This example shows how to set up a playbook that takes indicators from a threat intel feed, enriches them, and determines which indicators an analyst should investigate. It uses the following:
Unit 42 Intel Objects Feed: Fetches a list of threat intel objects, including Campaigns, Threat Actors, Malware and Attack Patterns, provided by Palo Alto Networks' Unit 42 threat researchers.
The TIM - Process Indicators - Manual Review playbook: Tags indicators ingested by feeds that require manual approval. Before the playbook can run, its indicator query must be configured. The playbook calls the TIM - Indicator Auto Processing sub-playbook, which in turn uses several sub-playbooks to process and tag indicators. This is how indicators that should not be added to a block list, such as IP addresses that belong to business partners or important hashes, are identified and kept out of the review set.
For the TIM - Process Indicators - Manual Review playbook to run, it must be triggered by a job. The job concludes by creating a new alert that contains all of the indicators the analyst must review.
Configure the Unit 42 Intel Objects Feed.
Go to → , search for Unit 42 Intel Objects Feed, and click Add instance.
Select Fetches indicators.
Test the Feed to ensure that it is working correctly.
Save and Exit.
Create a list of indicators not to process.
Before customizing the playbook, create a list of indicators that you want to exclude from the manual review process. In this example, the list holds business partner IP addresses. Keep in mind that anything on this list is never presented for review, so the list needs to be kept current as partner address ranges change.
Select→ → → .
Enter a meaningful name for the list. For example, BusinessPartnersIPaddresses.
In the Content Type field, select Text.
Select who can view or edit the list in the PERMISSIONS section.
In the list body, enter your business partners' IP addresses as a comma-separated list.
Save the list.
Customize the TIM - Process Indicators - Manual Review playbook.
Go to Playbooks, search for TIM - Process Indicators - Manual Review, and either detach or duplicate the playbook.
If you detach the playbook, it stops receiving content pack updates until you reattach it. If you want the original to keep receiving content pack updates while you keep your changes, duplicate the playbook and customize the copy.
Click the Playbook Triggered task at the top of the playbook.
Under Inputs, in the OpenIncidentToReviewIndicatorsManually field, change the value to Yes so that an incident containing the indicators for review is created.
Select the From indicators radio button.
Under Query, enter a query to process the specific indicators that you want. For example,
Save the playbook.
Update the TIM - Indicator Auto Processing sub-playbook, detaching or duplicating it in the same way.
To exclude the business partner IP addresses you defined in step 2, locate and edit the TIM - Process Indicators Against Business Partners IP List task.
On the Inputs tab, under BusinessPartnersIPListName, select the source and, under LISTS, add the list you created.
Save the playbook.
Make sure the playbook includes a task that closes the investigation once it completes, then save the playbook.
Define a job that triggers the playbook whenever indicators are fetched.
Select→ → .
From the TRIGGERS section, select Specific feeds and add the feed configured in step 1.
Enter a name for the job.
In the Playbook field, add the playbook customized in step 3.
Create the new job.
Whenever indicators are ingested from Unit 42, the job runs the playbook, which creates an incident if any indicators need to be reviewed. You can track the status of the job in the Jobs table.
Test the job.
On the Jobs page, find the new job and click Running.
Go to the Work Plan.
You can see the stage the Work Plan has reached and whether any indicators need to be investigated.
(Optional) You can Add Indicators to SIEM Using a Time Triggered Job.
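The following is an added, stand-alone Python illustration of the logic behind step 2 (the business partner IP list) and step 4 (the TIM - Process Indicators Against Business Partners IP List task). It is not the playbook's own code and the tag names it applies are assumptions; the point is to show what the exclusion step decides and the two edge cases a practitioner should care about: a malformed entry in the partner list (which must fail loudly, not silently let a partner IP through to review) and a malformed indicator value. Accepting CIDR entries in the list is an extension of the single-IP list the page describes. The partner list and the fetched indicators are constructed sample data, not real Unit 42 feed content.

```python
import ipaddress

# Constructed stand-in for the text list created in step 2
# (for example, BusinessPartnersIPaddresses). The page describes a
# comma-separated list of single IPs; the CIDR entry is an extension
# added here. "10.0.0.999" is a deliberate typo to show list validation.
BUSINESS_PARTNERS_IP_LIST = "203.0.113.10, 203.0.113.11,198.51.100.0/24, ,10.0.0.999"

# Constructed sample of fetched indicators (value and type only).
SAMPLE_INDICATORS = [
    {"value": "203.0.113.10", "indicator_type": "IP"},
    {"value": "198.51.100.77", "indicator_type": "IP"},
    {"value": "192.0.2.5", "indicator_type": "IP"},
    {"value": "not-an-ip", "indicator_type": "IP"},
    {"value": "evil.example", "indicator_type": "Domain"},
]

# Assumed tag names for this illustration; the real sub-playbooks apply their own.
TAG_BUSINESS_PARTNER = "business_partner"
TAG_MANUAL_REVIEW = "pending_review"


def parse_ip_list(list_text):
    """Turn the list contents into IP networks.

    A bare address becomes a /32 (or /128) network so that membership is a
    single check. Entries that do not parse are returned separately instead of
    being dropped, so a typo in the partner list is surfaced rather than
    silently allowing that partner's traffic to reach the review incident.
    """
    networks, bad_entries = [], []
    for raw in list_text.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate stray commas and trailing whitespace
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            bad_entries.append(entry)
    return networks, bad_entries


def process_indicators(indicators, list_text):
    """Mirror the manual-review flow for one batch of fetched indicators.

    IP indicators inside a partner network are tagged and excluded; every other
    indicator (including non-IP types such as domains) is tagged for review.
    Returns the buckets the review incident would be built from, plus the
    tagged copies of the indicators themselves.
    """
    networks, bad_entries = parse_ip_list(list_text)
    excluded, to_review, malformed, tagged = [], [], [], []
    for original in indicators:
        ind = dict(original, tags=list(original.get("tags", [])))
        value = ind["value"]
        if ind["indicator_type"] == "IP":
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                # An IP-typed indicator that is not an IP: hand it to a human
                # rather than guessing, but keep it out of the partner check.
                malformed.append(value)
                tagged.append(ind)
                continue
            # IPv4 addresses never match IPv6 networks and vice versa.
            if any(addr in net for net in networks):
                ind["tags"].append(TAG_BUSINESS_PARTNER)
                excluded.append(value)
                tagged.append(ind)
                continue
        ind["tags"].append(TAG_MANUAL_REVIEW)
        to_review.append(value)
        tagged.append(ind)
    return {
        "excluded": excluded,
        "to_review": to_review,
        "malformed": malformed,
        "bad_list_entries": bad_entries,
        "indicators": tagged,
    }


if __name__ == "__main__":
    result = process_indicators(SAMPLE_INDICATORS, BUSINESS_PARTNERS_IP_LIST)
    for key in ("excluded", "to_review", "malformed", "bad_list_entries"):
        print(f"{key}: {result[key]}")
```

With the constructed data above, the two partner addresses are excluded, the remaining IP and the domain go to review, the unparsable indicator is reported as malformed, and the typo in the list is reported as a bad list entry. In a real deployment the bad_list_entries bucket is the one to alert on: an empty or broken partner list does not stop the playbook, it just means partner IPs start appearing in the review incident and, if approved carelessly, on a block list.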