Create jobs to process indicators example - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-11-28
Category
Administrator Guide
Abstract

Provides an example of a job triggered by a delta in a feed to process incoming indicators.

In this example, when indicators are fetched from a threat intel feed, a job triggers a playbook to enrich the indicators to determine which indicators should be investigated.

Use the following integration and playbook to ingest and process the indicators

Content item

Description

Unit 42 Intel Objects Feed integration

This integration fetches a list of threat intel objects, including Campaigns, Threat Actors, Malware, and Attack Patterns, provided by Palo Alto Network's Unit 42 threat researchers.

TIM - Process Indicators - Manual Review playbook

This playbook tags indicators ingested by feeds that require manual approval. To enable this playbook, the indicator query needs to be configured. The playbook uses the Indicator Auto Processing sub-playbook, which identifies indicators that should not be added to a blocked list, such as IP indicators that belong to business partners or important hashes.

For the TIM - Process Indicators - Manual Review playbook to run, it needs to be triggered by a job. The job concludes by creating a new incident that includes all the indicators that the analyst must review.

If you have a TIM license, this feed is preconfigured.

  1. Go to SettingsConfigurationsData CollectionAutomation & Feed Integrations and search for Unit 42 Intel Objects Feed.

  2. Click Add instance.

  3. In the Collect section, select Fetches indicators.

  4. Test the Feed to ensure that it is working correctly.

  5. Save and Exit.

Before customizing the playbook, we recommend creating a list of indicators that you want to exclude from the manual review process. In this example, we will create a list of business partner IP addresses.

  1. Select Settings & InfoSettingsAdvancedListsAdd a List.

  2. Enter a meaningful name for the list. For example, BusinessPartnersIPaddresses.

  3. In the Content Type field, select Text.

  4. Select who can view or edit the list in the PERMISSIONS section.

  5. In the list enter a comma-separated list of IP addresses of your business partners.

  6. Save the list.

  1. Go to Incident ResponsePlaybooks and search for TIM - Process Indicators - Manual Review and either detach or duplicate the playbook.

    Note

    If you detach a playbook, it does not receive content pack updates until it is reattached, but then your changes are discarded. Duplicate the playbook if you want to receive content pack updates and keep your changes.

  2. Click the Playbook Triggered task at the top of the playbook.

    1. Change From Context dataInputsGeneral (Inputs group)OpenIncidentToReviewIndicatorsManually the value to Yes, so an incident with the indicators for review is created.

    2. Select the From indicators radio button.

    3. Under Query, enter a query to process the specific indicators that you want. For example, sourceBrands:"Unit42IntelObjectsFeed".

    4. Save the task and then save the playbook.

  3. Update the TIM - Indicator Auto Processing sub-playbook and either detach or duplicate the playbook.

    1. To exclude business partner IP addresses that you defined in Task 2, locate and edit the TIM - Process Indicators Against Business Partners IP List task.

    2. From the Inputs tab, under BusinessPartnersIPListName, select the source, and under LISTS, add the created list.

    3. Save the task.

  4. Save the playbook.

  1. Go to Incident ResponseAutomationJobsNew JobTriggered by delta in feed.

  2. From the TRIGGERS section, select Specific feeds and add the feed configured in Task 1.

  3. Add the name of the job.

  4. In the Playbook field, add the playbook customized in Task 3.

  5. Create the job.

    Whenever indicators are ingested from Unit 42, the playbook runs and creates an incident if an incident needs to be reviewed. You can track the status of the job in the table on the Jobs page.

    You can now add indicators to a SIEM.