Create jobs to process indicators example - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2024-11-28
Category: Administrator Guide
Solution: On-prem
Abstract

Provides an example of a job triggered by a delta in a feed to process incoming indicators and a time triggered job to push indicators to a SIEM.

In this example, when indicators are fetched from a threat intel feed, a job triggers a playbook to enrich the indicators to determine which indicators should be investigated. A time triggered job then pushes the relevant indicators to your SIEM.

Use the following integration and playbooks to ingest and process the indicators.

Content item: Unit 42 Intel Objects Feed integration
Description: This integration fetches a list of threat intel objects, including Campaigns, Threat Actors, Malware, and Attack Patterns, provided by Palo Alto Networks' Unit 42 threat researchers.

Content item: TIM - Process Indicators - Manual Review playbook
Description: This playbook tags indicators ingested by feeds that require manual approval. To enable this playbook, the indicator query needs to be configured. The playbook uses the Indicator Auto Processing sub-playbook, which identifies indicators that should not be added to a blocked list, such as IP indicators that belong to business partners or important hashes.

For the TIM - Process Indicators - Manual Review playbook to run, it needs to be triggered by a job. The job concludes by creating a new incident that includes all the indicators that the analyst must review.

Content item: TIM - Add All Indicator Types to SIEM playbook
Description: This playbook sends to the SIEM only indicators (IP, bad hash, domains, and URLs) that have been processed and tagged accordingly after an automatic or manual review process.

By default, the playbook is configured to work with ArcSight and QRadar, but change this to match the SIEM in your system.

If you have a TIM license, this feed is preconfigured.

  1. Go to Settings & Info > Settings > Integrations > Instance and search for Unit 42 Intel Objects Feed.

  2. Click Add instance.

  3. In the Collect section, select Fetches indicators.

  4. Test the Feed to ensure that it is working correctly.

  5. Save and Exit.

Before customizing the playbook, we recommend creating a list of indicators that you want to exclude from the manual review process. In this example, we will create a list of business partner IP addresses.

  1. Select Settings & Info > Settings > Advanced > Lists > Add a List.

  2. Enter a meaningful name for the list. For example, BusinessPartnersIPaddresses.

  3. In the Content Type field, select Text.

  4. Select who can view or edit the list in the PERMISSIONS section.

  5. In the list body, enter a comma-separated list of your business partners' IP addresses.

  6. Save the list.

  1. Go to Playbooks and search for TIM - Process Indicators - Manual Review and either detach or duplicate the playbook.

    Note

    If you detach a playbook, it does not receive content pack updates until it is reattached, but then your changes are discarded. Duplicate the playbook if you want to receive content pack updates and keep your changes.

  2. Click the Playbook Triggered task at the top of the playbook.

    1. Under Inputs > General (Inputs group) > OpenIncidentToReviewIndicatorsManually, change the value from From Context data to Yes, so that an incident containing the indicators for review is created.

    2. Select the From indicators radio button.

    3. Under Query, enter a query to process the specific indicators that you want. For example, sourceBrands:"Unit42IntelObjectsFeed".

    4. Save the task and then save the playbook.

  3. Update the TIM - Indicator Auto Processing sub-playbook and either detach or duplicate the playbook.

    1. To exclude business partner IP addresses that you defined in Task 2, locate and edit the TIM - Process Indicators Against Business Partners IP List task.

    2. From the Inputs tab, under BusinessPartnersIPListName, select the source, and under LISTS, add the created list.

    3. Save the task.

  4. Save the playbook.
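The exclusion configured above (a comma-separated list of business partner IP addresses consulted by the TIM - Process Indicators Against Business Partners IP List task) is easier to reason about when you can see the decision it makes per indicator. The following is an added example and not Cortex XSOAR content or the playbook's own code: it parses a list in the same comma-separated format (and also accepts CIDR entries, which goes beyond the page), filters a constructed batch of indicators by the same sourceBrands query, and separates those needing manual review from those excluded as business partners. The indicator dicts, the list contents and the sample addresses are constructed; a real automation would read the list through the platform instead of an inline string.

```python
"""Added example (not Cortex XSOAR content): model the manual-review triage
so that IP indicators belonging to business partners never reach the
analyst queue.

Assumptions, labelled as such: the indicator dicts, the list contents and
the sample addresses below are constructed. In a real automation the list
"BusinessPartnersIPaddresses" would be fetched from the platform rather
than defined inline.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-in for the XSOAR list created in the procedure above.
# Same comma-separated format; CIDR entries are accepted as well.
BUSINESS_PARTNERS_IP_LIST = "203.0.113.10, 203.0.113.11, 198.51.100.0/24"

# Constructed batch of indicators, as a feed delta might deliver them.
INDICATORS: List[Dict] = [
    {"value": "203.0.113.10", "type": "IP", "sourceBrands": ["Unit42IntelObjectsFeed"]},
    {"value": "198.51.100.77", "type": "IP", "sourceBrands": ["Unit42IntelObjectsFeed"]},
    {"value": "192.0.2.5", "type": "IP", "sourceBrands": ["Unit42IntelObjectsFeed"]},
    {"value": "example.invalid", "type": "Domain", "sourceBrands": ["Unit42IntelObjectsFeed"]},
    {"value": "192.0.2.9", "type": "IP", "sourceBrands": ["SomeOtherFeed"]},
]


def parse_ip_list(raw: str) -> list:
    """Parse a comma-separated list of IPs/CIDRs into network objects.

    Blank entries are ignored. A malformed entry raises ValueError on
    purpose: a typo in the list must not silently disable the exclusion.
    """
    networks = []
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            continue
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_business_partner(value: str, networks: list) -> bool:
    """True if the indicator value is an IP inside any partner network."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # not an IP literal, so it cannot match an IP list
    return any(addr in net for net in networks)


def triage(indicators: List[Dict], raw_list: str,
           query_source: str = "Unit42IntelObjectsFeed") -> Tuple[List[str], List[str]]:
    """Return (manual_review, excluded) indicator values.

    Only indicators matching the Playbook Triggered query are considered,
    mirroring sourceBrands:"Unit42IntelObjectsFeed" from the steps above.
    """
    networks = parse_ip_list(raw_list)
    manual_review, excluded = [], []
    for ind in indicators:
        if query_source not in ind.get("sourceBrands", []):
            continue
        if ind["type"] == "IP" and is_business_partner(ind["value"], networks):
            excluded.append(ind["value"])
        else:
            manual_review.append(ind["value"])
    return manual_review, excluded


if __name__ == "__main__":
    review, skipped = triage(INDICATORS, BUSINESS_PARTNERS_IP_LIST)
    print("Manual review:", review)
    print("Excluded (business partners):", skipped)
```

Note that the parser fails loudly on a malformed entry rather than skipping it: a list that silently loses an entry would put a partner address into the review queue, or worse, into a block list later on.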

  1. Go to Incident Response > Jobs > New Job > Triggered by delta in feed.

  2. From the TRIGGERS section, select Specific feeds and add the feed configured in Task 1.

  3. Add the name of the job.

  4. In the Playbook field, add the playbook customized in Task 3.

  5. Create the job.

    Whenever indicators are ingested from Unit 42, the playbook runs and, if there are indicators to review, creates an incident. You can track the status of the job in the table on the Jobs page.

    You can now add indicators to a SIEM.

  1. Go to Playbooks and search for TIM - Add All Indicator Types to SIEM and either detach or duplicate the playbook.

    Note

    If you detach a playbook, it does not receive content pack updates until it is reattached, but then your changes are discarded. Duplicate the playbook if you want to receive content pack updates and keep your changes.

  2. Click the Playbook Triggered task at the top of the playbook.

    1. Select From indicators and set the query for the indicators to add. For example, tags:approved_black, approved_white.

      The purpose of the playbook is to send to the SIEM only indicators that have been processed and tagged accordingly after an automatic or manual review process. The playbook comes out-of-the-box with queries that you can update if required.

    2. Save the playbook.

      Ensure the playbook includes a task that closes the investigation once it is completed.

  1. Select Jobs > New Job.

  2. Select Time Triggered.

  3. (Optional) Select Recurring and determine how often you want the job to run. For example, run once a day at midnight.

  4. Enter a name for the job.

  5. In the Playbook field, select the TIM - Add All Indicator Types To SIEM playbook to run.

  6. Create new job.

    Whenever an indicator is ingested that has a relevant tag such as approved_list, the job pushes that indicator to the SIEM.

  1. Open the job that you created to process indicators from Task 3.

    You can tag any indicator with the tags that you want to push. It does not have to be this job.

  2. In the Work Plan, open the Create Process Indicators Manually incident task.

  3. In the Outputs tab, copy the incident ID for the incident that was created.

  4. Go to Incidents and search for the incident ID that was created.

  5. Review the indicators and update the indicators with tags that you want to push to the SIEM.

  6. When finished with the review, in the Work Plan, click the Manually review the incident task, select Yes, and Mark Completed.

  7. Select the job you defined in Task 6 and click Run now.

  8. Go to Indicators and run the query tags:SIEM.

    This tag is appended to every indicator that has been processed and pushed to the SIEM.
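To tie the SIEM job's query (tags:approved_black, approved_white), the indicator types the playbook sends, and the tags:SIEM verification query together, here is an added example that is not Cortex XSOAR content or the playbook's own code. It models one run of the time triggered job over a constructed set of indicators: select the approved indicators of a type the SIEM playbook handles, push them through a stand-in for the SIEM integration, append the SIEM tag, and then show that the verification query returns exactly the pushed values and that a second run sends nothing. The indicator dicts and the push_to_siem() stand-in are assumptions; in the platform the query and tagging go through the indicator commands, and the push goes through your SIEM integration (ArcSight, QRadar, or whichever you configured).

```python
"""Added example (not Cortex XSOAR content): model what the time triggered
TIM - Add All Indicator Types to SIEM job selects, how the SIEM tag is
appended after a push, and what the tags:SIEM verification query returns.

Assumptions, labelled as such: the indicator dicts are constructed and
push_to_siem() stands in for the SIEM integration call.
"""
import copy
from typing import Dict, List

APPROVED_TAGS = {"approved_black", "approved_white"}  # the job's tags: query
SIEM_TYPES = {"IP", "File", "Domain", "URL"}          # types the playbook sends
PUSHED_TAG = "SIEM"                                   # appended once pushed

# Constructed indicators. The hash is the MD5 of an empty file, used only as
# a well-formed sample value.
INDICATORS: List[Dict] = [
    {"value": "192.0.2.5", "type": "IP", "tags": ["approved_black"]},
    {"value": "example.invalid", "type": "Domain", "tags": ["approved_white"]},
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "type": "File", "tags": ["approved_black"]},
    {"value": "http://example.invalid/x", "type": "URL", "tags": []},
    {"value": "203.0.113.10", "type": "IP", "tags": ["approved_white", "SIEM"]},
    {"value": "Sample Attack Pattern", "type": "Attack Pattern", "tags": ["approved_black"]},
]


def sample_indicators() -> List[Dict]:
    """Fresh copy so that repeated job runs start from the same state."""
    return copy.deepcopy(INDICATORS)


def matches_tag_query(ind: Dict, tags=APPROVED_TAGS) -> bool:
    """Equivalent of tags:approved_black, approved_white (any listed tag)."""
    return bool(set(ind.get("tags", [])) & tags)


def select_for_siem(indicators: List[Dict]) -> List[Dict]:
    """Indicators the job would send: approved by review, of a type the SIEM
    playbook handles, and not yet pushed (a recurring job must not resend).
    Skipping already-tagged indicators is a choice made in this example."""
    return [
        ind for ind in indicators
        if matches_tag_query(ind)
        and ind["type"] in SIEM_TYPES
        and PUSHED_TAG not in ind.get("tags", [])
    ]


def push_to_siem(indicators: List[Dict]) -> List[str]:
    """Constructed stand-in for the SIEM integration; returns sent values."""
    return sorted(ind["value"] for ind in indicators)


def run_job(indicators: List[Dict]) -> List[str]:
    """One run of the time triggered job: select, push, then tag what was sent."""
    to_push = select_for_siem(indicators)
    sent = push_to_siem(to_push)
    for ind in to_push:
        ind.setdefault("tags", []).append(PUSHED_TAG)  # append; keep review tags
    return sent


def query_tag(indicators: List[Dict], tag: str) -> List[str]:
    """Equivalent of running tags:SIEM on the Indicators page."""
    return sorted(ind["value"] for ind in indicators if tag in ind.get("tags", []))


if __name__ == "__main__":
    state = sample_indicators()
    print("first run pushed:", run_job(state))
    print("second run pushed:", run_job(state))
    print("tags:SIEM ->", query_tag(state, PUSHED_TAG))
```

Two things the run makes visible: an Attack Pattern object from the Unit 42 feed is approved but never reaches the SIEM because the playbook only sends IP, hash, domain and URL indicators, and an indicator that already carries the SIEM tag is not sent again, so the tags:SIEM query stays an accurate record of what your SIEM has actually received.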