aarrateg/SXO-Umbrella-Third-Party-IOC-Investigation

Features

The workflow takes a JSON file from the web, which is the description of a threat feed, including observables, and automatically parses it and processes it through Threat Response.
The source JSON file is formatted according MISP (https://www.misp-project.org/), which is a well known format for sharing threat information.
Particular attention is given to the observables which are NOT known as malicious by the Security products which are integrated in Threat Response. In fact, the 3rd party feed might contain a threat indication which is not yet known to Talos, and therefore not blocked. That's why the workflow is named "False Negative Check".
In case there are observables which are not yet known as malicious, they are stored in a new Casebook. In this case, a further analysis is done, to find if there are any affected targets: in this case, a new Incident is created.

Here are the workflow steps:

Get Indicators - Make a generic http request to a web hosted IOC JSON file in MISP format, parse it and store the indicators.
Parse IOCs - Parse the observable types, using SecureX Threat Response Inspect API.
Enrich Observables - with SecureX Threat Response Enrich API to find any global sightings (in integrated threat feeds) and more importantly local sightings/targets (in integrated security modules like Umbrella, AMP, etc.). Filter what is considered NOT malicious, and store these observables in a table. (Note: focusing on NON malicious IoCs here, because we are assuming that the malicious ones have already been blocked by the security products, and we want to investigate on unknown threats, instead.)
Create Casebook - Format the observables in the right JSON, and use CTR to create a new casebook.
Create Incident - If there are targets in the network, also create an Incident and link it to the Casebook.

The Casebook creation and the Incident creation will also be notified to Webex Teams, with all the details of the observable and the targets found.

Note: Please test this properly before implementing in a production environment. This is a sample workflow!

An HTTPS target hosting the JSON file to be fetched. In the sample, a target named "Dropbox" is being used.
CTR_For_Access_Token (default)
CTR_API (default)
Webex Teams

Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:

In the left hand menu, select Variables.
Configure the required global variables, as listed in the section Required Global Variables above:

Webex Teams Room. String Containing the Webex Room where alerts should be pushed.

In the left pane menu, select Workflows. Click on IMPORT to import the workflow.

Make sure to import all the Atomic action listed above, in the section named Required Atomic Workflows. Please don't use IMPORT AS A NEW WORKFLOW (CLONE), because you need to make sure that the main workflow finds the original atomic actions identifiers.

In the left pane menu, select Workflows. Click on IMPORT to import the workflow.

Click on Browse and copy paste the content of the False Negative Check-MispFeed.json file inside of the text window. Select IMPORT AS A NEW WORKFLOW (CLONE) and click on IMPORT.

Configure the required targets and accounts, as listed in the sections Required Targets above.

Configure the required targets and accounts, as listed in the sections Required Account Keys above.

Make sure that the HTTPS server that you're using in the very first action contains a JSON file describing the threat feed, formatted according to MISP standard. A sample file can be found in this repository, as sample-observable-feed.json.

Please test this properly before implementing in a production environment. This is a sample workflow!

Pier Paolo Glave, Aritz Arrate Galan, Mickael Pontoizeau, Juan Miguel Aguayo
(Cisco)