Posted
From a Simple Notification Email to Threat-Bending Phishing Triage, This Is Your First Step
ThreatConnect 6.0 introduces a brand new feature: Workflow. This capability lets you combine manual and automated operations to define consistent and standardized processes for your security teams:
- Malware analysis
- Phishing triage
- Alert triage
- Intel requirement development
- Escalation procedures
- Breach SOP
- And much more!1
This article will walk you through building a simple Workflow Template to introduce some key concepts. If you’re familiar with programming, think of this like a “hello world” example. Once you have these basics down, you should be able to extend them to even the most complex security process.
If you have access to Workflow in ThreatConnect, feel free to follow along! This assumes you have basic knowledge of ThreatConnect and Playbooks.
1 Please forgive the cliche, but it’s true!
Workflow Overview
Workflow in ThreatConnect starts with the creation of a Workflow Template. These Templates represent the processes you want to define for your team. For example you might have one Template for Phishing Analysis, one for Alert Triage, and maybe several different ones for handling Breaches. By codifying these processes in a Template, you can reduce the risk of users missing critical steps or artifacts during an investigation.
In other words, processes and procedures you’ve kept in binders (i.e., runbooks), case management tools, ticket systems, and in your brains can now all be captured in ThreatConnect and tied back to threat intel. In fact, we’ve designed Workflow explicitly to reduce the time it takes to uncover relevant threat intel when working a case or investigation.
For this example, we’re going to create a basic escalation workflow that automatically sends out an email in response to some criteria. This example is likely far more basic than a real-world workflow, but if you’d like to see some examples of those, you can view some sample Workflow Templates through the ThreatConnect App Catalog by clicking on Workflow > Templates > TC Exchange Templates.
Terminology
Here are some terms to keep in mind when working with Workflow:
- Workflow Template – A codified process, typically created by an experienced team member or leader, that’s designed to walk a user through that process.
- Examples: Email Triage Template | Breach Escalation Template | File Hash Enrichment Process Template
- Case – A single instance of a case or investigation. Users can create Cases on the fly or create a Case from a Workflow Template (recommended).
- Examples: Case 12345 – Bank Password Reset Phishing Investigation | Case 11111 – Bank Password Reset Phishing Escalation to IR | Case 99999 – Enrichment of File Hash RFI
- Task – Cases are divided up into individual Tasks a user must perform. Tasks can be Manual (a human user must complete them) or Automated (a Playbook2 completes the task).
- Examples: Analyze Packet Capture Data I Review Malware Sandbox Results | Contact Business Stakeholders.
- Phase – A Phase is simply a logical grouping of Tasks.
- Examples: Phase 1 includes Tasks to gather email forensic data, Phase 2 includes analyzing that data, Phase 3 includes distributing a report on the analyzed data.
- Note – Users can take freeform notes as part of a Case or even notes that are related to a Task or Artifact.
- Examples: “There’s something wonky about this network traffic, I can feel it.” | “Alice, I’m not sure what to do here. Please help.” | “Sure thing, Bob. I added a new Task for you to complete that should help guide you along.”
- Artifacts – An Artifact is any piece of data not captured in a freeform Note as part of a Case. All Artifacts are saved to the Case.
- Examples: Email MSG File | Screenshot | PCAP | IP Addresses | File Hashes | Malicious File Attachment
2 In a future release, you’ll also be able to have Apps (ours and yours!) complete Tasks and even take direct action on Artifacts.
Defining the Process
Before we create a Workflow Template in ThreatConnect, we first need to define the actual process we want to codify. Think of it like planning your route before getting in the car. Our objective for this Template is to send an escalation email to dcole@threatconnect.com (that’s me!) with a subject line and email body containing some relevant information.
For our sample Workflow Template, we want to set up the following Phases, Tasks, and Artifacts:
- Phase 1
- Task 1 – Instruct the analyst to read this Blog!
- Task 2 – Enter the subject line and email body.
- Artifact – The subject line of the email.
- Artifact – The body of the email.
- Phase 2
- Task 3 – Automatically send an escalation email to dcole@threatconnect.com with the subject line and body specified in the prior task. Return the recipient of the email back to the Case and store it as an Artifact.3
- Phase 3
- Task 4 – Congratulate the analyst on a job well done.
3 Since we’re hardcoding the recipient as me, we don’t need to define it as a separate Artifact here.
Before diving in to any kind of software-based process definition, it’s helpful to sketch out the objectives and general flow on paper. It’s like pseudocode and makes the creation of the actual Template much easier.
Now that we’ve defined the process, let’s turn it into a Workflow Template.
Translating the Process to Workflow
Our Workflow Template will consist of three manual Tasks and one automated Task that’s handled behind the scenes by a Workflow Playbook.
Setting up a Workflow Playbook
Let’s start by creating the Playbook that will actually send the email4. The basic flow of the Playbook is:
- Grab the Email Subject and Email Body from the Case.
- Pass the subject and body to the Send Email app.
- Manually enter the email recipient (me!) in the Send Email app.
- Send the email.
- Report the recipient back to the Case.
Select Playbooks from ThreatConnect’s main navigation menu, then click New > Create Playbook. Give your Playbook a name and an optional description5. Be sure to select Workflow as the Playbook type; this will make the Playbook available to the Workflow Template we’ll create.
4 If you’d like to download the Playbook instead of creating it yourself, you can get it from our GitHub repo here: https://github.com/ThreatConnect-Inc/threatconnect-playbooks/tree/master/playbooks/TCPB-WF-Escalation%20Email
5 I’m using “Escalation Email” and “Sends an email to a specified account with some case details,” respectively.
Workflow Triggers
Every Workflow Playbook starts with a special Workflow Trigger, which defines the inputs and outputs of the Playbook. Double click the Trigger and configure the Inputs as shown below, then save the Trigger.
Configure the Send Email App
Click the Apps button, then click the Send Email app to add it to the Playbook. Connect the App to the Trigger.
Double-click the Send Email App you added, and configure it.
Now we want to capture the Recipient from the Send Email app and add it to the Trigger so that it can be returned to the Case and saved as an Artifact. Re-open the Trigger and configure the Output variable to match it.
For the final step, set the Playbook to Active. You’re all done! The Playbook is now ready for use in any Workflow Template.6
6 I’m using “Hello World Example” and “This is a sample Workflow Template that will send a simple escalation email and introduces users to the basics of Workflow,” respectively.
Setting Up a Workflow Template
Now that your Playbook is ready to go, it’s time to build it into a Workflow Template. This Template can then be reused by others to guide them through Cases.
Select Workflow > Templates from ThreatConnect’s main navigation menu, then click the + button and New Template. Give your Template a name and an optional description.
Creating Your First Task
Click in the Tasks pane to add your first Task, or click the + button in the upper right. Part of the value of Workflow is for more experienced users to impart knowledge to less experienced users, so don’t be shy about providing detailed instructions. Our first Task will just be to read this blog! Configure the Task.
Creating a Task with Artifacts
You can think of each Task almost like a miniature form builder that lets you prompt users for information that will be stored as Artifacts in a case. In our second Task, which we’ll include as part of Phase 1, we want to prompt the user to provide a subject line and email body. Go ahead and add it now.
Artifacts are added by clicking the + button on the Edit Task pane. Go ahead and add Artifacts for both subject and body, and make sure they’re set as Required, because our Playbook can’t run without them!
Configuring an Automated Task
Automated Tasks let users automate tasks that might otherwise represent minutes or hours of tedious work for a user investigating a Case. Just like with the prior two Tasks, click the + button or click directly into the Phase 2 pane. This time, click the Automated Task toggle; you’ll be prompted to select a Playbook to use in the Task, so select the Escalation Email Playbook we created.
Click the INPUTS link at the bottom right. The left side of this area shows the Variables from the Workflow Playbook we created (specifically, the ones we defined in the Trigger), while the right side shows the Artifacts from the “Gather the subject line and email body” Task, as well as any globally-defined variables.7 Drag the Artifacts from the right to the appropriate Variables on the left.
7 These global variables are useful for defining things like credentials or commonly used data points.
Proceed to the Outputs section of the Task pane. Here, we want to tell the Workflow to save the email recipient (that’s me!) as an Artifact on the case. This is just for fun, but you can imagine using this same feature to save the output of a malware scan, enrichment results, victim data, whatever you need.
The Completed Template
If you’d like to add a closing Task, go right ahead – you should know what to do by now!
Let’s look back at our original pseudoworkflow:
- Phase 1
- Task 1 – Instruct the analyst to read this Blog!
- Task 2 – Enter the subject line and email body.
- Artifact – The subject line of the email.
- Artifact – The body of the email.
- Phase 2
- Task 3 – Automatically send an escalation email to dcole@threatconnect.com with the subject line and body specified in the prior task. Return the recipient of the email back to the Case and store it as an Artifact.
- Phase 3
- Task 4 – Congratulate the analyst on a job well done.
Now it’s time to actually put the Workflow Template to work by putting on our analyst hats and creating a Case!
Starting a New Case
We need to escalate! Luckily, we went to the trouble of codifying our escalation process in a Workflow Template! In a real-world scenario, many Cases would likely be automatically created and assigned, but for this example, let’s create one manually by selecting Workflow > Cases from the main navigation menu, or if you’re still on your Template, just click the Cases tab in the upper left.
Click the + button and the New Case pane will open up. Give your Case a name, assign it to yourself (if you want), and be sure to use our new Workflow Template!
On the right hand side are a variety of tools available to the Analyst—Related Cases, Artifacts, Notes, and the Timeline—but we’ll focus on the Tasks on the left. You can think of the left-hand side as a checklist or form of actions that need to be taken, and the right side as a record of the results of those actions.
Completing the Case
There’s not much instruction that’s required here! Everything you should need to know to complete the Case should be contained in the Workflow Template we built:
- Check off that you read this blog!
- Enter a snappy subject line and email body.
- Kick off the Playbook!
- Pat yourself on the back.
Congratulations! You can start as many cases as you want!
Putting It All Together
If you start playing around with a completed Case, and maybe start adding the recipient email as an Indicator, you may start to notice some things. Cases that share similar Artifacts can become automatically related. Artifacts that have related threat intel will automatically populate with analytics and the ability to load additional context, including globally crowdsourced context from our Collective Analytics Layer (CAL).
Certain Artifacts can be added directly to ThreatConnect as Indicators so you can leverage them as threat intel in future investigations, which helps you maximize the amount of threat intelligence squeezed from day-to-day operations.
Workflow in ThreatConnect is full of useful nuggets like these, and now that you’ve become familiar with the basics, you can take advantage of them. Here are some examples of questions to ask for next steps:
- What processes do you have that could be turned into Workflow Templates?
- What tasks are you performing today that could be automated?
- What do your senior folks know that could be memorialized for junior folks to reduce the amount of “arcane knowledge” in your organization?
As for ThreatConnect, we’re thrilled to introduce this first iteration of Workflow, and we look forward to our users’ feedback and forthcoming updates!