Threat Intel Management use cases - Administrator Guide - Threat Intel Management Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2024-09-17
Category: Administrator Guide
Solution: Cloud

Abstract

Typical use cases for analysts and how to set up the use cases by administrators.

The following examples illustrate typical use cases for Threat Intel Management analysts, including how to configure playbooks and jobs for administrators.

In this example, firewall admins are responsible for ensuring employees can always access SaaS applications such as Zoom and Office 365. They need to manage a stream of inbound change requests from the security team and other business units. Regardless of these daily changes, critical apps must always be allowed. The network infrastructure of SaaS applications changes constantly, rotating IP addresses and domains.

  1. Configure a feed integration such as Office 365, Amazon AWS, Unit 42, etc.

    1. Go to Settings & Info → Settings → Integrations → Instances and in the Category field, select Threat Intel Feeds.

    2. Locate the relevant integration and select Add Instance.

      In this example, add the AWS feed.

    3. Set up the instance. In the Indicator Reputation field, select Benign.

    4. Test and save the instance.

  2. (Optional) Configure a playbook to filter indicators according to your requirements.

    For example, the TIM - Indicator Auto Processing playbook identifies indicators that shouldn’t be added to a block list, such as IP indicators that belong to business partners or important hashes you do not wish to process.

  3. Go to the Threat Intel page and run the following search to return IP, IPv6, or IPv6CIDR results. Note the parentheses: without them, "and" binds tighter than "or" and the query would return IPv6 and IPv6CIDR indicators from every feed, not only the AWS feed.

    sourceBrands:"AWS Feed" and expirationStatus:active and (type:IP or type:IPv6 or type:IPv6CIDR)

  4. Configure the Generic Export Indicator Service integration.

    1. In the Instances page, search for Generic Export Indicators Service and Add instance.

    2. In the Indicator Query field, add the query in step 3.

    3. Add the remaining fields, test, and save.

  5. Test the EDL by running the following curl command: curl -v -u user:pass https://ext-<tenant>.crtx.<region>.paloaltonetworks.com/xsoar/instance/execute/<instance-name>

The security team needs to leverage threat intelligence to block known bad domains, IPs, hashes, etc (indicators). The indicators are being collected from many different sources which need to be normalized, scored, and vetted (ensure not blocking business partners) before pushing to security devices such as Firewalls for blocking.

  1. Configure feed integrations such as Unit 42 ATOMs feed, TAXII feed, etc.

    1. Go to Settings & Info → Settings → Integrations → Instances and in the Category field, select Threat Intel Feeds.

    2. Locate the relevant integration and select Add Instance.

    3. Set up the instance.

      Leave the Indicator Reputation field blank.

    4. Test and save the instance.

  2. (Optional) Configure a playbook to filter indicators according to your requirements.

    For example, the TIM - Indicator Auto Processing playbook identifies indicators that shouldn’t be added to a block list, such as IP indicators that belong to business partners or important hashes you do not wish to process.

  3. Go to the Threat Intel page and run the following search to return IP addresses with the verdict malicious and a completely reliable aggregated reliability (the value contains spaces, so it must be quoted):

    expirationStatus:active and type:IP and verdict:malicious and aggregatedReliability:"A - Completely reliable"

  4. Configure the Generic Export Indicator Service integration.

    1. In the Instances page, search for Generic Export Indicators Service and Add instance.

    2. In the Indicator Query field, add the query in step 3.

    3. Add the remaining fields, test, and save.

  5. Test the EDL by running the following curl command: curl -v -u user:pass https://ext-<tenant>.crtx.<region>.paloaltonetworks.com/xsoar/instance/execute/<instance-name>

    You can use this URL in your Next-Generation Firewall.
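Before a firewall consumes an EDL, it is worth checking that every entry is a well-formed IP or CIDR and that nothing in it falls inside a business-partner range the filtering playbook should have excluded. The following is an added example, not Cortex XSOAR product code; it applies to the EDL test step in both the allow-list and block-list procedures above. The EDL body and the partner ranges are constructed samples, and the check assumes the service returns one indicator per line, as the curl command above retrieves it.

```python
"""Sanity-check an EDL body before a firewall consumes it (added example)."""
import ipaddress

# Constructed sample of an EDL body: one indicator per line.
# The last two lines are deliberately bad input for the check to catch.
SAMPLE_EDL = """\
203.0.113.10
198.51.100.0/24
2001:db8::/32
203.0.113.99
not-an-ip
"""

# Constructed allow list standing in for business-partner ranges that the
# TIM - Indicator Auto Processing playbook is expected to keep off a block list.
PARTNER_RANGES = [ipaddress.ip_network("203.0.113.96/28")]


def check_edl(body, partner_ranges=PARTNER_RANGES):
    """Return (valid_networks, problems).

    problems is a list of (line, reason) pairs: lines that are not an
    IP/CIDR, or that overlap a partner range and must not reach the firewall.
    """
    valid, problems = [], []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # tolerate blank and comment lines
        try:
            # strict=False accepts host bits set, e.g. 203.0.113.10 -> /32
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            problems.append((line, "not an IP or CIDR"))
            continue
        if any(net.version == p.version and net.overlaps(p) for p in partner_ranges):
            problems.append((line, "overlaps business-partner range"))
            continue
        valid.append(net)
    return valid, problems


if __name__ == "__main__":
    ok, bad = check_edl(SAMPLE_EDL)
    print(f"{len(ok)} usable entries, {len(bad)} problems")
    for line, reason in bad:
        print(f"  {line}: {reason}")
```

To run it against a live EDL, save the curl output to a file and pass its contents to check_edl in place of SAMPLE_EDL.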

Incident Responders are receiving an endless stream of alerts, usually with little to no context of the external threat. Enriching alerts with curated threat intelligence from Unit 42 enables analysts to see the bigger picture and make more informed decisions when responding to alerts, ensuring comprehensive containment of the threat.

  1. Use case management with Cortex XSOAR.

  2. Ensure indicator extraction is enabled.

  3. Configure threat feeds and enrichment sources, relevant to your use case. For example, Unit 42 ATOMs Feed, Feodo Tracker IP Blocklist Feed, TAXII Feed (to ingest ISAC data).

For example, configure the Palo Alto Networks Cortex XDR Investigation and Response integration to ingest alerts from Cortex XDR. On the Incidents page, open an incident from Cortex XDR. In the Case Info tab, you can see brief information such as affected hosts and affected users. In the Investigation tab, you can view the alert's file artifacts or network artifacts. You can deep dive into an indicator by viewing its summary (verdict, sources, related incidents, timeline, relationships, etc.). In the Unit 42 Intel tab you can get additional details from Unit 42; for a file, you can see static and dynamic analysis. In the Work Plan, you can see the playbook that ran to determine whether an investigation is needed.

A new critical vulnerability is disclosed to the public which impacts the world's most popular applications (e.g. Log4J). The security team has already begun the search for the vulnerable software, however, the threat intel team needs to inform all technology employees of this critical threat. The intel team crafts a brief report summarizing the threat and adds analysis describing why this threat is relevant to the organization. This is also a great way to “advertise” the availability of threat intelligence services across the organization.

  1. Ingest industry news events and security research blogs using the RSS Feed integration, for example Threatpost, Dark Reading, ZDNet Security, and Krebs on Security.

  2. (Optional) Define any custom report types and templates.

  3. Create a report.

In this example, you want to create a flash intel report about the Log4j security vulnerability, which will be sent to all internal stakeholders. You want to include the impact on the business with a brief analysis.

  1. Get the relevant RSS feed entries by going to Threat Intel → Indicators and searching for sourceBrands:"RSS Feed" log4j.

  2. Start researching the Log4j issue by clicking the relevant entry.

  3. Create a report by selecting Threat Intel Reports → New Threat Intel Report.

  4. Complete the fields.

    Each report type has different fields. After you create the report you can update all fields.

  5. Create the report.

  6. Edit the fields as required.

    For example, you may want to add the RSS feeds to the relationship fields as well as the CVE file that it relates to.

  7. In the Overview/Summary section, to use the Markdown editor, click M.

    When finished, select Preview and then save.

  8. (Optional) Mark the report for review and send it to one of your colleagues for review.

  9. Publish the report which will be shared among a wider group.

    You have the option to share it via PDF for a wider reach.

The security team needs to perform due diligence, ensuring the organization has not been impacted by newly collected intelligence. Querying historical log data is a slow and tedious process for analysts (after acquisitions, organizations have multiple log stores). Additionally, running taxing historical queries is not possible during working hours, as compute resources are prioritized for SOC operations. The security team needs to automate this task during non-peak hours.

  1. Configure feed integrations such as Unit 42 ATOMs feed, TAXII feed, etc.

  2. (Optional) Configure a playbook to filter indicators according to your requirements.

    For example, the TIM - Indicator Auto Processing playbook identifies indicators that shouldn’t be added to a block list, such as IP indicators that belong to business partners or important hashes you do not wish to process.

  3. Define a job that is triggered by delta in feed, so that the playbook runs whenever new indicators are fetched.

  4. To push the processed indicators to a SIEM, use the TIM - Add All Indicators Types to SIEM playbook.

  5. Define a time-triggered job to push the indicators to the SIEM.