Provides an example of a job triggered by a delta in a feed to process incoming indicators.
In this example, when indicators are fetched from a threat intel feed, a job triggers a playbook to enrich the indicators to determine which indicators should be investigated.
Use the following integration and playbook to ingest and process the indicators.
Content item | Description |
---|---|
Unit 42 Intel Objects Feed integration | This integration fetches a list of threat intel objects, including Campaigns, Threat Actors, Malware, and Attack Patterns, provided by Palo Alto Networks' Unit 42 threat researchers. |
TIM - Process Indicators - Manual Review playbook | This playbook tags indicators ingested from feeds that require manual approval. To enable this playbook, configure its indicator query. The playbook uses the Indicator Auto Processing sub-playbook, which identifies indicators that should not be added to a block list, such as IP indicators that belong to business partners or hashes of important files. The TIM - Process Indicators - Manual Review playbook does not run on its own; it must be triggered by a job. The job concludes by creating a new incident that contains all the indicators the analyst must review. |
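The following is an added example, not code from XSOAR or from either content item above. It models in plain Python what the job does on a feed delta: compute the indicators that are new since the previous fetch, run the auto-processing exclusions (partner IP ranges and known-good hashes), tag what remains for review, and open an incident only when something actually needs review. The partner range, the hash list, the `pending review` tag name and the sample fetches are all constructed for the example; substitute your own exclusion lists and tag when configuring the real playbook.

```python
"""Illustrative model of a feed-delta job; example code, not XSOAR's own."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    ind_type: str  # "IP", "File" or "Domain"
    value: str


# Constructed exclusion data standing in for the sub-playbook's lists of
# partner ranges and important hashes. Both values are hypothetical.
PARTNER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 TEST-NET-3
KNOWN_GOOD_HASHES = {"d41d8cd98f00b204e9800998ecf8427e"}   # MD5 of the empty file
REVIEW_TAG = "pending review"  # assumed tag name; match it to your playbook's query


def feed_delta(previous, current):
    """Indicators in the latest fetch that were absent from the previous one."""
    seen = set(previous)
    return [ind for ind in current if ind not in seen]


def auto_process(indicators):
    """Split new indicators into (excluded_with_reason, needs_review).

    Follows the exclusion idea of the Indicator Auto Processing sub-playbook:
    partner IPs and known-good hashes must never reach a block list.
    """
    excluded, review = {}, []
    for ind in indicators:
        reason = None
        if ind.ind_type == "IP":
            try:
                addr = ipaddress.ip_address(ind.value)
            except ValueError:
                reason = "malformed IP"  # added defensive check: never block junk
            else:
                if any(addr in net for net in PARTNER_RANGES):
                    reason = "business partner range"
        elif ind.ind_type == "File" and ind.value.lower() in KNOWN_GOOD_HASHES:
            reason = "known-good hash"
        if reason:
            excluded[ind.value] = reason
        else:
            review.append(ind)
    return excluded, review


def run_job(previous, current):
    """Tag reviewable new indicators and describe the incident the job would open.

    Returns None when the fetch produced no indicators that need review
    (no delta, or every new indicator was excluded), so no incident is created.
    """
    new = feed_delta(previous, current)
    if not new:
        return None
    excluded, review = auto_process(new)
    if not review:
        return None
    return {
        "incident_name": f"Manual review of {len(review)} new indicators",
        "tagged": {ind.value: [REVIEW_TAG] for ind in review},
        "review": review,
        "excluded": excluded,
    }


# Constructed sample fetches (documentation address ranges and domains only).
SAMPLE_PREVIOUS = [Indicator("IP", "198.51.100.5"), Indicator("Domain", "example.net")]
SAMPLE_CURRENT = SAMPLE_PREVIOUS + [
    Indicator("IP", "203.0.113.7"),                         # in the partner range
    Indicator("File", "D41D8CD98F00B204E9800998ECF8427E"),  # known-good hash
    Indicator("IP", "192.0.2.44"),
    Indicator("Domain", "example.org"),
]

if __name__ == "__main__":
    print(run_job(SAMPLE_PREVIOUS, SAMPLE_CURRENT))
```

Two behaviours are worth keeping when you wire this up for real: the delta is computed against the previous fetch, not the whole feed, so a repeated unchanged fetch creates no incident; and exclusions are recorded with a reason, so an analyst can audit why a feed indicator was kept off the block list.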