This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Playbook of the Week: Automating Cortex XDR Investigation and Response

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Playbook of the Week: Automating Cortex XDR Investigation and Response

yle
L2 Linker
‎08-24-2022 08:51 AM

playbook-Cortex XDR-Investigation-response_PAN.jpg

 

When responding to a security incident, triage, analysis, enrichment and remediation all can be time consuming and error prone processes, especially when responding and managing these attacks requires security teams to reconcile data from multiple sources. Often, by doing so, valuable time is lost shuttling between screens and executing repeatable tasks while an attack continues to manifest. 

 

Today we’ll look at how SOC teams are able to utilize the best of both XDR’s extended endpoint threat detection and response with XSOAR’s workflow automation, orchestration and threat intelligence capabilities to become more effective using the Palo Alto Networks Cortex XDR — Investigation and Response content pack

 

Automating XDR Incident Response

 

Cortex XDR is a detection and response platform that natively integrates network, endpoint, and cloud data to stop sophisticated attacks. By standardizing the XDR incident response and automating response with the Cortex XDR — Investigation and Response content pack, Cortex XSOAR decreases the mean time to detect by automating the collection of enrichment data, and providing centralized tracking. The pack includes out-of-the-box Cortex XDR incident type views with incident fields and layouts to aid analyst investigations, which are all easily customizable to suit the needs of each unique organization.

 

 

Default Cortex XDR layout provided by the content packDefault Cortex XDR layout provided by the content pack

 

What Does the Cortex XDR - Investigation and Response Content Pack Do?

 

This content pack contains the Palo Alto Networks Cortex XDR Investigation and Response integration that enables direct execution of Cortex XDR actions within Cortex XSOAR. It also performs bidirectional incident updates between Cortex XDR and Cortex XSOAR. Plus, it enables the following workflows:

  • Device Control Violations — Fetch device control violations and enrich data from XDR incidents and communicate with the user to determine the reason the device was connected.
  • XDR Incident Handling — Compare similar incidents in Palo Alto Networks Cortex XDR and Cortex XSOAR, identify duplicate incidents, and update the incidents appropriately using the Cortex XDR Incident Handling v3 playbook (as seen in image 2 below).
  • Threat Hunting And Detection — Extract IOCs from the investigation and run them across the organization to check if there are any other compromised accounts or endpoints with the same information that was detected in this alert.
  • AWS User Access Investigation — Investigates and responds to Cortex XDR Cloud alerts where an AWS user's access key is used suspiciously to access the cloud environment.
  • Enhanced Threat Detection with IOC Synchronization — Operationalize threat intelligence feeds and ensure the detection and response controls are leveraging the threat Intel feeds to push IOCs to XDR to enable better threat detection.

 

For more details on all the different playbooks options available within the XDR and XSOAR content pack, check out the blog “XDR + XSOAR: A Dynamic Duo”.

 

The playbooks included in this pack help you save time and keep your incidents in sync. They also help automate repetitive tasks associated with Cortex XDR incidents, such as:

 

  • Syncs and updates Cortex XDR incidents.
  • Triggers a sub-playbook to handle each alert by type.
  • Extracts and enriches all relevant indicators from the source alert.
  • Hunts for related IOCs.
  • Calculates the severity of the incident.
  • Interacts with the analyst to choose a remediation path or close the incident as a false positive based on the gathered information and incident severity.
  • Remediates the incident by blocking malicious indicators and isolating infected endpoints.

 

It is without a doubt that the Cortex portfolio of products is designed to make the life of a security analyst better, faster and more efficient when it comes to detecting and responding to today’s security threats. The beautiful thing about the Cortex family of products is the ability to use each platform in conjunction with one another for maximum results. 

 

Watch the video below for a detailed overview of the XDR and XSOAR Integration. For more information on the Cortex XDR Content Pack, visit our Cortex XSOAR Developer Docs.

 

 

 

 

Don’t have Cortex XSOAR? Download our free Community Edition today to test out this playbook and hundreds more automations for common use cases you deal with daily in your security operations or SOC. 

 

 

Please Suggest Other Ideas or Vote!

If you like these ideas or would like to suggest other ideas, please collaborate with us through the Cortex XSOAR Aha page.

 

Labels:
0 Likes Likes
  • 3537 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Labels
Popular Blogs
Top Liked Authors
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks