.. _DTonomy Playbooks:

=====================
Playbooks
=====================

########################
SIEM
########################

--------------------------------------------
Analysis-Enrich Sumologic with ThreatCrowd
--------------------------------------------

* Description: Enrich Sumologic results with ThreatCrowd results
* Integrations: Sumologic, ThreatCrowd

--------------------------------------------
Analysis-Enrich Sumologic With VirusTotal
--------------------------------------------

* Description: Enrich Sumologic results with VirusTotal results
* Integrations: Sumologic, VirusTotal

----------------------------------------
Analysis-Sumologic Compromised Account
----------------------------------------

* Description: Extract compromised accounts, find the associated IPs, then submit them to various threat intelligence services for analysis
* Integrations: Sumologic, VirusTotal, Whois, ASN

----------------------------------------
Analysis-Sumologic Misuse Account
----------------------------------------

* Description: Extract misused accounts, find the associated IPs, then submit them to various threat intelligence services for analysis
* Integrations: Sumologic, VirusTotal, Whois, ASN

----------------------------------------------
Ingestion-Import Elastic Security Detections
----------------------------------------------

* Description: Import security detections from Elasticsearch
* Integrations: Elasticsearch, DTonomy

----------------------------------------
Ingestion-Import Wazuh Detections
----------------------------------------

* Description: Import security detections from Wazuh
* Integrations: Wazuh, DTonomy

----------------------------------------------------------------
IR-Enrich Sumologic with VirusTotal and Export to Spreadsheet
----------------------------------------------------------------

* Description: Enrich Sumologic results with VirusTotal results, then export them as a CSV to a Google Sheet
* Integrations: Sumologic,
  VirusTotal, Google Docs

--------------------------------------------------------------
IR-Enrich Sumologic User Detection with Vulnerability Check
--------------------------------------------------------------

* Description: Enrich Sumologic results with Shodan results
* Integrations: Sumologic, Shodan

----------------------------------------
Response-Compromised Account Alert
----------------------------------------

* Description: Receive a reported compromised account, delete it from AWS IAM and notify an admin by email
* Integrations: AWS, Email

----------------------------------------
Response-Misuse Account Alert
----------------------------------------

* Description: Receive a reported misused account, delete it from AWS IAM and notify an admin by email
* Integrations: AWS, Email

########################
Email
########################

----------------------------------------
Analysis-Phishing Email
----------------------------------------

* Description: Standard workflow that retrieves the reported phishing email, extracts artifacts and submits them to various threat intelligence sites for analysis
* Integrations: Email, UrlScan.io, ASN, HybridAnalysis, VirusTotal, Haveibeenpwned

----------------------------------------------
Analysis-Phishing Email with PDF Decryption
----------------------------------------------

* Description: Same as the standard phishing email playbook above, with the extra step of decrypting the attached PDF and submitting it for file analysis
* Integrations: Email, UrlScan.io, HybridAnalysis, VirusTotal, Haveibeenpwned

----------------------------------------------------
Analysis-Comprehensive Phishing Response Workflow
----------------------------------------------------

* Description: Similar to the standard phishing email playbook above, with the extra step of decoding ProofPoint-encoded URLs before submitting them
* Integrations: ProofPoint, Email, UrlScan.io, HybridAnalysis, VirusTotal, Haveibeenpwned

----------------------------------------
IR-Phishing Email Response with Yara
----------------------------------------

* Description: Retrieve the reported phishing email, create YARA rules based on its content, and also upload them to Splunk
* Integrations: Yara, Email, Splunk

----------------------------------------------
IR-Comprehensive Phishing Response Workflow
----------------------------------------------

* Description: Retrieve the reported phishing email; create YARA rules if the content is malware related, otherwise follow the standard phishing email playbook above
* Integrations: Email, UrlScan.io, ASN, HybridAnalysis, VirusTotal, Haveibeenpwned, Yara

----------------------------------------
Response-Report Phish to Microsoft
----------------------------------------

* Description: Forward a reported phishing email to the Microsoft phishing report email address
* Integration: Email

----------------------------------------
Response-Report Spam to Microsoft
----------------------------------------

* Description: Forward a reported spam email to the Microsoft spam report email address
* Integration: Email

----------------------------------------
Utility-Delete Outlook Email
----------------------------------------

* Description: Demo of how to delete an email from Outlook
* Integration: Outlook

----------------------------------------
Utility-Forward Email as Attachment
----------------------------------------

* Description: Retrieve an email, then forward it as an attached .eml file
* Integration: Email

----------------------------------------
Utility-Forward Email with Attachment
----------------------------------------

* Description: Retrieve an email with attachments, then forward it to another email inbox
* Integration: Email

----------------------------------------
Utility-Read Email Attachment
----------------------------------------

* Description: Demo of how to parse each attachment of a retrieved email
* Integration: Email

########################
Cloud
########################

----------------------------------------
Response-AWS Block Ip
----------------------------------------

* Description: Demo of how to block IPs from accessing an AWS VPC
* Integration: AWS
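The phishing playbooks in the Email section above all open with the same step: fetch the reported message, pull out the artifacts (sender and Reply-To addresses, URLs, attachment hashes), decode vendor-rewritten URLs, and only then hand the artifacts to the threat intelligence integrations. The following Python is an added example of that extraction step written for this page; it is not code from DTonomy or any of its playbooks. The message it parses is constructed for the example, the key=value names in the returned dictionary are my own, and the Proofpoint handling covers only the v2 ``urldefense.proofpoint.com/v2/url?u=`` rewrite (``_`` for ``/``, ``-`` for ``%``); v3 uses a different scheme and is left unhandled.

```python
import email
import email.policy
import hashlib
import re
from email.utils import parseaddr
from urllib.parse import unquote, urlparse

# Constructed sample: not a real phish, just the shape a reported message has.
# A credential-reset lure with one plain URL, one Proofpoint-rewritten URL,
# a Reply-To on a different domain than From, and a tiny attachment.
SAMPLE_EML = b"""\
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: attacker@example.net
Return-Path: <bounce@example.net>
To: victim@example.com
Subject: Password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires today. Renew at http://login.example.net/reset?u=victim
or via https://urldefense.proofpoint.com/v2/url?u=https-3A__portal.example.org_sso-3Fid-3D1&d=DwMFaQ&c=x
--b1
Content-Type: application/octet-stream; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

URL_RE = re.compile(r"""https?://[^\s<>"'\)\]]+""")
# Proofpoint URL Defense v2: the original URL sits in the u= parameter with
# "/" encoded as "_" and "%" encoded as "-" (assumption: v2 only, v3 differs).
PP_V2_RE = re.compile(r"^https?://urldefense\.proofpoint\.com/v2/url\?u=([^&]+)")


def decode_proofpoint_v2(url: str) -> str:
    """Return the original URL behind a Proofpoint v2 rewrite, else url unchanged."""
    m = PP_V2_RE.match(url)
    if not m:
        return url
    return unquote(m.group(1).replace("_", "/").replace("-", "%"))


def defang(url: str) -> str:
    """Make a URL safe to paste into a ticket: hxxp scheme, [.] in the host."""
    p = urlparse(url)
    out = p.scheme.replace("http", "hxxp") + "://" + p.netloc.replace(".", "[.]") + p.path
    return out + ("?" + p.query if p.query else "")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def extract_artifacts(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and collect the artifacts worth enriching."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    urls, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "text" and not part.is_attachment():
            for found in URL_RE.findall(part.get_content()):
                decoded = decode_proofpoint_v2(found)
                urls.append({
                    "raw": found,
                    "decoded": decoded,
                    "host": urlparse(decoded).hostname,
                    "defanged": defang(decoded),
                })
        elif part.get_filename():
            data = part.get_content()
            if isinstance(data, str):  # text/* attachment: hash its bytes
                data = data.encode("utf-8")
            attachments.append({
                "filename": part.get_filename(),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return {
        "from": from_addr,
        "reply_to": reply_to,
        # Reply-To on a different domain than From is a classic lure trait.
        "reply_to_mismatch": bool(reply_to) and _domain(reply_to) != _domain(from_addr),
        "urls": urls,
        "attachments": attachments,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_artifacts(SAMPLE_EML), indent=2))
```

Submit the ``decoded`` URL and the attachment ``sha256`` to the enrichment services, and put the ``defanged`` form in the ticket or notification email so nobody clicks a live lure from the case notes.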
----------------------------------------
Ingestion-AWS CloudTrail
----------------------------------------

* Description: Demo of how to retrieve AWS CloudTrail events
* Integration: AWS

----------------------------------------
Utility-AWS Invoke Lambda
----------------------------------------

* Description: Demo of how to run an AWS Lambda function
* Integration: AWS

------------------------------------------
Response-AWS VPC Create Security Group
------------------------------------------

* Description: Demo of how to create a Security Group in AWS
* Integration: AWS

----------------------------------------
Compliance-Audit User
----------------------------------------

* Description: Once a week, list the IAM instance profiles, iterate over the EC2 instances that have an IAM profile association and check whether the association should be removed
* Integration: AWS

########################
Endpoint
########################

----------------------------------------
API Mocker-Carbon Black
----------------------------------------

* Description: Mimic a Carbon Black REST web API

----------------------------------------------------------------
Response-Retrieve Carbon Black Alerts and Create Jira Issue
----------------------------------------------------------------

* Description: Get Carbon Black scan results and create a Jira ticket
* Integrations: Carbon Black, Jira

-----------------------------------------------
Analysis-Enrich CrowdStrike with SIEM
-----------------------------------------------

* Description: Retrieve endpoint detections and correlate them with recent activity for the same user and IP in other detections generated by the SIEM
* Integrations: CrowdStrike, Sumologic

-----------------------------------------------
Response-Block Ip on Azure
-----------------------------------------------

* Description: Block an IP on Azure
* Integration: Azure

-----------------------------------------------
Response-Block Ip on Fortinet
-----------------------------------------------

* Description: Block an IP on Fortinet
* Integration: Fortinet
-----------------------------------------------
Response-Block Ip on Endgame
-----------------------------------------------

* Description: Block an IP on Endgame
* Integration: Endgame

########################
Network
########################

-----------------------------------------------
Analysis-Collect user Info From Pastebin
-----------------------------------------------

* Description: Find Pastebin URLs reported in emails; on Pastebin look for possible mentions of certain types of user names and match them against the internal LDAP server. If anything matches, fire an alert and send an email notification
* Integrations: Gmail, LDAP

----------------------------------------
Analysis-Enrich IP with Threatcrowd
----------------------------------------

* Description: Example of how to submit an IP to ThreatCrowd
* Integration: ThreatCrowd

----------------------------------------
Analysis-Import CISCO Meraki Alert
----------------------------------------

* Description: Import Cisco Meraki alerts
* Integration: Meraki

----------------------------------------
Analysis-Network Traffic Alert
----------------------------------------

* Description: Get the IPs from network alerts, submit each to various threat intelligence services to enrich the data, and archive the results
* Integrations: VirusTotal, WhoIs, ASN

--------------------------------------------------------------------------------
IR-Enrich Sumologic Network Alerts with Threat Intelligence and Vulnerability
--------------------------------------------------------------------------------

* Description: Retrieve security alerts from Sumologic, use whois information to find the abuse contact email addresses, and send a summary of the activity to those addresses
* Integrations: Sumologic, Whois, Email

------------------------------------------------------------------
IR-Enrich Sumologic Network Attack with whois and Send Email
------------------------------------------------------------------

* Description: Get the top 10 attacking IPs, find each IP's abuse contact email address, then report to it
* Integrations: Sumologic, Whois

--------------------------------------------------
Response-Block Ip and Log Actions to Sumologic
--------------------------------------------------

* Description: Block the IPs reported by Sumologic and write the actions taken back to Sumologic as logs
* Integrations: Sumologic, AWS

----------------------------------------
Response-Network Alert Escalation
----------------------------------------

* Description: Receive a network alert and file a ticket based on its contents
* Integrations: ServiceNow, Email

----------------------------------------
Response-Block Ip Azure
----------------------------------------

* Description: Block an IP on Azure
* Integration: Azure

########################
Vulnerability
########################

-----------------------------------------------
Analysis-Network Alert With Vulnerability
-----------------------------------------------

* Description: Submit a network alert's IP to Shodan to find vulnerabilities
* Integrations: Sumologic, Shodan

---------------------------------------------
Analysis-Notify Owner to Fix Vulnerability
---------------------------------------------

* Description: Receive a submitted vulnerability alert; use its IP to file a ServiceNow ticket and send an email notification
* Integrations: ServiceNow, Email

--------------------------------------------------------
Response-Retrieve Nessus Scan and Create Jira Ticket
--------------------------------------------------------

* Description: Create a Jira ticket from a Tenable.io scan result
* Integrations: Tenable.IO, JIRA

----------------------------------------
Utility-Nexpose Example
----------------------------------------

* Description: Examples of using the 4 Nexpose nodes
* Integrations: Rapid7 Nexpose, LDAP

########################
Other
########################

------------------------------------------
DLP-Data Leaking Protection Validation
------------------------------------------

* Description: Compare a received alert email with the known leaked event IDs and send an alert on a match
* Integration: Email

----------------------------------------
Intelligence-Build Intelligence
----------------------------------------

* Description: Demo of how to build intelligence with the Bitbucket web API
* Integration: BitBucket

----------------------------------------
Analysis-End To End User Alert
----------------------------------------

* Description: Demo of how to put an incoming alert into the global context

----------------------------------------
Notifications-Microsoft Teams
----------------------------------------

* Description: Demo of how to communicate with Microsoft Teams
* Integration: Microsoft Teams

----------------------------------------
Report-Shadow Server
----------------------------------------

* Description: Extract URLs from an incoming email, download the CSVs linked from those URLs and enrich the results with IP info
* Integration: Email

----------------------------------------
Response-Auto Report To Microsoft
----------------------------------------

* Description: Report a received alert to the Microsoft reporting email address
* Integration: Microsoft Website

----------------------------------------
Response-Create ServiceNow Ticket
----------------------------------------

* Description: Convert a reported alert into a ServiceNow ticket
* Integration: ServiceNow

----------------------------------------
Response-Get Abuse Domains Whois
----------------------------------------

* Description: Find WhoIs info for reported domains
* Integration: WhoIs

----------------------------------------
Response-Report Abuse Whois
----------------------------------------

* Description: From a reported domain's WhoIs info, find the abuse reporting email address, then notify that address
* Integrations: WhoIs, Email
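The network playbooks above (Analysis-Network Traffic Alert, IR-Enrich Sumologic Network Attack with whois and Send Email, and the two abuse-report playbooks in this section) share one pre-processing step that is easy to get wrong: before an address is sent to a public threat intelligence service or its abuse contact is emailed, internal and reserved addresses have to be dropped, otherwise the noisiest "attacker" in the top 10 is usually an internal scanner or a misconfigured host, and the abuse lookup either fails or leaks internal addressing to a third party. The Python below is an added example of that filtering and the per-source summary an abuse email would carry; it is not DTonomy code. The log lines are constructed in an assumed ``key=value`` layout, not Sumologic's real output, and the bogon list deliberately omits the RFC 5737 documentation nets so the sample can use them as stand-ins for external addresses.

```python
import ipaddress
import re
from collections import Counter

# Constructed firewall-style deny events (assumed key=value layout, not the
# format any particular SIEM emits). 10.0.0.12 is an internal host that is
# noisier than any outside source; it must never reach an abuse report.
SAMPLE_ALERTS = """\
2024-05-01T10:00:01Z action=deny src=203.0.113.10 dst=198.51.100.5 dport=22
2024-05-01T10:00:02Z action=deny src=203.0.113.10 dst=198.51.100.5 dport=22
2024-05-01T10:00:03Z action=deny src=203.0.113.10 dst=198.51.100.5 dport=3389
2024-05-01T10:00:04Z action=deny src=192.0.2.77 dst=198.51.100.5 dport=445
2024-05-01T10:00:05Z action=deny src=10.0.0.12 dst=198.51.100.5 dport=22
2024-05-01T10:00:06Z action=deny src=10.0.0.12 dst=198.51.100.5 dport=22
2024-05-01T10:00:07Z action=deny src=10.0.0.12 dst=198.51.100.5 dport=22
2024-05-01T10:00:08Z action=deny src=10.0.0.12 dst=198.51.100.5 dport=22
2024-05-01T10:00:09Z action=deny src=192.0.2.77 dst=198.51.100.5 dport=445
2024-05-01T10:00:10Z action=deny src=not-an-ip dst=198.51.100.5 dport=80
2024-05-01T10:00:11Z action=deny src=fe80::1 dst=198.51.100.5 dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\S+) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)"
)

# Address space that is never a valid target for public enrichment or an
# abuse email: RFC 1918, loopback, link-local, CGNAT, multicast, reserved.
# The RFC 5737 documentation nets (192.0.2.0/24, 198.51.100.0/24,
# 203.0.113.0/24) are left out on purpose so the constructed sample can use
# them as external addresses; add them back in production.
NON_REPORTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_reportable(addr: str) -> bool:
    """True only for a syntactically valid address outside NON_REPORTABLE."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # garbage in the src field: never forward it anywhere
    return not any(ip in net for net in NON_REPORTABLE)


def summarize_sources(log_text: str, n: int = 10):
    """Top-n reportable sources with first/last seen and targeted ports, plus a
    Counter of the addresses that were skipped so the analyst can see them."""
    seen, skipped = {}, Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src = m["src"]
        if not is_reportable(src):
            skipped[src] += 1
            continue
        rec = seen.setdefault(src, {"count": 0, "first_seen": m["ts"],
                                    "last_seen": m["ts"], "dports": set()})
        rec["count"] += 1
        rec["last_seen"] = m["ts"]
        rec["dports"].add(int(m["dport"]))
    top = sorted(seen.items(), key=lambda kv: kv[1]["count"], reverse=True)
    return top[:n], skipped


def abuse_report(src: str, rec: dict) -> str:
    """One-paragraph summary suitable for the body of an abuse-contact email."""
    ports = ", ".join(str(p) for p in sorted(rec["dports"]))
    return (f"Source {src} made {rec['count']} denied connection attempts "
            f"between {rec['first_seen']} and {rec['last_seen']} "
            f"against ports {ports}.")


if __name__ == "__main__":
    top, skipped = summarize_sources(SAMPLE_ALERTS)
    for src, rec in top:
        print(abuse_report(src, rec))
    print("skipped (not reportable):", dict(skipped))
```

Run on the sample, the internal host with the most denies never appears in the report; it shows up in ``skipped`` instead, which is the right place for it to land, since an internal scanner hitting the firewall is a ticket for the owning team, not an abuse complaint to a registry contact.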
----------------------------------------
Response-Warn User
----------------------------------------

* Description: Send a warning email to the user based on a received alert
* Integration: Email

----------------------------------------
Utility-Alexa Ranking
----------------------------------------

* Description: Demo of how to retrieve the Alexa ranking for a domain
* Integration: Alexa

-----------------------------------------------
Utility-Automating Interactive Applications
-----------------------------------------------

* Description: Demo of how to run a command on a remote machine
* Integration: SSH

----------------------------------------
Utility-Create Ticket
----------------------------------------

* Description: File a ServiceNow ticket based on a received alert
* Integration: ServiceNow

----------------------------------------
Utility-Install Python Module
----------------------------------------

* Description: Demo of how to install a Python module on the host machine
* Integration: Python

----------------------------------------
Utility-OTX Example
----------------------------------------

* Description: Demo of how to use OTX to check malicious files, domains, IPs and URLs
* Integration: OTX

----------------------------------------
Utility-Parallel Computation
----------------------------------------

* Description: Demo of how to implement parallel branches in a workflow

----------------------------------------
Utility-Perl Example
----------------------------------------

* Description: Demo of how to run a Perl script on the host machine
* Integration: Perl

----------------------------------------
Utility-Python Processor
----------------------------------------

* Description: Demo of how to run a Python script on the host machine
* Integration: Python

----------------------------------------
Utility-Update Ticket
----------------------------------------

* Description: Demo of how to update a ServiceNow ticket based on a received alert
* Integration: ServiceNow

----------------------------------------
Utility-Wait For Actions
----------------------------------------

* Description: Demo of how to use the Delay node to implement a wait loop in a workflow

----------------------------------------
Utility-Write To Google Sheet
----------------------------------------

* Description: Demo of how to write to a Google Sheet
* Integration: Google Docs

----------------------------------------
Utility-GSuite
----------------------------------------

* Description: Demo of how to invoke the GSuite web API
* Integration: GSuite