Playbook construction


L0 Member

I would like to ask the community if perhaps someone has created a playbook that takes in Snort/Suricata alert data. I am looking at creating an automated block process that will compare an IDS alert with a Threat notification from the PAN. If the src_ip, src_port, dst_ip, dst_port and timestamp match and the firewall took no action on the threat, then I will add the external src_ip to the Indicators database, make the Verdict "suspicious", set the Expiration Date to 30 days, add both the IDS and Threat log data to "Comments" to show the reason for the block, and tag the new entry as "block_external_ips", "ids" and "pan threat", so that it gets added to the EDL that will be picked up by the Firewall. It would be helpful if someone had an IDS-related playbook that they would be willing to share to start this process.


Thanks
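The correlation and indicator-building logic the question describes, written here as an added example in plain Python (not a playbook from the original post or from the XSOAR content repository). The record field names, the "external" address ranges and the treatment of PAN-OS threat log actions "alert"/"allow" as "took no action" are assumptions; the sample records are constructed, and the result is the field set you would hand to your indicator-creation step.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real logs). Field names are assumptions;
# map your Snort/Suricata and PAN-OS threat log parsers onto them.
IDS_ALERT = {"timestamp": "2024-05-01T10:15:30Z", "src_ip": "203.0.113.10",
             "src_port": 51234, "dst_ip": "10.0.0.5", "dst_port": 443,
             "signature": "CONSTRUCTED-SIG inbound scan"}
PAN_THREAT = {"timestamp": "2024-05-01T10:15:30Z", "src_ip": "203.0.113.10",
              "src_port": 51234, "dst_ip": "10.0.0.5", "dst_port": 443,
              "action": "alert", "threat_name": "CONSTRUCTED-THREAT"}

MATCH_KEYS = ("src_ip", "src_port", "dst_ip", "dst_port")
# PAN-OS threat log actions meaning the firewall only logged the session.
NO_ACTION = {"alert", "allow"}
# Assumption: "external" means outside these internal/special ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def correlate(ids, pan, tolerance_s=0):
    """True when the 5-tuple matches (timestamps within tolerance_s seconds;
    0 = exact, as the post asks) and the firewall did not block the threat."""
    if any(ids[k] != pan[k] for k in MATCH_KEYS):
        return False
    delta = abs((parse_ts(ids["timestamp"]) - parse_ts(pan["timestamp"])).total_seconds())
    return delta <= tolerance_s and pan["action"].lower() in NO_ACTION

def build_indicator(ids, pan, now=None):
    """Return the indicator fields from the post, or None when the pair does
    not correlate or the source is not an external address."""
    if not correlate(ids, pan) or not is_external(ids["src_ip"]):
        return None
    now = now or datetime.now(timezone.utc)
    return {
        "value": ids["src_ip"], "type": "IP", "verdict": "Suspicious",
        "expiration": (now + timedelta(days=30)).isoformat(),
        "comments": ("IDS: " + json.dumps(ids, sort_keys=True) +
                     "\nPAN threat: " + json.dumps(pan, sort_keys=True)),
        "tags": ["block_external_ips", "ids", "pan threat"],
    }
```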

1 REPLY

L2 Linker

Hey @jpadro, this seems like something that you could also raise as a feature request in our Aha portal, to have such a playbook (or more likely something a bit more generic).

Our R&D team is always happy to receive suggestions for playbooks and other content items.

The portal is https://xsoar.ideas.aha.io/, make sure to be as detailed as you can, and to not share any personal information as this is a public community.
