This blog was written by Srikanth Ramesh.
This blog highlights a couple of the most downloaded packs in the XSOAR Marketplace, with a brief summary of each pack and why it is so commonly used. It can also help customers new to XSOAR adopt these packs and begin their automation journey.
Content Packs - XSOAR:
XSOAR can be divided into two (2) major components. Platform - the base application that runs as a service on Linux and includes the UI, DB, user management, incidents and indicators. Content - playbooks, automations, integrations, custom fields, reports and dashboards. Content is the part of the application that runs on the platform; it lets users customize XSOAR's look, feel and use without changing the platform itself.
An XSOAR Content Pack is a collection of content items used to achieve a specific use case with the XSOAR system. Most content packs are built around an integration with a specific product, so such a pack contains the integration (for example, MITRE) together with the custom fields, reports, dashboards, playbooks and automations that go with it. This makes it easier to fit MITRE into your security goals.
We also have content packs built not around an integration but around a use case, such as Phishing or Malware investigation. These packs will of course need various integrations, but the pack makes it simpler to build the entire use case in your SOC with the tools you already have.
To begin with one of the most useful packs:
Pack 1: Phishing
The pack is primarily designed to help you handle a phishing email that slips through perimeter controls such as email security and is then identified and reported by a user.
Different parts of the phishing pack can also process an alert from an email security solution that detects suspicious emails.
The pack provides many tools that help identify viruses and phishing emails based on their indicators. Its machine learning model can classify an email based on the source it originated from, the keywords in the email, and so on. Once an email is identified, the pack lets you respond by searching for and deleting it and/or blocking the source at your perimeter so that such emails are not received again.
The pack has an add-on that also detects and handles a campaign (a targeted attack on an organization).
Link to Phishing Pack | Link to more information on Phishing Pack | Link to Phishing Campaign pack
Pack 2: MITRE ATT&CK
The MITRE ATT&CK pack includes an integration with the MITRE framework. With this integration you can download all MITRE techniques as indicators* in XSOAR, or retrieve this information on an ad-hoc basis using a command when a technique is found in an incident. You can then link the incident to that technique in XSOAR, which helps analysts understand the attack and take relevant actions to mitigate it.
There is also a dashboard that shows the number of incidents in each tactic, so you can gauge the strength of your detections and identify areas for improvement.
*Please note: without a TIM license, there will be limitations on the number of indicators retrieved.
Link to MITRE ATT&CK Pack
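As an added illustration (not code from the pack or from XSOAR), this is the aggregation behind an incidents-per-tactic view: MITRE publishes ATT&CK as STIX 2 bundles, so the snippet parses a small constructed bundle into a technique-to-tactic map and counts constructed incident records per tactic, reporting any technique ID the feed did not contain, which is what you would see when the indicator fetch is capped.

```python
import json
from collections import Counter

# Constructed STIX 2 bundle with two attack-pattern objects (the format ATT&CK
# is published in); the real feed carries hundreds of techniques.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "attack-pattern", "name": "Phishing",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
    {"type": "attack-pattern", "name": "Valid Accounts",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in
                           ("initial-access", "persistence", "privilege-escalation", "defense-evasion")]},
    {"type": "relationship", "relationship_type": "uses"},  # non-technique objects are skipped
]})

# Constructed incidents, each linked to technique IDs the way the pack does.
SAMPLE_INCIDENTS = [{"id": 1, "techniques": ["T1566"]}, {"id": 2, "techniques": ["T1566", "T1078"]},
                    {"id": 3, "techniques": ["T1078"]}, {"id": 4, "techniques": ["T9999"]}]

def technique_tactics(bundle_json):
    """Map each ATT&CK technique ID (e.g. T1566) to its tactic names (kill-chain phases)."""
    mapping = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        ids = [r["external_id"] for r in obj.get("external_references", [])
               if r.get("source_name") == "mitre-attack" and "external_id" in r]
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        for tid in ids:
            mapping[tid] = tactics
    return mapping

def incidents_per_tactic(incidents, mapping):
    """Count incidents per tactic as the pack's dashboard does. A technique spanning
    several tactics counts its incident once under each; technique IDs missing from
    the feed are returned separately so a gap (e.g. a capped fetch) stays visible."""
    counts, unknown = Counter(), set()
    for inc in incidents:
        tactics = set()
        for tid in inc.get("techniques", []):
            if tid in mapping:
                tactics.update(mapping[tid])
            else:
                unknown.add(tid)
        counts.update(tactics)
    return counts, unknown
```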
Thank you for reading and welcome to the Automation journey.