Cortex XSOAR Popular Packs

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Community Team Member

XSOAR Popular Packs blog.jpg

This blog written by Srikanth Ramesh.

 

 

Introduction

This blog will highlight a couple of the most downloaded packs in the XSOAR Marketplace. It will also provide a brief summary of these packs and why they are more commonly used. This could also help new customers to XSOAR with introduction adopt these packs and begin their automation journey.

 

Content Packs - XSOAR:

XSOAR can be divided into two (2) major components. Platform - Which is the base application that runs as a service on Linux and includes the UI ,DB, User management, Incidents and indicators. Content - This includes playbooks, automations, integrations, custom fields, reports, dashboards. Content is part of the application that runs on the platform. It enables users to customize XSOAR's look, feel and use - while not changing the platform.

 

The XSOAR Content Pack is a collection of various content items used to achieve a specific use case with the XSOAR system. Most content packs are created around integrations with a specific product, so such packs will have an integration for example, MITRE. Along with this it will also have custom fields, reports, dashboards, playbooks, automation. This will make it easier to integrate MITRE with your security goals.

We also have content packs not built around integrations, but around use cases such as Phishing or Malware investigation. These packs will of course need various integrations, however, the pack will make it simpler for you to build an entire use case in your SOC with various tools that you may have.

 

To begin with one of the most useful packs:

 

Pack 1: Phishing

The pack is primarily designed to help you handle a phishing email that slips through your perimeter controls such as email security. It is identified and reported by a user.

 

Different parts of the phishing pack can also process an alert from an email security solution that detects suspicious emails.

Email Secuirty Solutions.jpg

 

There are a lot of tools from the pack that can assist in identifying viruses and phishing emails based on their indicators. The machine learning model can help classify an email based on the source from which the email originated, the keywords in the emails, etc. Once this is identified this pack enables you to respond to the email by searching and deleting it and/or blocking the source at your perimeter to not receive such emails again.

 

The pack has an add-on which also detects and handles a campaign (which is a targeted attack on an organization).

Link to Phishing PackLink to more information on Phishing Pack | Link to Phishing Campaign pack

 

Pack 2: MITRE ATT&CK

MITRE ATT&CK pack includes an integration with the MITRE framework. With this integration you can download all MITRE techniques as indicators* in XSOAR or retrieve this information on a ad-hoc basis using command. This is when a technique is found in an incident. Based on the technique you can then link an incident to the technique in XSOAR. This can help analysts understand the attack and take relevant actions to mitigate it.

Incidents Dashboard Sample.jpg

 

There are also a dashboard which can give you a view on the number of incidents in each TACTIC. This is so that you can understand the strength of your detections and identify areas of improvement.

MITRE ATT&CK Techniques.jpg

 

Please note: Without a TIM License, there will be limitations on the number of indicators retrieved.

 

Link to MITRE ATT&CK Pack

 

Thank you for reading and welcome to the Automation journey.

  • 5028 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Labels
Top Liked Authors