IBM QRadar SOAR

IBM QRadar

  • 1.  Iterating through an incident artifacts in a playbook

    Posted Thu October 28, 2021 05:08 PM
    Hi,

    I would like to write a playbook (the new kind) which would iterate through the artifacts associated with an incident and inspect the number of hits for each artifact.
    I know there is a field called "hits" for the artifact object, but I can't figure out how to look at each artifact once the playbook is started.

    If the number of hits is equal to zero, the incident would then be resolved as "Not an issue"; otherwise a task would be created and assigned to an analyst.

    Is this feasible with the new "Playbooks" functionality?

    Thanks for any help or suggestions.

    ------------------------------
    Pierre Dufresne
    ------------------------------


  • 2.  RE: Iterating through an incident artifacts in a playbook

    Posted Fri October 29, 2021 05:19 AM
    Let me share a previous discussion around this area for your reference. 
    https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?GroupId=2845&MessageKey=442fede2-799a-4020-b82a-bb4cdd8e438e&CommunityKey=d2f71e8c-108e-4652-b59c-29d61af7163e&tab=digestviewer

    ------------------------------
    Leo Kuo
    ------------------------------



  • 3.  RE: Iterating through an incident artifacts in a playbook

    Posted Fri October 29, 2021 05:38 AM
    You may also consider creating a playbook with Artifact as the object type and a condition that a threat source hit is added, then follow with the required step to add a task or run a script.

    ------------------------------
    Leo Kuo
    ------------------------------



  • 4.  RE: Iterating through an incident artifacts in a playbook

    Posted Thu November 04, 2021 05:00 AM
    Let me rephrase your problem (and tell me if I am wrong):

    You want to verify that no Artifact matches any Threat Source, and close the Incident after all Threat Sources have been checked, if none of them match.

    To achieve this, I will:
    • Create an Artifact Hit field, either boolean or integer, if I wish to count the number of hits and not just get the information that a Hit exists.
    • A rule on artifact checks if a Threat Source Hit is added, and the Artifact Hit is not already YES (or > 0),
      and will set Artifact Hit to YES (or add +1 with a script).
      With this, you will know that you have a Hit.
      Example below that adds a colored tag on screen using an enrich field modified by a script.

    Now, the problem is to decide WHEN to close the incident or validate that you had enough time to verify all Threat enrichment.
    For this I will use the scheduler App:
    • Create a rule that runs a workflow that calls the scheduler App.
    • Select in the app the timer you want, 600 s for example, to normally get all Threat and Threat Enrichment done.
    • After that, check the value of Artifact Hit: if YES or > 0, assign the incident from "Automation" to "L1 Group", or close the task.
    • At this time you may loop back to allow more wait time... 2 days before closing by automation, but not assigning the incident to users.


    Something like this workflow design:



    Attached is an example of Threat Intelligence Playbook manipulation. Please do not use it "as is" in production, but study it in a dev/test environment.

    8) Analyze Automation for Threat Intel
    • File Name : config_ThreatIntelligence.res-export-20210706155117.res
    Purpose of this Playbook:
    • Automate the analysis of the results of IBM X-Force, Cisco Threat Grid & Virus Total Threat Intelligence
    • IBM X-Force will provide the most recent date an artifact has been seen, with the count, and the first Threat Family
    • Cisco Threat Grid will provide the Risk percentage and the count it has been seen
    • Virus Total will provide the most recent date an artifact has been seen, with the percentage of detection among the antivirus list
    • The element is colored red for High Risk, orange for Medium Risk, green for Low Risk, and milestones are added on the first Threat Intelligence hit
    • This Playbook is [SIM] if no integration
    Note: Threat Intelligence must be activated
    Automatic Activation:
    • Activate Threat Feed IBM X-Force, Cisco Threat Grid & Virus Total
    • Every time an Artifact gets a Threat Hit on Threat Intelligence, the automation analysis is updated
    Manual Activation:
    • None
    Layout Change:
    • Add a conditional Tab (artifact hit = True) to present the abstract of all Threat Intelligence:
    • IBM X-Force with Last Seen, Count & Threat Family
    • Cisco Threat Grid with Threat Score & Samples
    • Virus Total with Rating and Scan Reliability
    • Add conditional sections (value exists) on the summary to present the analysis field abstracts for Virus Total, Cisco and X-Force, when populated
    Options:
    • Enable Python version P2 or P3 rules depending on your Python options on SOAR. Default is Python version 2
    Extract res file command:  
    resilient-sdk extract --script "Threat Artifact P2 [Sim]" "Threat Artifact Hit Colored" "Threat Artifact P2" "Threat Artifact P3" --rule "Threat Artifact P2 [SIM]" "Threat Artifact Hit" "Threat Artifact P2" "Threat Artifact P3" --field "threat" "artifact_hit" "virus_total" "cisco" "xforce" "rating" "scan_reliability" "threat_score" "samples" "last_seen" "count" "threat_family" -n config_ThreatIntelligence.res --zip



    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------
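    The decision logic that post 1 asks for and post 4 describes (count threat-source hits per artifact, create a task if any artifact has a hit, resolve as "Not an issue" only once every artifact has had its enrichment wait window), written as an added, stand-alone Python example. It is not code from the thread or from the attached .res export. It works on the artifact JSON shape returned by the SOAR REST API's GET /incidents/{id}/artifacts (each artifact carries a "hits" list); the sample artifacts, the timestamp, the 600 s wait window, the task payload keys and the PATCH body for closing the incident are constructed or assumed for illustration and should be checked against your own instance before use.

```python
"""
Decide what a playbook or script should do with an incident based on its
artifacts' threat-source hits. Added example, not from the thread.

Assumptions (label these against your SOAR instance):
  - artifacts are dicts shaped like the REST API's ArtifactDTO, with a
    "hits" list (possibly absent or None) and a "created" epoch-ms field
  - WAIT_WINDOW_S mirrors the ~600 s scheduler delay suggested in post 4
  - task/incident payload keys in plan_actions are illustrative
"""
import time

WAIT_WINDOW_S = 600  # time allowed for threat-source enrichment to finish

# Constructed sample, NOT real data: one artifact with a hit, two without.
NOW_MS = 1_635_457_200_000
SAMPLE_ARTIFACTS = [
    {"id": 1, "type": "IP Address", "value": "203.0.113.7",
     "created": NOW_MS - 3_600_000,
     "hits": [{"properties": [{"name": "threat_score", "value": "85"}]}]},
    {"id": 2, "type": "DNS Name", "value": "example.net",
     "created": NOW_MS - 3_600_000, "hits": []},
    {"id": 3, "type": "Malware MD5 Hash",
     "value": "d41d8cd98f00b204e9800998ecf8427e",
     "created": NOW_MS - 3_600_000},          # "hits" key absent
]


def count_hits(artifact):
    """Number of threat-source hits on one artifact; tolerates a missing
    or null "hits" field, which is what an un-enriched artifact looks like."""
    return len(artifact.get("hits") or [])


def hit_summary(artifacts):
    """artifact value -> hit count: the per-artifact 'Artifact Hit' counter
    post 4 keeps in a custom field, computed here in one pass."""
    return {a["value"]: count_hits(a) for a in artifacts}


def decide(artifacts, now_ms=None):
    """
    Returns (decision, flagged_artifacts):
      ("task", [...])   at least one artifact has a threat-source hit
      ("wait", [])      no hits yet, but the newest artifact is still inside
                        the enrichment window, so do not close prematurely
      ("resolve", [])   no hits and every artifact has had its window
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    flagged = [a for a in artifacts if count_hits(a) > 0]
    if flagged:
        return "task", flagged
    # The newest artifact drives the wait: one added a moment ago may not
    # have been queried against any threat source yet.
    newest = max((a.get("created", 0) for a in artifacts), default=0)
    if now_ms - newest < WAIT_WINDOW_S * 1000:
        return "wait", []
    return "resolve", []


def plan_actions(incident_id, decision, flagged):
    """Translate a decision into the REST calls a script would issue as
    (method, uri, payload). Paths follow the SOAR REST API; payload field
    names are assumptions for illustration."""
    if decision == "task":
        values = ", ".join(a["value"] for a in flagged)
        return [("POST", "/incidents/%d/tasks" % incident_id,
                 {"name": "Review threat-source hits on artifacts",
                  "instructions": "Artifacts with hits: " + values})]
    if decision == "resolve":
        return [("PATCH", "/incidents/%d" % incident_id,
                 {"plan_status": "C", "resolution_summary": "Not an issue"})]
    return []  # "wait": let the scheduler re-run the check later


if __name__ == "__main__":
    decision, flagged = decide(SAMPLE_ARTIFACTS, NOW_MS)
    print(hit_summary(SAMPLE_ARTIFACTS))
    print(decision, [a["value"] for a in flagged])
    for call in plan_actions(42, decision, flagged):
        print(call)
```

    In a real run the artifact list would come from `client.get("/incidents/%d/artifacts" % incident_id)` on a `resilient` SimpleClient, or from the `incident`/`artifact` objects available to an in-product script; the "wait" branch is what the scheduler loop in post 4 exists for, so that an incident is never closed before its last artifact has been checked.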



  • 5.  RE: Iterating through an incident artifacts in a playbook

    Posted Thu November 04, 2021 10:24 AM
    Hi Benoit,
    Thank you so much for your answer. I learned a lot from it.

    Unfortunately, our SOAR installation is in the cloud, so I cannot run the resilient-sdk extract command.

    The example you sent me is built around scripts, rules and workflows. Will it be possible to make it work from a playbook, i.e. the playbook designer available since version 41?

    As for the VirusTotal threat source, we did not activate it because the cost of the license seemed a bit too expensive.


    ------------------------------
    Pierre Dufresne
    ------------------------------



  • 6.  RE: Iterating through an incident artifacts in a playbook

    Posted Thu November 04, 2021 11:52 AM

    Hi Pierre,

    1) You can install resilient-circuits on a local Linux (CentOS/RedHat) host and run all the extract commands from there against your cloud-based solution.

    2) It could be possible to use the new playbook design and run this playbook by automation on artifacts, yes. I did not build it there, as I am waiting for the export feature by playbook to become available.

    It is an example of how to do it, using VT, XF & Cisco, but of course the analysis script can be adjusted to any JSON hit result from any threat source!



    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------