Provides an example of using a job triggered by a delta in a feed to process incoming indicators.
In this example, set up a playbook to ingest indicators from a threat intel feed, enrich the indicators, and determine which indicators should be investigated. Use the following:
Unit 42 Intel Objects Feed: Fetches a list of threat intel objects, including Campaigns, Threat Actors, Malware, and Attack Patterns, provided by Palo Alto Networks' Unit 42 threat researchers.
The TIM - Process Indicators - Manual Review playbook: Tags indicators ingested by feeds that require manual approval. To enable the playbook, the indicator query needs to be configured. The playbook uses the Indicator Auto Processing sub-playbook, which in turn uses several sub-playbooks to process and tag indicators. These tags identify indicators that shouldn't be added to a block list, such as IP indicators that belong to business partners or important hashes.
For the TIM - Process Indicators - Manual Review playbook to run, it needs to be triggered by a job. The job concludes by creating a new alert that includes all of the indicators that the analyst must review.
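An added stand-alone model of this flow, written for this page rather than taken from XSOAR or the playbook itself: a job processes only the indicators new since the last feed fetch, the auto-processing step tags (not blocks) them, and the job ends by building the review alert. The exclusion lists, tag names and feed snapshots are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins for the exclusion inputs of the auto-processing sub-playbooks.
EXCLUDED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # business-partner range (constructed)
    ipaddress.ip_network("10.0.0.0/8"),       # internal range (constructed)
]
IMPORTANT_HASHES = {"d41d8cd98f00b204e9800998ecf8427e"}  # hash that must not be blocked (constructed)

@dataclass
class Indicator:
    value: str
    type: str                       # "IP", "Domain" or "File"
    tags: set = field(default_factory=set)

def auto_process(ind: Indicator) -> Indicator:
    """Tag one indicator; the sub-playbook tags, it does not block."""
    if ind.type == "IP":
        addr = ipaddress.ip_address(ind.value)
        if any(addr in net for net in EXCLUDED_NETWORKS):
            ind.tags.add("exclude_from_block_list")   # partner or internal address
            return ind
    if ind.type == "File" and ind.value.lower() in IMPORTANT_HASHES:
        ind.tags.add("exclude_from_block_list")       # known-important hash
        return ind
    ind.tags.add("pending_review")                    # an analyst must decide
    return ind

def run_job(previous: list, current: list):
    """Simulate the feed-delta job: process only indicators new since the last run,
    then build the review alert the job would create (None when nothing needs review)."""
    seen = {p.value for p in previous}
    delta = [Indicator(i.value, i.type) for i in current if i.value not in seen]
    processed = [auto_process(i) for i in delta]
    review = [i.value for i in processed if "pending_review" in i.tags]
    alert = {"name": "Indicators pending manual review", "indicators": review} if review else None
    return processed, alert

# Constructed feed snapshots: the second fetch adds five indicators.
LAST_RUN = [Indicator("198.51.100.7", "IP")]
THIS_RUN = LAST_RUN + [
    Indicator("203.0.113.9", "IP"),                         # partner range -> excluded
    Indicator("10.0.0.5", "IP"),                            # internal -> excluded
    Indicator("d41d8cd98f00b204e9800998ecf8427e", "File"),  # important hash -> excluded
    Indicator("192.0.2.44", "IP"),                          # -> manual review
    Indicator("evil.example", "Domain"),                    # -> manual review
]
if __name__ == "__main__":
    print(run_job(LAST_RUN, THIS_RUN)[1])
```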