approval. 

  3. Manager can see incidents submitted only by his team members.  

  4. Once the user submits an incident to his manager, User X cannot edit the incident.


How it works:


  1. Users set up a field workflow for incidents. 

  2. On status transition from “draft” to “pending for approval”, click on “Actions” tab -> Asset update. 

  3. Select “Copy Update”. 

  4. Select “User” in “Copy From”, “Manager” in “Select user field”, and “Assignee” in “Select incident field”. This will copy the name of the user's manager into the “Assignee” field.


 


Set up an alert to send email to the assignee. When an incident is submitted it will send an email to the user’s manager whose name is set in the “assignee” field.




Ensure that the user's manager can see only those incidents which are submitted by his team members:


  • Go to Roles -> Content viewing (permissions) - Incident

  • Select “Created by my team members”


Once an incident is submitted, the incident creator can only view the incident:


  • Go to Roles -> Action (Permissions) -> Signals -> Incidents.

  • Click on the “Setting” button on Edit.





  • Set the status = Draft. This will allow the Incident creator to edit incidents ONLY when an incident is in “Draft” status.





Principals


Add location coordinates while importing Principals or OSINT signals


What it is: Users now have the ability to add longitude and latitude to the template while importing Principals and OSINT signals.


Why it matters: Earlier users had to manually update the location after importing Principals and this was a large pain and time sink.



Auto-update Principal fields from Task actions


What it is: After completing a task, a user can update fields of the Principal and/or copy task attachments to the Principal files section.


Why it matters: Users had to manually update fields after completing the task. Now, it is automated which saves a lot of time and effort for the user.



View all associated Incidents and Signals from Principal’s profile 


What it is: Users now have the ability to see all incidents and signals that are associated with the principal from the principal’s profile page.


Why it matters: This will allow users to more easily see incidents related to their principals which will allow them to easily assess part of the risk to their principals. It saves a lot of time and effort for users.


How it works: Go to 9 Dots menu → Manage → Principal → Monitoring





Real Time Events

RTE Dashboard


What: Real Time Events Standard Dashboard within Metrics


Why: Previously, clients did not have the ability to view aggregate metrics on signals for RTE. Moving forward, this will support custom widgets.


How: Go to Metrics → Real Time Events. Here is a snapshot of the data you’ll have access to:




Profiles


Display message while converting profile to Entity


What it is: A prompt that acts as a confirmation dialogue and precautionary step while converting a profile to entity.


Why it matters: Improves user experience and re-verifies converting a profile to entity. 


How it works: The following prompt will appear when converting a profile to entity.




Dark Web


Expose Hackishness score and add filter/sort functionality


What it is: We are bringing in the ‘Hackishness’ rating to our Dark Web offering. This is an algorithmically classified index which is intended to predict the likelihood that the content could be used for criminal activity. You can now sort and filter within your Dark Web feed based on this score.


Why it matters: The ‘hackishness’ score will help you manage the noise within your Dark Web Feed and give you another tool to help identify the most relevant content when it comes to protecting your business and Principals.


How it works: 


The Hackishness index can be seen within the Dark Web Signal in Feeds. It can also be applied as a ‘Sort’ to surface content with the highest indexed score to the top. 



Note: Hackishness score is useful for eliminating low-level hits of PII, but cannot interpret conversations and understand if there is criminal intent involved. 


Implement New Dark Web API Enhancements


What it is: We are revamping our Dark Web feeds with some additional data points. This includes: 

  • Leak - Identifies content that was a part of a known data breach

  • Language - Detected language of the original post

  • Groups - the Topic Builder will allow filtering based on: authenticated, chans, blogs, darknets, forums, markets, pastes, ransomware


Why it matters: These added data points within the Topic Builder will allow for more accurate and efficient query building. Additionally, these data points can be applied as a filter so that you can better customize your Dark Web data feeds.


How it works: 

Within Topic Builder: Leaks, Language, and Groups are now available to apply as filters to refine the results of the query.


Leaks - refers to a known data leak that has been given a name. To limit the query to only return results within the data breaches, you can select the ones of interest.

Language - you can limit the query to only pull content from certain languages. Within Feeds, you can continue to apply Google Translate on the posts. However, within Topic Builder, this is a way to filter based on the language of the original post.


Groups - Within Topic Builder, you can select content based on its Group (Chans, Blogs, Forums, etc.). This can help narrow your queries to more specific subsets of data to eliminate noise and return more accurate results.



TLO Enhancements


TLO - Search Enhancements - Expand Search Results


What it is:  Search enhancement to expand the TLO results returned on a subject to find those results that best match the search parameters.  


Why it matters: This enhancement ensures that if the data parameters entered are slightly off, the user will not get back empty results, and the best matching results will be surfaced. This saves the user time: they do not have to re-enter search parameters or work out by trial and error which search parameters are best for starting a search.


How it Works: The search logic has already been automatically entered into the search. A checkbox, “Expand search if subject not found”, is exposed, and all new searches will have this checkbox automatically selected. Uncheck this box if the search should only return results that match exactly what is entered.



TLO Search Results Enhancement


What it is: 

  1. All DOB Responses In Person Search Exposed

  2. Person Comprehensive Report Vehicle Information Indicates if Vehicle Registration is “Current”

  3. Person Comprehensive Report Now Contains full Business & Corporation data

 

Why it matters: Exposing as much information as possible helps users make the most informed decisions. Some results can have multiple dates of birth, and the primary date of birth exposed by TLO may not be the correct one; exposing the additional dates listed for the individual will assist in piecing things together. While knowing all vehicles in a person's history is beneficial, being able to select only the current ones will help in knowing specifically what to look for.


How it Works:

  1. All DOB Responses In Person Search Exposed. All reported dates of birth are exposed, with the primary DOB being listed first. Users can only select and apply one date of birth.


  2. Person Comprehensive Report Vehicle Information Indicates if Vehicle Registration is “Current”. All vehicle history information is exposed with the same registration information; however, the individual's current vehicles will have the “Current” tag on them.


Go to TLO Comprehensive report -> Vehicle section.


  3. Person Comprehensive Report Now Contains full Business & Corporation data

Data exposed in Comprehensive Report:

  • Corporation / Business Name(s)

  • Corporation / Business Type

  • File / Start Date

  • File Number

  • Status

  • Status Date

  • Registered Agent (Name & Address)

  • Officer(s) Information (Name(s) & Address(es))

  • State

  • Filing Office

  • Phone numbers, Emails, websites, FEIN#, D&B# (provided on business details)


View via Comprehensive Result


View via Export





Envoy Integration Enhancements

Validation for Envoy field mapping


What it is: Validation in App Directory which tells the user that the flow will be in an inactive state until the mapping is completed.


Why it matters: Users could previously whitelist any Envoy flow whether or not the mapping had been completed. However, without completing the mapping, the integration cannot work. 


This enhancement helps identify to a user the status of the mapping, which was previously not visible.


How it works:


  1. User completes the mapping for Envoy in App Directory:


  2. Based on the level of mapping, the user can see the mapping status (Not Mapped, Partial Mapped, Mapped).




Ability to add whitelisting conditions


What it is:  Ability to define whitelisting conditions to avoid false-positive matches of individuals who are known to be cleared.


Why it matters: Currently, users can only define the conditions and signals are pulled when these conditions are present. 


If there is a known Entity with a common name logged within the Entity database, this can cause false-positive matches with other visitors. Previously, there was no way to flag whitelisted information so that it would be automatically cleared and avoid disrupting the Envoy check-in workflow.


Whitelisting conditions will enable users to define the conditions which will ignore false-positive matches when met.


How it works:


  1. Click on Settings icon → ‘Whitelist Exceptions’



  2. Enter the Whitelist conditions based on Name, Email, or Phone Number



Ability to add invite workflow in Envoy integration


What it is: 


Ontic’s integration with Envoy now supports Invitees in addition to Visitors. Ontic can detect potential matches against the database of entities, and surface Signals and alerts to be actioned by security.


Why it matters:  


Invitees are often invited weeks or months in advance. This allows Security teams to get advance notice on matches through Signals. They can take action on potential risks, or clear false-positives that occur from common names before the person arrives on-site. 


How it works:


Envoy Invitee workflow can be configured within the App Directory. Please reach out to Client Success for more information on this workflow.