This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Automatic Incident Enrichment with XSOAR

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Automatic Incident Enrichment with XSOAR

JosephCosgrove
L1 Bithead
‎12-16-2022 06:43 AM

automatic-enrichment-xsoar.jpg

 

One of the challenges when performing a security investigation is the endless stream of alerts with little to no context. Analysts are  often overwhelmed, with too little time to separate the noise from the high-severity alerts. Automatic Incident enrichment with XSOAR speeds up the triage process and assists the analysts to make an informed decision by providing the bigger picture in a single pane of glass. 

 

Using what we’ve learned in the previous article, let's take a look at how indicators are automatically created, and enriched using the VirusTotal integration. 

 

Using what we’ve learned in the previous blog, Integrating Cortex XSOAR and VirusTotal for Maximum Incident Response and Investigation, let's take a look at how indicators are automatically created, and enriched using the VirusTotal integration. 

 

  1. Navigate to the incidents page, and click “New Incident.” With the new incident form open add some IOCs that you want to extract and enrich with the Virus Total integration. (I used some IP addresses from the abuse.ch feed for demonstration purposes, but you can use whatever you want.)
  2. For training purposes, leave the Incident Type set to Unclassified and use the default playbook. The details section should contain the Indicators of Compromise and data that you want to extract and enrich.

 

JosephCosgrove_0-1671135352540.png

 


Now that we have created the incident manually, you will see the indicators are automatically extracted and the reputation has been calculated using the Virus Total Integration. 

 

 

JosephCosgrove_1-1671135352612.png

 

Monitoring Integration API Usage and Enrichment Commands

 

Clicking on an indicator you can see the verdict, as well as the enrichment source. If you have configured any other sources besides Virus Total, they would appear here as well.

 

Lastly, you can monitor your API usage with the built-in API metrics dashboards on the homepage.

 

JosephCosgrove_2-1671135352659.png

 

JosephCosgrove_3-1671135352563.png

 

In Summary:

 

Automatic incident enrichment  leverages Indicator extraction in order to take different text sources in the system (such as War Room entries, email content, etc), extracts them (usually based on regex) and creates indicators in Cortex XSOAR. After extraction, the indicator can be enriched. Indicator enrichment takes the extracted indicator and provides detailed information about the indicator (from open ports to whois information, etc). It provides a story about the indicator, based on an enrichment feed such as VirusTotal, IPinfo, etc.

 

Note: There are several methods for performing indicator extraction. Some of which are less resource intensive than others and utilize less disk space (since you are only extracting what you specifically choose, Ex. the body of an email). I would suggest reading about the different modes using the incident type method as a starting point. Additionally, the Customer Success team has put together an excellent engineer training series that we highly recommend.

 

Cortex XSOAR 

Cortex XSOAR
Thumbnail of Cortex XSOAR
Palo Alto Networks
Cortex XSOAR
Security Operations
View on Product Page
  • 3783 Views
  • 0 comments
  • 2 Likes
Register or Sign-in
Labels
Popular Blogs
Top Liked Authors
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks