Playbook Fridays: Task Management
Simulate a task in ThreatConnect which can be modified to recur daily, weekly, or monthly
ThreatConnect developed the Playbooks capability to help analysts automate time consuming and repetitive tasks so they can focus on what is most important. And in many cases, to ensure the analysis process can occur consistently and in real time, without human intervention.
As an analyst, you may have many recurring tasks that need to be finished on a weekly or monthly basis and want to have all of your research and analysis tasks in one place (ThreatConnect). With this Playbook, you can simulate a recurring task in ThreatConnect, using a timer trigger which can be modified to create a task daily, weekly, or monthly.
The Playbook creates a task with the given name and a due date two days from the date on which the task is created.
After installing the playbook, change the "Run Weekly" app to run on the desired interval and at the desired time. Next, edit the "Set Variables" app. The "taskName" variable is used to set the name of the task as it will appear in ThreatConnect. The "dueDateOffset" variable is used to specify the amount of time between the date a new task is created and when it is due. Lastly, edit the "Create ThreatConnect Task" app and set the assignees, escalatees, and any other details about the recurring task which will be created.
Website Content Playbook
We've designed another Playbook to run weekly that requests website content, finds the hash of the website's content, retrieves the previous hash of the content from the playbook's datastore, and compares the hash of the current content with the hash of the previous content. If the hash of the current content is different from the hash of the previous content, an alert is sent.
Warning: Do not use this playbook to request the content of a malicious website. It should only be used to monitor the content of infrastructure which belongs to you.
After installing the playbook:
- Edit the "Run Playbook Weekly" app to specify how often and when you would like the app to run.
- Edit the "Set Variables" app and set the website you would like to monitor and the slack channel to which you would like to send notifications (and feel free to change the user agent too).
- Find all of the apps which have errors and fill in the missing fields (which include parameters like the ThreatConnect owner and slack API token).
- Turn it on and run the playbook!
Periodically capture the content of a website and send an alert if the content changes.