Playbooks
SIEM
Analysis-Enrich Sumologic with ThreatCrowd
- Description:
Enrich Sumologic results with ThreatCrowd results
- Integrations:
Sumologic, ThreatCrowd
Analysis-Enrich Sumologic with VirusTotal
- Description:
Enrich Sumologic results with VirusTotal results
- Integrations:
Sumologic, VirusTotal
Analysis-Sumologic Compromised Account
- Description:
Extract compromised accounts, find their associated IPs, then submit them to various threat intelligence services for analysis
- Integrations:
Sumologic, VirusTotal, Whois, ASN
Analysis-Sumologic Misuse Account
- Description:
Extract misused accounts, find their associated IPs, then submit them to various threat intelligence services for analysis
- Integrations:
Sumologic, VirusTotal, Whois, ASN
Ingestion-Import Elastic Security Detections
- Description:
Import security detections from Elasticsearch
- Integrations:
Elasticsearch, DTonomy
Ingestion-Import Wazuh Detections
- Description:
Import security detections from Wazuh
- Integrations:
Wazuh, DTonomy
IR-Enrich Sumologic with VirusTotal and Export to Spreadsheet
- Description:
Enrich Sumologic results with VirusTotal results, then export them as a CSV to a Google Sheet
- Integrations:
Sumologic, VirusTotal, Google Docs
IR-Enrich Sumologic User Detection with Vulnerability Check
- Description:
Enrich Sumologic results with Shodan results
- Integrations:
Sumologic, Shodan
Response-Compromised Account Alert
- Description:
Receive a reported compromised account, delete it from AWS IAM and notify admin by email
- Integration:
AWS, Email
Response-Misuse Account Alert
- Description:
Receive a reported misused account, delete it from AWS IAM and notify admin by email
- Integration:
AWS, Email
Email
Analysis-Phishing Email
- Description:
Standard workflow that retrieves the phishing email, extracts artifacts and submits them to various threat intelligence sites for analysis
- Integration:
Email, UrlScan.io, ASN, HybridAnalysis, VirusTotal, Haveibeenpwned
Analysis-Phishing Email with PDF Decryption
- Description:
Same as the standard phishing email playbook above, with an extra step that decrypts the attached PDF and submits it for file analysis
- Integration:
Email, UrlScan.io, HybridAnalysis, VirusTotal, Haveibeenpwned
Analysis-Comprehensive Phishing Response Workflow
- Description:
Similar to the standard phishing email playbook above, with an extra step that decodes encoded URLs with ProofPoint Encoder
- Integration:
ProofPoint, Email, UrlScan.io, HybridAnalysis, VirusTotal, Haveibeenpwned
IR-Phishing Email Response with Yara
- Description:
Retrieve the reported phishing email, create YARA rules based on its content, and upload them to Splunk
- Integration:
Yara, Email, Splunk
IR-Comprehensive Phishing Response Workflow
- Description:
Retrieve the reported phishing email and create YARA rules if the content is malware related; otherwise follow the standard phishing email playbook above
- Integration:
Email, UrlScan.io, ASN, HybridAnalysis, VirusTotal, Haveibeenpwned, Yara
Response-Report Phish to Microsoft
- Description:
Forward a reported phishing email to the Microsoft phishing report email address
- Integration:
Response-Report Spam to Microsoft
- Description:
Forward a reported spam email to the Microsoft spam report email address
- Integration:
Utility-Delete Outlook Email
- Description:
Demo how to delete an email from Outlook
- Integration:
Outlook
Utility-Forward Email as Attachment
- Description:
Retrieve an email, then forward it as an attached .eml file
- Integration:
Utility-Forward Email with Attachment
- Description:
Retrieve an email with attachments, then forward it to another email inbox
- Integration:
Utility-Read Email Attachment
- Description:
Demo how to parse each attachment of a retrieved email
- Integration:
Cloud
Response-AWS VPC Create Security Group
- Description:
Demo how to create a Security Group in AWS
- Integration:
AWS
Compliance-Audit User
- Description:
List IAM instance profile once a week, iterate the EC2 instance with IAM Profile Association and check if association should be removed
- Integration:
AWS
Endpoint
Response-Retrieve Carbon Black Alerts and Create Jira Issue
- Description:
Get Carbon Black scan result and create a JIRA ticket
- Integrations:
Carbon Black, Jira
Analysis-Enrich CrowdStrike with SIEM
- Description:
Retrieve endpoint detections and correlate them with recent activity for the same user and IP in other detections generated by the SIEM
- Integrations:
Crowdstrike, Sumologic
Network
Analysis-Collect user Info From Pastebin
- Description:
Find Pastebin URLs reported in emails; from Pastebin, find possible mentions of certain types of user names and match them against the internal LDAP server. If there are any matches, fire an alert and send an email notification
- Integration:
Gmail, LDAP
Analysis-Enrich IP with Threatcrowd
- Description:
Example of how to submit an IP to ThreatCrowd
- Integration:
ThreatCrowd
Analysis-Network Traffic Alert
- Description:
Get IPs from network alerts, then submit each to various threat intelligence services to enrich the data and archive it
- Integration:
VirusTotal, WhoIs, ASN
IR-Enrich Sumologic Network Alerts with Threat Intelligence and Vulnerability
- Description:
Retrieve security alerts from Sumologic, use WHOIS information to find the abuse contact email addresses, and send summarized information to those addresses
- Integration:
Sumologic, Whois, Email
IR-Enrich Sumologic Network Attack with whois and Send Email
- Description:
Get the top 10 attacking IPs, find each IP's abuse contact email, then report
- Integration:
Sumologic, Whois
Response-Block IP and Log Actions to Sumologic
- Description:
Block IPs reported by Sumologic and write the actions back to Sumologic as logs
- Integration:
Sumologic, AWS
Response-Network Alert Escalation
- Description:
Receive a network alert and file a ticket based on its info
- Integration:
ServiceNow, Email
Vulnerability
Analysis-Network Alert With Vulnerability
- Description:
Submit Network Alert’s IP to Shodan to find vulnerabilities
- Integrations:
Sumologic, Shodan
Analysis-Notify Owner to Fix Vulnerability
- Description:
Receive a submitted vulnerability alert; use its IP to file ServiceNow ticket and send an email notification
- Integrations:
ServiceNow, Email
Response-Retrieve Nessus Scan and Create Jira Ticket
- Description:
Create a JIRA ticket from a Tenable.IO scan result
- Integration:
Tenable.IO, JIRA
Utility-Nexpose Example
- Description:
Examples of using 4 Nexpose nodes
- Integrations:
Rapid7 Nexpose, LDAP
Other
DLP-Data Leaking Protection Validation
- Description:
Compare a received alert email with known leaked event IDs and send an alert if there is a match
- Integration:
Intelligence-Build Intelligence
- Description:
Demo how to build intelligence with the BitBucket Web API
- Integration:
BitBucket
Notifications-Microsoft Teams
- Description:
Demo how to communicate with Microsoft Teams
- Integration:
Microsoft Teams
Report-Shadow Server
- Description:
Extract URLs from an incoming email, download the linked CSVs from those URLs and enrich the results with IP info
- Integrations:
Response-Auto Report To Microsoft
- Description:
Report a received alert to Microsoft reporting email address
- Integration:
Microsoft Website
Response-Create ServiceNow Ticket
- Description:
Convert a reported alert to ServiceNow ticket
- Integration:
ServiceNow
Response-Get Abuse Domains Whois
- Description:
Find WhoIs info for reported domains
- Integration:
WhoIs
Response-Report Abuse Whois
- Description:
From reported domain’s WhoIs info find abuse reporting email address, then notify that email address
- Integration:
WhoIs, Email
Response-Warn User
- Description:
Send a warning email to user based on received alert
- Integration:
Utility-Alexa Ranking
- Description:
Demo how to retrieve Alexa Ranking for a domain
- Integration:
Alexa
Utility-Automating Interactive Applications
- Description:
Demo how to run a command on a remote machine
- Integration:
SSH
Utility-Create Ticket
- Description:
Fire a ServiceNow ticket based on received alert
- Integration:
ServiceNow
Utility-Install Python Module
- Description:
Demo how to install a Python module on the host machine
- Integration:
Python
Utility-OTX Example
- Description:
Demo how to use OTX to check malicious files, domains, IPs and URLs
- Integration:
OTX
Utility-Python Processor
- Description:
Demo how to run a Python script on the host machine
- Integration:
Python
Utility-Update Ticket
- Description:
Demo how to update a ServiceNow ticket based on a received alert
- Integration:
ServiceNow
Utility-Wait For Actions
- Description:
Demo how to use the Delay node to implement a wait loop in a workflow
Utility-Write To Google Sheet
- Description:
Demo how to write to a Google Sheet
- Integration:
Google Docs