This is a sample script that parses the Cisco Talos blog (and other blogs!), checks for Target Sightings, and automatically adds the observables to a SecureX Casebook case. This lets security researchers and threat responders in a SOC quickly see whether the observables published by Talos have been seen in their own environment, by leveraging SecureX Threat Response (SxTR). The script reads its settings from a JSON file: the SecureX API client credentials, the Webex access token and room, and the list of feeds to poll, each with the cached ETag / Last-Modified values used to skip feeds that have not changed since the last run. Placeholders in angle brackets are yours to fill in; keep this file out of version control, since it holds the client secret and the Webex token.
{
  "client_id": "<your_client_id>",
  "client_secret": "<your_client_secret>",
  "last_etag": "",
  "last_modified": "",
  "webex_access_token": "<your_webex_access_token>",
  "webex_room_id": "<your_webex_room_id>",
  "url_feeds": [
    {
      "feed_name": "[Talos RSS Feed]",
      "rss_url": "http://feeds.feedburner.com/feedburner/Talos",
      "last_etag": "",
      "last_modified": 0
    },
    ...
  ]
}
Install the dependencies and run the script:

pip3 install -r requirements.txt
python3.6 rss_feed_to_casebook.py
The internet contains many free sources of threat intelligence that can be used in addition to Cisco Talos. Using the SecureX Threat Response API, it is possible to harvest these and discover related security events inside your own environment. A large community shares new "observables" (e.g. IP addresses, domains, file hashes) related to new cyber attacks and malware campaigns, and it is important to stay up to date with the threats emerging all over the world. At the same time, it is widely known that there are not enough skilled people to staff every Security Operations Center (SOC), so many organizations struggle to cope with the volume of new types of attacks.
The Cisco Talos blog is a good example of such a free source of threat intelligence. Cisco Talos is Cisco's threat intelligence research group and publishes its findings on its blog. However, who has the time to read every blog post, check all of their security tools for hits, and act on them? And what about all of the other threat intelligence research groups?
The attached Code Exchange submission contains a sample script that searches the Talos blog for threat- and malware-related observables. It then checks for "Target Sightings" (sightings of those observables on your own assets, as reported by the modules integrated into SecureX Threat Response) and automatically adds the observables to a SecureX Casebook case. If there are hits on internal targets, it adds a "HIGH PRIORITY" tag to the case. It also stores the link to the original blog post in the case description for the analyst's reference, and sends a Webex Teams alert to a configured Space (e.g. the Space used by the SOC). The same script can parse other blogs (e.g. FortiGuard and Unit 42), so organizations can gather other vendors' threat intelligence as well. This allows security researchers and threat responders in a SOC to quickly see, via the SecureX Threat Response API, whether observables from threat intelligence blogs have been seen in their environment.
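The following Python is an added illustration, not the Code Exchange script itself. It shows the offline half of the workflow described above: pull an RSS item apart, refang and extract observables in the type names SecureX Threat Response uses (ip, domain, sha256), turn the cached last_etag / last_modified values from the config into conditional GET headers, and decide from an enrich reply whether any sighting names an internal target so the case gets the "HIGH PRIORITY" tag. The RSS item and the enrich reply are constructed here; the nesting of the reply (data, then per-module data.sightings.docs[].targets) is an assumption about the SxTR response shape, and the dict returned by build_case only mirrors the casebook body at a high level. The network calls (OAuth token, enrich, casebook, Webex) are deliberately left out so the block runs stand-alone.

```python
"""Added example (not the Code Exchange script): the offline part of the
feed-to-casebook workflow. Network calls are left out on purpose."""
import re
import xml.etree.ElementTree as ET

SAMPLE_HASH = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed RSS sample standing in for a fetched feed entry (defanged, as blogs usually are).
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<item>
<title>Example campaign write-up</title>
<link>https://blog.example.test/example-post</link>
<description>C2 at hxxp://malicious-example[.]com/gate and 198.51.100.23.
Dropper SHA256: {hash}</description>
</item>
</channel></rss>""".format(hash=SAMPLE_HASH)

# Keys are the observable type names SecureX Threat Response expects.
PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def refang(text):
    """Undo the common defanging conventions so indicators match the patterns."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def extract_observables(text):
    """Return unique {'type', 'value'} dicts, lower-cased, in order of appearance per type."""
    text = refang(text)
    found, seen = [], set()
    for otype, pattern in PATTERNS.items():
        for value in pattern.findall(text):
            key = (otype, value.lower())
            if key not in seen:
                seen.add(key)
                found.append({"type": otype, "value": value.lower()})
    return found


def parse_feed(rss_xml):
    """Yield one dict per <item>: title, link, and the observables found in its description."""
    root = ET.fromstring(rss_xml)
    for item in root.iter("item"):
        yield {
            "title": item.findtext("title", ""),
            "link": item.findtext("link", ""),
            "observables": extract_observables(item.findtext("description", "")),
        }


def conditional_headers(feed):
    """Map the cached last_etag / last_modified of a feed config entry to conditional
    GET headers, so an unchanged feed answers 304 and is not parsed again."""
    headers = {}
    if feed.get("last_etag"):
        headers["If-None-Match"] = feed["last_etag"]
    if feed.get("last_modified"):
        headers["If-Modified-Since"] = feed["last_modified"]
    return headers


# Constructed stand-in for an enrich reply. The nesting below is an ASSUMPTION about
# the SxTR response layout: a list of per-module results, each with sightings whose
# docs carry a "targets" list when the observable was seen on an internal asset.
SAMPLE_ENRICH = {"data": [
    {"module": "AMP for Endpoints", "data": {"sightings": {"count": 1, "docs": [
        {"observables": [{"type": "sha256", "value": SAMPLE_HASH}],
         "targets": [{"type": "endpoint",
                      "observables": [{"type": "hostname", "value": "ws-0042"}]}]}]}}},
    {"module": "Talos Intelligence", "data": {"verdicts": {"count": 1, "docs": []}}},
]}


def target_sightings(enrich_response):
    """Return (module, target) pairs for every sighting that names an internal target."""
    hits = []
    for result in enrich_response.get("data", []):
        docs = result.get("data", {}).get("sightings", {}).get("docs", [])
        for doc in docs:
            for target in doc.get("targets", []):
                hits.append((result.get("module", "unknown"), target))
    return hits


def build_case(entry, enrich_response, feed_name="[Talos RSS Feed]"):
    """Assemble a case: blog link as description, feed name as tag, and the
    HIGH PRIORITY tag when any observable was sighted on an internal target.
    Field names mirror the casebook body only loosely (hypothetical shape)."""
    tags = [feed_name]
    hits = target_sightings(enrich_response)
    if hits:
        tags.append("HIGH PRIORITY")
    return {
        "title": entry["title"],
        "description": entry["link"],
        "observables": entry["observables"],
        "tags": tags,
        "target_hits": hits,
    }


if __name__ == "__main__":
    for entry in parse_feed(SAMPLE_RSS):
        case = build_case(entry, SAMPLE_ENRICH)
        print(case["title"], case["tags"], [o["value"] for o in case["observables"]])
```

Two practical notes: the IP pattern will also pick up version strings such as "1.2.3.4" from prose, so the real script should let an analyst review the case before it drives automated blocking; and a 304 from the conditional GET is the signal to leave last_etag / last_modified untouched and skip the feed, while a 200 should overwrite them with the new ETag and Last-Modified headers.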
Screenshot of the Webex Teams Space that is used by the SOC: