Typical use cases for analysts and how to set up the use cases by administrators.
The following examples illustrate typical use cases for Threat Intel Management analysts.
In this example, Firewall Admins are responsible for ensuring employees can always access SaaS applications such as Zoom and Office 365. They need to manage a stream of inbound change requests from the security team and other business units. Regardless of these daily changes, critical apps must always be allowed. The network infrastructure of SaaS applications is constantly changing, with providers rotating IP addresses and domains.
1. Configure a feed integration such as Office 365, Amazon AWS, or Unit 42.
   a. Go to Settings → Configurations → Data Collections → Automation & Feed Integrations and in the Category field, select Threat Intel Feeds.
   b. Locate the relevant integration and select Add Instance. In this example, add the AWS feed.
   c. Set up the instance. In the Indicator Reputation field, select Benign.
   d. Test and save the instance.
2. (Optional) Configure a playbook to filter indicators according to your requirements.
   For example, the TIM - Indicator Auto Processing playbook identifies indicators that shouldn't be added to a block list, such as IP indicators that belong to business partners or important hashes you do not wish to process.
3. Go to the Indicators page and run the following search to return active IP, IPv6, or IPv6CIDR indicators from the AWS feed (the type conditions are grouped in parentheses so that the source and expiration filters apply to every type, not only to type:IP):
   sourceBrands:"AWS Feed" and expirationStatus:active and (type:IP or type:IPv6 or type:IPv6CIDR)
4. Configure the Generic Export Indicators Service integration.
   a. On the Automation & Feed Integrations page, search for Generic Export Indicators Service and select Add instance.
   b. In the Indicator Query field, add the query from step 3.
   c. Add the remaining fields, test, and save.
5. Test the EDL by running the following curl command (-u supplies the credentials configured on the instance):
   curl -v -u user:pass https://ext-<tenant>.crtx.<region>.paloaltonetworks.com/xsoar/instance/execute/<instance-name>
The security team needs to leverage threat intelligence to block or alert on known bad domains, IPs, hashes, etc. (indicators). The indicators are collected from many sources, which need to be normalized, scored, and analyzed before pushing to security devices such as firewalls for alerting. Detection tools can only handle limited amounts of threat intelligence data and need to constantly re-prioritize indicators.
Solution
Indicator prioritization. Cortex XSIAM can ingest phishing alerts from email inboxes through integrations. Once an alert is ingested, a playbook is triggered and can have any combination of automated or manual actions that users desire. The playbooks can have filters and conditions that execute different branches depending on certain values.
1. Configure feed integrations such as the Unit 42 ATOMs feed, a TAXII feed, etc.
   a. Go to Settings → Configurations → Data Collections → Automation & Feed Integrations and in the Category field, select Threat Intel Feeds.
   b. Locate the relevant integration and select Add Instance.
   c. Set up the instance. Leave the Indicator Reputation field blank.
   d. Test and save the instance.
2. (Optional) Configure a playbook to filter indicators according to your requirements.
   For example, the TIM - Indicator Auto Processing playbook identifies indicators that shouldn't be added to a block list, such as IP indicators that belong to business partners or important hashes you do not wish to process.
3. Go to the Indicators page and run the following search to return active IP indicators with a malicious verdict and high reliability (A - Completely reliable). The reliability value contains spaces, so it must be quoted:
   expirationStatus:active and type:IP and verdict:malicious and aggregatedReliability:"A - Completely reliable"
4. Configure the Generic Export Indicators Service integration.
   a. On the Automation & Feed Integrations page, search for Generic Export Indicators Service and select Add instance.
   b. In the Indicator Query field, add the query from step 3.
   c. Add the remaining fields, test, and save.
5. Test the EDL by running the following curl command (-u supplies the credentials configured on the instance):
   curl -v -u user:pass https://ext-<tenant>.crtx.<region>.paloaltonetworks.com/xsoar/instance/execute/<instance-name>
You can use this URL in your Next-Generation Firewall.
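Before pointing a firewall at the EDL URL from either use case (the SaaS allow list or the malicious-IP block list), it is worth checking what the exported list actually contains. The following Python script is an added example and is not part of the Cortex XSIAM documentation or product. It takes an EDL body (constructed inline here; in practice the response body of the curl command above), validates that every line is an IP address or CIDR that a firewall can load into an IP EDL, optionally enforces an entry cap to model the limited capacity of detection tools mentioned above, and diffs the list against a previous snapshot so that the churn caused by SaaS providers rotating addresses is visible. The sample EDL contents, the cap value, and the function names are all assumptions made for the example.

```python
"""Validate an IP EDL exported by the Generic Export Indicators Service.

Added example, not part of the Cortex XSIAM documentation. The EDL text is
constructed inline; in practice it is the body returned by:
  curl -u user:pass https://ext-<tenant>.crtx.<region>.paloaltonetworks.com/xsoar/instance/execute/<instance-name>
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample EDL bodies: one indicator per line, as the service emits
# them. "Today" deliberately contains a malformed line and a domain name so
# the validation step has something to flag (a domain in an IP list usually
# means the indicator query matched more types than intended).
SAMPLE_EDL_TODAY = """\
13.107.6.152
52.96.0.0/12
2603:1000::/25
not-an-ip
zoom.us
"""

SAMPLE_EDL_YESTERDAY = """\
13.107.6.152
40.96.0.0/13
2603:1000::/25
"""


@dataclass
class EdlReport:
    valid: set = field(default_factory=set)      # canonical IP/CIDR strings
    invalid: list = field(default_factory=list)  # lines that are not IP/CIDR
    added: set = field(default_factory=set)      # present now, absent in the previous snapshot
    removed: set = field(default_factory=set)    # present before, absent now
    ok: bool = False                             # safe to hand to the firewall?


def parse_ip_edl(text):
    """Return (valid, invalid): canonical IP/CIDR strings and rejected lines."""
    valid, invalid = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no indicator
        try:
            # ip_network accepts bare addresses (as /32 or /128) and CIDRs;
            # strict=False tolerates host bits set in a CIDR, as firewalls do.
            valid.add(str(ipaddress.ip_network(line, strict=False)))
        except ValueError:
            invalid.append(line)
    return valid, invalid


def check_edl(current_text, previous_text=None, max_entries=None):
    """Validate an IP EDL body and, if a previous snapshot is given, report churn.

    max_entries models the EDL capacity of the consuming device (assumed value
    chosen by the caller); exceeding it marks the report as not ok so the
    query can be tightened (for example by raising the reliability threshold)
    before anything is truncated on the firewall side.
    """
    valid, invalid = parse_ip_edl(current_text)
    report = EdlReport(valid=valid, invalid=invalid)
    if previous_text is not None:
        previous, _ = parse_ip_edl(previous_text)
        report.added = valid - previous
        report.removed = previous - valid
    within_cap = max_entries is None or len(valid) <= max_entries
    # An empty list is treated as a failure: an empty allow list would block
    # the SaaS apps, an empty block list would silently stop alerting.
    report.ok = bool(valid) and not invalid and within_cap
    return report


if __name__ == "__main__":
    r = check_edl(SAMPLE_EDL_TODAY, SAMPLE_EDL_YESTERDAY, max_entries=50000)
    print(f"valid entries : {len(r.valid)}")
    print(f"invalid lines : {r.invalid}")
    print(f"added         : {sorted(r.added)}")
    print(f"removed       : {sorted(r.removed)}")
    print(f"ok to deploy  : {r.ok}")
```

Run it as a scheduled check after each EDL refresh: a non-empty `invalid` list points at a query that matches unintended indicator types, a large `added`/`removed` delta on the allow list is the expected SaaS churn and confirms the feed is still updating, and `ok` turning false on the block list usually means the query needs a tighter verdict or reliability filter rather than a larger firewall.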
Incident Responders receive an endless stream of alerts, usually with little to no context of the external threat. Enriching alerts with curated threat intelligence from Unit 42 enables analysts to see the bigger picture and make more informed decisions when responding to alerts, ensuring comprehensive containment of the threat.
Most tools that Security Operations Centers and Incident Response teams use to respond to alerts are very generic. There is little correlation between network data and an understanding of threats and attacker movements. Analysts are often handed a dump of information, including bad IP addresses or domains, and someone has to be assigned to work through it manually and weed out false positives. There is also a lack of understanding of malware families, hacking tools, and their patterns of attack.
Accelerate alert response with TIM and alert enrichment using threat intelligence data. The incident enrichment workflow in Cortex XSIAM leverages threat intelligence from our centralized threat intelligence library, including information on:
Data from Unit 42 Intel to learn about known malware campaigns or families
IPs and domains with WHOIS data
Passive DNS data
Web categorization data
When investigating an alert, you can see information, such as affected hosts, affected users, and detailed information about the source and destination. You can deep dive into the indicator by clicking the indicator to see the verdict, sources, related alerts, file details, and relationships. If the indicator originated from Unit 42, in the Unit 42 Intel tab you can see additional information, such as static and dynamic analysis for a file.