Provides an example of a job triggered by a delta in a feed to process incoming indicators and a time-triggered job to push indicators to a SIEM.
In this example, when indicators are fetched from a threat intel feed, a job triggers a playbook that enriches the indicators to determine which of them should be investigated. A time-triggered job then pushes the relevant indicators to your SIEM.
Use the following integration and playbooks to ingest and process the indicators.
| Content item | Description |
|---|---|
| Unit 42 Intel Objects Feed integration | This integration fetches a list of threat intel objects, including Campaigns, Threat Actors, Malware, and Attack Patterns, provided by Palo Alto Networks' Unit 42 threat researchers. |
| TIM - Process Indicators - Manual Review playbook | This playbook tags indicators ingested by feeds that require manual approval. To enable this playbook, the indicator query must be configured. The playbook uses the Indicator Auto Processing sub-playbook, which identifies indicators that should not be added to a blocked list, such as IP indicators that belong to business partners or important hashes. For the TIM - Process Indicators - Manual Review playbook to run, it must be triggered by a job. The job concludes by creating a new incident that includes all the indicators that the analyst must review. |
| TIM - Add All Indicator Types to SIEM playbook | This playbook sends to the SIEM only indicators (IP, bad hash, domains, and URLs) that have been processed and tagged accordingly after an automatic or manual review process. By default, the playbook is configured to work with ArcSight and QRadar, but you can change this to match the SIEM in your environment. |
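The two-stage flow in the table (a feed-delta job that auto-processes and tags new indicators and raises a review incident, then a time-triggered job that forwards only reviewed indicators of supported types) can be modelled offline. The following is an added example written for this page, not code from Cortex XSOAR or the TIM playbooks: the tag names (`excluded`, `pending_review`, `approved_for_siem`), the supported-type set, the partner network, the "important" hash and the sample feed are all constructed assumptions, and in a real deployment the tagging and selection would be done through XSOAR indicator fields and indicator queries rather than Python objects.

```python
"""Offline model of the feed-delta job and the time-triggered SIEM push job.

Added example, not part of the XSOAR content pack. All tag names, types and
sample values are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumption: indicator types the SIEM push job forwards (IP, bad hash, domain, URL)
SIEM_TYPES = {"IP", "File", "Domain", "URL"}

# Constructed exclusion data standing in for the "business partner" and
# "important hash" entries the Indicator Auto Processing step consults.
PARTNER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed (TEST-NET-3)
IMPORTANT_HASHES = {"d41d8cd98f00b204e9800998ecf8427e"}     # constructed (MD5 of an empty file)


@dataclass
class Indicator:
    value: str
    type: str
    tags: set = field(default_factory=set)


def _in_partner_range(value: str) -> bool:
    """True if an IP indicator falls inside a partner network; malformed values are not excluded."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in PARTNER_NETWORKS)


def auto_process(indicators: list) -> list:
    """Stage 1 (feed-delta job): tag every new indicator.

    Indicators that must never reach a block list get 'excluded'; all others get
    'pending_review' and are returned, modelling the review incident the job creates.
    """
    needs_review = []
    for ind in indicators:
        if ind.type == "IP" and _in_partner_range(ind.value):
            ind.tags.add("excluded")
        elif ind.type == "File" and ind.value.lower() in IMPORTANT_HASHES:
            ind.tags.add("excluded")
        else:
            ind.tags.add("pending_review")
            needs_review.append(ind)
    return needs_review


def approve(ind: Indicator) -> None:
    """Analyst decision taken in the review incident: clear the review flag, mark for SIEM."""
    ind.tags.discard("pending_review")
    ind.tags.add("approved_for_siem")


def select_for_siem(indicators: list) -> list:
    """Stage 2 (time-triggered job): only approved indicators of a supported type are pushed."""
    return [i for i in indicators
            if "approved_for_siem" in i.tags and i.type in SIEM_TYPES]


def sample_feed() -> list:
    """Constructed feed delta; values use documentation-reserved ranges and names."""
    return [
        Indicator("203.0.113.10", "IP"),                        # partner range -> excluded
        Indicator("198.51.100.7", "IP"),                        # needs review
        Indicator("d41d8cd98f00b204e9800998ecf8427e", "File"),  # important hash -> excluded
        Indicator("9e107d9d372bb6826bd81d3542a419d6", "File"),  # needs review (MD5 of a pangram)
        Indicator("malicious.example", "Domain"),               # needs review
        Indicator("http://malicious.example/payload", "URL"),   # needs review
        Indicator("Constructed Campaign", "Campaign"),          # reviewable, but not a SIEM type
    ]


if __name__ == "__main__":
    feed = sample_feed()
    review = auto_process(feed)
    print("for review:", [i.value for i in review])
    for i in review:
        approve(i)  # pretend the analyst approved everything in the review incident
    print("to SIEM:", [i.value for i in select_for_siem(feed)])
```

The point the model makes is that the SIEM push is gated twice: an indicator must carry the approval tag set during review, and its type must be one the push job handles, so a Campaign object from the Unit 42 feed is reviewed but never forwarded, and a partner IP is never even offered for review.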