ThreatConnect developed the Playbooks functionality to help analysts automate time-consuming and repetitive tasks so they can focus on what is most important. You can also communicate with third-party services to trigger events outside of ThreatConnect.

Why Was the Playbook Created?

Threat intelligence is far reaching in today's highly diverse and global infrastructure, so we wanted a way to set the wheels of AWS in motion based on certain criteria in TC. With AWS SNS you have a single, reliable point of entry to start AWS services and send user notifications; here are a few examples.

  • SMS
  • Email
  • Mobile Push Notifications
  • Lambda Functions
  • SQS

We also released the SNS TC Playbook app as open source to give you a starting point for the simple code required to extend the best TIP into the world's largest cloud provider.

What are some use cases?

  • Send alerts to your IR team using multiple methods
  • Add an item to a worker queue for later processing, such as checking your user database for newly discovered spam accounts
  • Run a Lambda function to take a snapshot of a URL at the time the indicator is added to TC and associate a PDF back to that URL Indicator

How It Works

We have included a sample PlayBook in the GitHub repo called "AWS-SNS-Integration-PlayBook.pbx" that you can import directly into your ThreatConnect instance.

In this example we use an Indicator Trigger to start the playbook when an Address Indicator is created. We could have used any indicator type or any action on those indicators, such as an Email Address being deleted or a tag being applied to a Host.

[Screenshot: Address Indicator trigger in the ThreatConnect Playbook]

So whenever a new Address Indicator is created in TC, this PlayBook will start executing the Send SNS app.

[Screenshot: Indicator attributes, including the ThreatAssess score]

Here we have access to various attributes of the Address, such as the address itself, the owner, the ThreatAssess score, the confidence rating and a link back to the ThreatConnect details page.

[Screenshot: AWS workflow configuration in ThreatConnect]

This information is passed up to SNS in the message parameter for later use in your AWS workflow. We also log an "sns.debug" string variable that will show either the SNS MessageID or debugging information if the SNS call failed.
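As an added example (not the code of the open-source SNS TC Playbook app), here is how the Send SNS step can be modelled in Python: an allow-listed set of indicator fields is serialised into the SNS message parameter, and the outcome of the publish call becomes the "sns.debug" string. The field names, topic ARN, details link and the stub client are constructed placeholders; with a real boto3 client, publish raises botocore.exceptions.ClientError on failure.

```python
import json
from datetime import datetime, timezone
# Constructed sample Address Indicator, shaped like the trigger fields the post
# lists (address, owner, ThreatAssess score, confidence, details-page link).
SAMPLE_INDICATOR = {
    "summary": "203.0.113.42",  # TEST-NET-3 documentation address
    "owner": "Example Org",
    "threatAssessScore": 650,
    "confidence": 80,
    "webLink": "https://tc.example.invalid/indicator/PLACEHOLDER-ID",
}
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:tc-indicators"  # placeholder

def build_message(indicator: dict) -> str:
    """Serialise only an allow-list of fields as JSON, so nothing else in the
    TC record leaves the platform through the topic."""
    fields = ("summary", "owner", "threatAssessScore", "confidence", "webLink")
    payload = {name: indicator.get(name) for name in fields}
    payload["type"] = "Address"
    payload["observedAt"] = datetime.now(timezone.utc).isoformat()
    return json.dumps(payload, sort_keys=True)

def send_sns(client, topic_arn: str, indicator: dict) -> str:
    """Publish the indicator and return the "sns.debug" string: the MessageId
    on success, the error text on failure, as the post describes.
    `client` is anything with a boto3-style publish(TopicArn=, Message=,
    Subject=) method (assumption): boto3.client("sns") or the stub below."""
    try:
        resp = client.publish(
            TopicArn=topic_arn,
            Message=build_message(indicator),
            Subject=f"New Address Indicator: {indicator.get('summary')}",
        )
        return f"MessageId={resp['MessageId']}"
    except Exception as exc:  # boto3 raises botocore ClientError on API errors
        return f"SNS publish failed: {exc}"

class FakeSnsClient:
    """Constructed stand-in for boto3.client('sns') so the example runs offline."""
    def __init__(self, fail: bool = False):
        self.fail, self.published = fail, []
    def publish(self, **kwargs):
        if self.fail:
            raise RuntimeError("AuthorizationError: not authorized to Publish")
        self.published.append(kwargs)
        return {"MessageId": "00000000-0000-0000-0000-000000000001"}

if __name__ == "__main__":
    print(send_sns(FakeSnsClient(), TOPIC_ARN, SAMPLE_INDICATOR))
    print(send_sns(FakeSnsClient(fail=True), TOPIC_ARN, SAMPLE_INDICATOR))
```

Swapping the stub for boto3.client("sns") is the only change needed to publish to a real topic; the IAM role running the app needs only sns:Publish on that one ARN.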

For this demo I used an SNS topic that sends me an email with the Address and the ThreatConnect Owner.

[Screenshot: demo email notification from the SNS topic]

We hope this gives you inspiration to write your own PlayBooks and integrations; you can find more information on this project's GitHub page or by looking at the ThreatConnect Developer Documentation.

Happy Defending Your Network!

Read the rest of the Playbook Fridays blog series:

Playbook Fridays: How to Build a Playbook in ThreatConnect

Playbook Fridays: Enriching Indicators with Shodan

The post Playbook Fridays: How to Control the Cloud with Playbooks appeared first on ThreatConnect | Enterprise Threat Intelligence Platform.
