Inspiration
Working with multiple enterprises, we see a real lack of control in the SOC for many of them. We wanted to design something that empowers the SOC and gives it instant access to block malicious IOCs, and also lets it curate its own IOCs to be blocked by an automated job. TIM is an extension of SOAR, and Automatic Response (AR) is in turn a natural extension of TIM.
What it does
Vendor and product agnostic, this content pack blocks IOCs with ease. Within the Threat Response layout, each IOC (file, IP, URL, account, domain) can also be unblocked: while an investigation is ongoing, the SOC can tidy up its work by unblocking the IOC.
How we built it
With a lot of help from Bar in Engineering and Drew, our beloved SA.
Challenges we ran into
Normal paid work gets in the way a bit :) We would have liked to test on more products, but we could only get our hands on XDR, NGFW and Checkpoint FW.
Accomplishments that we're proud of
Working the last few weekends and as an international team!
What we learned
Working across different departments with different skill sets can enable innovation.
What's next for Int. League Of XSOARdinary Gentlemen
We really want to test out the Search and Destroy API in XDR when it comes out!
Built With
- checkpoint
- panw
- python
- xdr