
Playbook Fridays: How to Build a Playbook in ThreatConnect

This week: Palo Alto Wildfire Malware Triage Playbook

ThreatConnect is beginning a NEW blog post series. We will continually publish posts featuring Playbooks that can be built in TC Manage™ or TC Complete™.

ThreatConnect developed the Playbooks capability to help analysts automate time-consuming and repetitive tasks so they can focus on what is most important, and in many cases to ensure the analysis process runs consistently and in real time, without human intervention.


Why was the Playbook created?

The Palo Alto Wildfire Malware Triage Playbook (Wildfire is a cloud-based service that provides malware sandboxing) was created to make the malware analysis process more effective by speeding up reaction time, eliminating time-consuming repetitive tasks, and delivering the results to the analyst in a form that lets them quickly make decisions and take action.

Though this Playbook can be triggered in a variety of ways, most commonly it would use an email, HTTP, or user action trigger, and it handles the following:

  • The submission of suspicious binary files to Palo Alto Wildfire for analysis.
  • The retrieval and parsing of report results.
  • The creation of report results, including behavior details and associated indicators in ThreatConnect for easy correlation across other malware reports and intelligence sources.
  • The assignment of a task for an analyst to review the results and take action.


How it works:

  1. When the playbook is triggered, the binary is first detonated with Wildfire.  
  2. Next, the Wildfire Verdict is retrieved and used to determine the path the Playbook takes.
  3. The binary in ThreatConnect is tagged with the Wildfire verdict and a response is sent back to the user letting them know the outcome.
  4. If the Verdict was malicious, the Playbook will get and parse the Wildfire report results.
  5. An incident is created in ThreatConnect to store the report details.
  6. The Wildfire behavior details are saved as an attribute on the incident.
  7. File, Registry Key, Address, Host, URL and User Agent indicators that were parsed from the report are created in ThreatConnect and associated with the Incident.
  8. The HTML version of the Wildfire report is downloaded and saved as a ThreatConnect document and associated with the Incident.
  9. Finally, to be sure that the incident is reviewed, a Task is created in ThreatConnect and assigned to an analyst for review.
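To make the branching in steps 2 to 9 concrete, here is an added example (not ThreatConnect or Palo Alto code) that models the triage flow in Python: only a malicious verdict opens an incident, and only the six indicator types the Playbook creates survive parsing. The report shape, the `triage` and `parse_indicators` helpers, the verdict strings and the action names are constructed stand-ins, not the real WildFire or ThreatConnect APIs.

```python
"""Model of the WildFire triage flow (added example; not ThreatConnect or
Palo Alto code). Report shape and action names are constructed stand-ins."""
from dataclasses import dataclass
from typing import Optional

# Indicator types the Playbook creates in ThreatConnect (step 7 of the post).
INDICATOR_TYPES = ("File", "Registry Key", "Address", "Host", "URL", "User Agent")


@dataclass
class TriageResult:
    tag: str                           # verdict tag applied to the binary (step 3)
    response: str                      # message sent back to the user (step 3)
    incident: Optional[dict] = None    # only created for a malicious verdict (step 5)
    task: Optional[dict] = None        # analyst review task (step 9)


def parse_indicators(report: dict) -> dict:
    """Group report indicators by type, dropping duplicates, blanks and unsupported types."""
    grouped = {t: [] for t in INDICATOR_TYPES}
    for ind in report.get("indicators", []):
        itype, value = ind.get("type"), ind.get("value", "").strip()
        if itype in grouped and value and value not in grouped[itype]:
            grouped[itype].append(value)
    return {t: v for t, v in grouped.items() if v}


def triage(binary_name: str, verdict: str, report: dict, analyst: str) -> TriageResult:
    """Steps 2-9: tag and respond for every verdict; build incident artifacts only when malicious."""
    tag = f"WildFire: {verdict}"
    response = f"{binary_name} detonated; WildFire verdict: {verdict}"
    if verdict != "malicious":           # benign/grayware: no incident, no task
        return TriageResult(tag=tag, response=response)
    incident = {
        "name": f"WildFire triage: {binary_name}",
        "attributes": {"Behavior": report.get("behavior", [])},      # step 6
        "indicators": parse_indicators(report),                      # step 7
        "documents": [f"{binary_name}.wildfire-report.html"],        # step 8
    }
    task = {"name": f"Review {incident['name']}", "assignee": analyst}
    return TriageResult(tag, response, incident, task)


# Constructed sample report (not real WildFire output).
SAMPLE_REPORT = {
    "behavior": ["Created a file in the Windows folder", "Connected to a remote host"],
    "indicators": [
        {"type": "Host", "value": "update.example.test"},
        {"type": "Host", "value": "update.example.test"},   # duplicate, dropped
        {"type": "Address", "value": "198.51.100.7"},
        {"type": "Registry Key", "value": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
        {"type": "Mutex", "value": "Global\\x"},            # not a type the Playbook creates
    ],
}
```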


How to Build It:

  1. Templates are found in the Templates section of the Playbooks dashboard. Import the Palo Alto Wildfire Malware Triage template to get started.
  2. Enter the requested variable information during the import step to speed up configuration.
  3. Review the configuration of the trigger and apps to ensure they are accurate for your organization.
  4. Activate the Playbook.
  5. If using the default User Action trigger, you can trigger the Playbook by pressing the "Detonate with Wildfire" user action on a ThreatConnect document containing a suspicious binary.


Read the rest of the Playbooks blog series:
Playbook Fridays: Enriching Indicators with Shodan


Learn more about Playbooks here. Questions about this Playbook or have a Playbook you'd like to contribute? Please contact: support@threatconnect.com.

Interested in Playbooks? Sign Up For A Free Account to Get Started


ABOUT THE AUTHOR

With ThreatConnect, security analysts can simultaneously coordinate with incident response, security operations and risk management teams while aggregating data from trusted communities. Your team will be better equipped to protect the organization from modern cyber threats, mitigate risk and address strategic business needs, all through a single, robust platform.