Set up a playbook to process indicators.
This example sets up a playbook that takes indicators from a threat intel feed, enriches them, and determines which indicators should be investigated. It uses the following:
Unit 42 Intel Objects Feed: Fetches a list of threat intel objects, including Campaigns, Threat Actors, Malware and Attack Patterns, provided by Palo Alto Networks' Unit 42 threat researchers.
The TIM - Process Indicators - Manual Review playbook: Tags indicators ingested by feeds that require manual approval. To enable the playbook, its indicator query must be configured. The playbook uses the TIM - Indicator Auto Processing sub-playbook, which in turn uses several sub-playbooks to process and tag indicators. This processing identifies indicators that should not be added to a block list, such as IP indicators that belong to business partners or file hashes that are important to the organization.
For the TIM - Process Indicators - Manual Review playbook to run, it must be triggered by a job. The job ends by creating a new alert that contains all of the indicators the analyst must review.
Configure the Unit 42 Intel Objects Feed.
Select → → and search for Unit 42 Intel Objects Feed. Click Add instance.
In the Collect section, select Fetches indicators.
Test the Feed to ensure that it is working correctly.
Save and Exit.
Create a list of indicators not to process.
Before customizing the playbook, we recommend creating a list of indicators that you want to exclude from the manual review process. In this example, we create a list of business partner IP addresses.
Select → → → . Enter a meaningful name for the list, for example BusinessPartnersIPaddresses.
In the Content Type field, select Text.
In the list, enter a comma-separated list of your business partners' IP addresses.
Save Version.
Customize the TIM - Process Indicators - Manual Review playbook.
Select → → and search for TIM - Process Indicators - Manual Review. Either detach or duplicate the playbook.
Note: If you detach the playbook, it does not receive content pack updates until it is reattached. If you want to keep receiving content pack updates while keeping your changes, duplicate the playbook instead.
Click the Playbook Triggered task at the top of the playbook.
Under Inputs, in the OpenIncidentToReviewIndicatorsManually field, change the value to Yes, so that an alert containing the indicators for review is created.
Select the From indicators radio button.
Under Query, enter a query that selects the specific indicators you want to process. For example, sourceBrands:"Unit42IntelObjectsFeed" restricts processing to indicators ingested by the feed configured in step 1.
Save the playbook.
Update the TIM - Indicator Auto Processing sub-playbook. Either detach or duplicate it, with the same trade-off as above.
To exclude the business partner IP addresses you defined in step 2, locate and edit the TIM - Process Indicators Against Business Partners IP List task.
On the Inputs tab, under BusinessPartnersIPListName, select the source and, under LISTS, add the list you created in step 2.
Make sure the playbook includes a task that closes the investigation once it completes.
Save the playbook.
Define the job to run that will trigger the playbook when the indicators are fetched.
Select → → . From the TRIGGERS section, select Specific feeds and add the feed configured in step 1.
Add a name for the job.
In the Playbook field, add the playbook you customized in step 3 (the detached or duplicated TIM - Process Indicators - Manual Review playbook).
Create the new job.
Test the Job.
In the Jobs page, find the new job, and in the LAST RUN column click the status to open the job.
Go to Work Plan.
You can see the stage the Work Plan has reached and whether any indicators need to be investigated.
Whenever indicators are ingested from Unit 42, the job runs the playbook and records a job run. Open the job to see its details (the indicators it processed, the job settings, and so on), the Work Plan, and the War Room.
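The exclusion logic from steps 2 and 4 modeled in plain Python, as an added example that is not part of the original page or of the XSOAR content pack. It shows what a Business Partners IP List check has to get right: the list is free text, so entries need trimming, blank entries must be skipped, CIDR ranges should match whole networks, and malformed entries should be reported rather than silently dropped (a silently dropped entry means a partner address ends up on the block list). The list format, the indicator field names, and the tag names (business_partner_ip, pending_review) are assumptions for illustration, not the content pack's own names.

```python
"""Added example: a stand-alone model of processing feed indicators against a
business-partner IP list. Not the XSOAR content pack's code; field names and tag
names are assumed for illustration."""
import ipaddress

# Constructed sample of the list content from step 2 (Content Type: Text).
# Note the stray whitespace, a CIDR entry, and a trailing empty entry.
BUSINESS_PARTNERS_LIST = "203.0.113.10, 203.0.113.11,198.51.100.0/24 ,  "

# Constructed sample of indicators as a feed might fetch them.
INDICATORS = [
    {"value": "203.0.113.10", "type": "IP", "sourceBrands": ["Unit42IntelObjectsFeed"]},
    {"value": "198.51.100.77", "type": "IP", "sourceBrands": ["Unit42IntelObjectsFeed"]},
    {"value": "192.0.2.5", "type": "IP", "sourceBrands": ["Unit42IntelObjectsFeed"]},
    {"value": "8.8.8.8", "type": "IP", "sourceBrands": ["SomeOtherFeed"]},
    {"value": "evil.example", "type": "Domain", "sourceBrands": ["Unit42IntelObjectsFeed"]},
]


def parse_ip_list(text):
    """Parse a comma-separated text list into ip_network objects.

    Single addresses become /32 (IPv4) or /128 (IPv6) networks. Malformed
    entries are returned separately so an operator can fix the list instead
    of unknowingly losing an exclusion.
    """
    networks, rejected = [], []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def is_business_partner(value, networks):
    """True if the indicator value is an IP address inside any listed network."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # not an IP address at all (e.g. a domain)
    return any(addr in net for net in networks)


def matches_query(indicator, source_brand):
    """Model of the playbook input query sourceBrands:"<feed name>"."""
    return source_brand in indicator.get("sourceBrands", [])


def process_indicators(indicators, list_text, source_brand="Unit42IntelObjectsFeed"):
    """Return ({indicator value: tag}, [rejected list entries]).

    Only indicators matched by the query are considered. IP indicators that
    fall inside the business-partner list get the exclusion tag; every other
    matched indicator is tagged for manual review.
    """
    networks, rejected = parse_ip_list(list_text)
    tags = {}
    for ind in indicators:
        if not matches_query(ind, source_brand):
            continue
        if ind["type"] == "IP" and is_business_partner(ind["value"], networks):
            tags[ind["value"]] = "business_partner_ip"  # assumed tag name
        else:
            tags[ind["value"]] = "pending_review"  # assumed tag name
    return tags, rejected


if __name__ == "__main__":
    result, bad_entries = process_indicators(INDICATORS, BUSINESS_PARTNERS_LIST)
    for value, tag in result.items():
        print(f"{value:16} -> {tag}")
    if bad_entries:
        print("Rejected list entries:", bad_entries)
```

Running the block tags 203.0.113.10 and 198.51.100.77 (inside 198.51.100.0/24) as business-partner IPs, marks 192.0.2.5 and evil.example for review, and ignores 8.8.8.8 because its sourceBrands does not match the query; the trailing empty entry in the list is skipped without error.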