Process Indicators Using a Job Triggered By Delta in Feed

Threat intel management

Product
Cortex XSIAM
Creation date
2023-07-30
Last date published
2024-04-15
Category
Threat Intel Management Guide
Abstract

Provides an example of using a job triggered by a delta in a feed to process incoming indicators.

In this example, set up a playbook to ingest indicators from a threat intel feed, enrich the indicators, and determine which indicators should be investigated. Use the following:

  • Unit 42 Intel Objects Feed: Fetches a list of threat intel objects, including Campaigns, Threat Actors, Malware, and Attack Patterns, provided by Palo Alto Networks' Unit 42 threat researchers.

  • The TIM - Process Indicators - Manual Review playbook: Tags indicators ingested by feeds that require manual approval. To enable the playbook, the indicator query needs to be configured. The playbook uses the TIM - Indicator Auto Processing sub-playbook, which in turn uses several sub-playbooks to process and tag indicators. This processing identifies indicators that shouldn't be added to a block list, such as IP indicators that belong to business partners or file hashes that are important to your organization.

    For the TIM - Process Indicators - Manual Review playbook to run, it needs to be triggered by a job. The job concludes by creating a new alert that includes all of the indicators that the analyst must review.

If you have a TIM license, this feed has been preconfigured.

  1. Go to Settings & Info > Settings > Integrations > Instance and search for Unit 42 Intel Objects Feed.

  2. Click Add instance.

  3. In the Collect section, select Fetches indicators.

  4. Test the Feed to ensure that it is working correctly.

  5. Save and Exit.

Before customizing the playbook, we recommend creating a list of indicators that you want to exclude from the manual review process. In this example, we will create a list of business partner IP addresses.

  1. Select Settings & Info > Settings > Advanced > Lists > Add a List.

  2. Enter a meaningful name for the list. For example, BusinessPartnersIPaddresses.

  3. In the Content Type field, select Text.

  4. Select who can view or edit the list in the PERMISSIONS section.

  5. In the list enter a comma-separated list of IP addresses of your business partners.

  6. Save the list.

  1. Go to Playbooks and search for TIM - Process Indicators - Manual Review and either detach or duplicate the playbook.

    Note

    If you detach the playbook, it does not receive content pack updates until it is reattached. If you want to receive content pack updates and keep your changes, duplicate the playbook instead.

  2. Click the Playbook Triggered task at the top of the playbook.

    1. Under From context data > Inputs > General (Inputs group) > OpenIncidentToReviewIndicatorsManually, change the value to Yes, so that an incident containing the indicators for review is created.

    2. Select the From indicators radio button.

    3. Under Query, enter a query to process the specific indicators that you want. For example, sourceBrands:"Unit42IntelObjectsFeed".

    4. Save the task and then save the playbook.

  3. Update the TIM - Indicator Auto Processing sub-playbook and either detach or duplicate the playbook.

    1. To exclude business partner IP addresses that you defined in step 2, locate and edit the TIM - Process Indicators Against Business Partners IP List task.

    2. From the Inputs tab, under BusinessPartnersIPListName, select the source, and under LISTS, add the created list.

    3. Save the task.

  4. Save the playbook.

  1. Select Jobs > New Job > Triggered by delta in feed.

  2. From the TRIGGERS section, select Specific feeds and add the feed configured in step 1.

  3. Add the name of the job.

  4. In the Playbook field, add the playbook customized in step 3.

  5. Create the job.

    Whenever indicators are ingested from Unit 42, the playbook runs and creates an incident if any indicators require manual review. You can track the status of the job in the Jobs table.

    You can now add indicators to a SIEM.
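As an added example (not code from the page or from the Cortex content pack), the following Python models what the customized playbook does with one feed delta: apply the sourceBrands query, set aside IP indicators that appear in the BusinessPartnersIPaddresses list, and return what remains for the review alert. The feed records and list content are constructed, and the CIDR entry is a generalization beyond the plain IP addresses the page describes.

```python
import ipaddress

# Constructed sample of the list content: comma-separated business partner
# addresses, with the kind of stray whitespace a hand-typed list often has.
# The third entry is a CIDR range, an extension beyond the page's plain IPs.
BUSINESS_PARTNERS_LIST = "203.0.113.10, 203.0.113.11 ,198.51.100.0/24"

# Constructed sample of indicators delivered by one feed delta. The field
# name sourceBrands mirrors the query on the page; the records are invented.
FEED_DELTA = [
    {"value": "203.0.113.10", "type": "IP", "sourceBrands": ["Unit42IntelObjectsFeed"]},
    {"value": "203.0.113.11", "type": "IP", "sourceBrands": ["Unit42IntelObjectsFeed"]},
    {"value": "198.51.100.77", "type": "IP", "sourceBrands": ["Unit42IntelObjectsFeed"]},
    {"value": "192.0.2.5", "type": "IP", "sourceBrands": ["Unit42IntelObjectsFeed"]},
    {"value": "192.0.2.6", "type": "IP", "sourceBrands": ["SomeOtherFeed"]},
    {"value": "0123456789abcdef0123456789abcdef", "type": "File",
     "sourceBrands": ["Unit42IntelObjectsFeed"]},
]


def parse_partner_list(raw):
    """Parse the comma-separated list text into IP networks.
    Whitespace is stripped so a trailing space never silently breaks a match;
    a bare address becomes a /32 network, a CIDR entry is kept as a range."""
    nets = []
    for item in raw.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_business_partner(value, nets):
    """True when the indicator value is an IP inside any partner network."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:          # not an IP literal (e.g. a hash): never excluded here
        return False
    return any(addr in net for net in nets)


def select_for_manual_review(indicators, partner_list_text,
                             source_brand="Unit42IntelObjectsFeed"):
    """Keep indicators matching sourceBrands:"<source_brand>", tag partner IPs
    as excluded, and return (values for the review alert, excluded values)."""
    nets = parse_partner_list(partner_list_text)
    review, excluded = [], []
    for ind in indicators:
        if source_brand not in ind.get("sourceBrands", []):
            continue            # outside the playbook's indicator query
        if ind["type"] == "IP" and is_business_partner(ind["value"], nets):
            excluded.append(ind["value"])
        else:
            review.append(ind["value"])
    return review, excluded
```

In a real XSIAM job the exclusion step runs inside the TIM - Indicator Auto Processing sub-playbook against the list you selected under BusinessPartnersIPListName; this model only shows which indicators would end up in the review alert for a given delta.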