This workflow automates, inside SecureX Orchestrator, an investigation based on the IOCs published weekly in the Talos Threat Roundup blog, to determine whether any of those threats has had an impact in your environment.
Simplify threat hunting: gives security analysts the ability to investigate the most prevalent threats that Talos has observed over the current week and converts the results into a SecureX casebook.
SOC task automation: this workflow can be scheduled to run periodically at the Talos blog publication time, so that the investigation is carried out immediately once the blog is available.
Every Friday evening, US time, Talos is publishing a glimpse into the most prevalent threats they have observed over the current week.
For each threat described in the weekly roundup blog, an accompanying JSON file containing the complete list of file hashes, as well as all other IOCs from the post, can be retrieved with an HTTPS request to the Talos-hosted roundup IOCs. The HTTPS request is directed to the following resource:
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/<URL_ID>/original/YYYYMMDD-tru.json.txt
where YYYYMMDD is the publication date and DD stands for the calendar day of the publication (remember, always a Friday!). For instance, the JSON file containing all the IOCs related to the most prevalent threats they have observed between Jul. 16th and Nov. 23rd will have the following link:
where the <URL_ID> assigned by TALOS to this publication is 597.
The <URL_ID> increments each week. The workflow automatically increases the <URL_ID> and checks whether the resulting URL is valid. Once a valid <URL_ID> is found, it is recorded in the SecureX Orchestrator global variable Talos_URL_ID, so that it is remembered the following week and the next run starts from the stored Talos_URL_ID value.
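How the URL is built and the <URL_ID> discovered, as an added Python example that is not the workflow's own code (SecureX Orchestrator workflows are not written in Python); the injected probe and sleep callables and the 50-step search bound are assumptions, not something the README specifies:

```python
# Added example (not the workflow's or Talos' own code): builds the weekly
# Talos Threat Roundup IOC URL from the README's path template, discovers the
# next valid <URL_ID> starting from the stored Talos_URL_ID, and applies the
# README's retry parameters. `probe` and `sleep` are injected callables
# standing in for the HTTPS request and the Orchestrator sleep (assumption).
from datetime import date, timedelta

URL_TEMPLATE = ("https://s3.amazonaws.com/talos-intelligence-site/production/"
                "document_files/files/000/095/{url_id}/original/{ymd}-tru.json.txt")

def last_friday(today: date) -> date:
    """Talos publishes on Fridays: the most recent Friday (today if it is one)."""
    return today - timedelta(days=(today.weekday() - 4) % 7)

def roundup_url(url_id: int, published: date) -> str:
    """Fill the README's template: <URL_ID> plus the publication date as YYYYMMDD."""
    return URL_TEMPLATE.format(url_id=url_id, ymd=published.strftime("%Y%m%d"))

def find_url_id(stored_id: int, published: date, probe, max_increment: int = 50):
    """Increment the stored Talos_URL_ID until probe(url) says the resource exists.
    max_increment bounds the search (an assumption; the README states no bound).
    Returns (url_id, url), the value to write back to Talos_URL_ID, or None."""
    for url_id in range(stored_id, stored_id + max_increment):
        url = roundup_url(url_id, published)
        if probe(url):
            return url_id, url
    return None

def fetch_with_retry(stored_id: int, published: date, probe,
                     max_number_retry_iterations: int, retry_interval: int, sleep):
    """Retry the discovery as the README describes: sleep retry_interval seconds
    between attempts and give up (notify and quit) after max_number_retry_iterations.
    Returns ((url_id, url) or None, attempts_used)."""
    for attempt in range(1, max_number_retry_iterations + 1):
        found = find_url_id(stored_id, published, probe)
        if found is not None:
            return found, attempt
        if attempt < max_number_retry_iterations:
            sleep(retry_interval)
    return None, max_number_retry_iterations

def rewind_url_id(current_id: int) -> int:
    """Value to store in Talos_URL_ID before re-running against a past roundup
    (the README's 'subtract 50' rule, e.g. 550 -> 500)."""
    return current_id - 50
```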
Option: import through the GitHub repository (configure the Git repository in SecureX Orchestrator with the Cisco Code Exchange -> Explore -> Repository where the workflow is published).
Option: paste the JSON or upload the workflow file to import it.
Please note that these values have (required) defaults in the variables defined in the workflow properties. You can change the defaults there.
max_number_retry_iterations is the maximum number of retries the workflow performs in case the IOCs have not been published yet for the week. Between retries, the workflow sleeps for retry_interval. When max_number_retry_iterations is reached, the workflow sends a notification and quits; it will then be activated again at the next schedule trigger.
retry_interval is the sleep time between retries (in seconds).
webex_bot_token lets you specify a different Webex Teams bot token in case you do not want to use the configured one.
email_recipients is the comma-separated list of recipients for notifications.
talos_blog_uri lets you manually insert the URI of the IOCs of a specific Talos Roundup.
webex_room_name specifies the name of the Webex Teams room. Please note that if no room exists with the provided name, one will be created.
Then click RUN.
If you wish to run the workflow again against a past Talos Roundup blog, first modify the global variable Talos_URL_ID by subtracting 50 from the current value. For instance, if the current value of the global variable Talos_URL_ID is 550, change it to 500.
Through a Schedule trigger, we program the workflow to start every Friday evening (the schedule trigger setup is outside the scope of this README; follow the Schedule capability that SecureX Orchestrator offers). The option also exists to enter a blog URI manually in case we wish to run the workflow against a previously published blog.
Once the workflow starts, the first step is to build the URI of the blog for the current week, then make an HTTPS request to retrieve the JSON file describing the threats and IOCs.
In case the URI resource (the JSON file) is not published yet, a retry mechanism in the workflow checks at a configurable interval whether the JSON file has become available.
Once the JSON file is available, an HTTPS request retrieves the IOCs, some clean-up is done, and the threats with their associated descriptions and IOCs are stored in a table.
A notification is sent via email and Webex Teams message to inform that the automatic investigation has started, together with a summary of the identified threats and their respective descriptions.
Then, for each threat, the IOCs are extracted from the JSON file and parsed.
The verdict of each IOC is checked, and those with a Clean verdict are omitted from the investigation in order to reduce false positives.
The actual investigation is then launched through the enrichment process, based on the final list of IOCs for the threat currently being analyzed, against the customer's integrated security solutions and intelligence sources (public and private).
For each security module that answered (and contributed) during the enrichment process, the returned information is checked to determine whether the customer environment has been impacted. For this we loop through each security module that replied during enrichment, and for each target reported we post on Webex Teams and send an email with preliminary information such as the target details, the security module that provided the information, and the sightings.
Once all security modules have been processed, if we do have targets in the customer environment related to the threat under investigation, a new casebook is created with all the IOCs related to the threat, and the casebook link and ID are shared by posting in Webex Teams and via email.
In case no targets have been found, an informational message is sent out anyway.
https://www.youtube.com/watch?v=5ZchL_qsRPc
Please send your comments and suggestions to Nicola (pfiano@cisco.com)
Security teams are often too focused on dealing with daily incident response fires to dedicate time to proactive and scheduled threat hunting operations to catch emerging threats in their environments. Even when they have enough time to execute threat hunting exercises, correlating intelligence from multiple threat feeds unfortunately is a manual, repetitive exercise that does not leave enough time for decision-making.
As we all know, every Friday evening, US time, Talos publishes a glimpse into the most prevalent threats they have observed over the current week.
As a SOC analyst religiously following those blogs, you would first want to understand whether any of those threats has had an impact in your environment. Questions immediately arise: Have we seen these observables? Are these observables suspicious or malicious? Which endpoints have the malicious files or have connected to a domain or URL? What can I do about it right now?
Can we automate all of this? The answer is yes!
Traditionally, security analysts would take a "swivel chair" approach to such an investigation, employing a sequence of manual actions and manually correlating the information gathered throughout the investigation. Thanks to the orchestration capabilities provided by SecureX and the TALOS Weekly Roundup Blog Investigation workflow, security teams can now schedule this workflow to execute.
By replacing low-level manual tasks with corresponding automations, this workflow can shave large chunks off incident response times while also improving accuracy and security analyst satisfaction.
Since low-level tasks are automated and processes are standardized with this workflow when investigating the most prevalent threats that Talos has reported during the current week, analysts can spend their time on more important decision-making and charting future security improvements rather than getting mired in grunt work.
By automating repeatable actions and minimizing console-switching, security orchestration enables customer security teams to coordinate among multiple products easily and extract more value out of existing security investments.
Through step-wise, replicable workflows like this one, security orchestration can help standardize incident enrichment and response processes, which increases the baseline quality of response and is primed for scale.
The sum of all the aforementioned benefits is an overall improvement of the customer's security posture and a corresponding reduction in security and business risk.
https://developer.cisco.com/learning/modules/SecureX-orchestration