Hello there,

Please find below our monthly newsletter that focuses on integrations, upcoming events, and other relevant information.

In this third edition, we have three product updates and several integrations to share with you that are available in the latest release (m37). Remember this week is Black Hat USA 2019 in Las Vegas!

  • Product Updates:
    • Case Management and Integration
    • Remote Agent
    • Multi-Node Deletion
  • Integrations (4 new, 4 enhancements):
    • Amazon AWS - Dedicated S3 Integration (New)
    • Crowdstrike Falcon Host (New)
    • Crowdstrike Falcon Sandbox (New)
    • IMAP (Enhancement)
    • LogicHub File Tools (Enhancement)
    • ODBC Database (New)
      • MySQL Server
      • MySQL
      • Oracle
      • Postgres
    • Qualys (Enhancement)
    • ServiceNow (Enhancement)
  • This Week
    • Black Hat USA 2019

We hope you find this useful! Questions? Please reach out to us at: questions@logichub.com


Case Management

With the new case management functionality, you can create and update cases for incident management, initiate remediation tasks as well as collaborate between analysts. The LogicHub automation framework itself can create cases and tasks automatically for critical incidents. Please see below for the actions you can utilize.

New Actions:

  1. Create Case
  2. List All Cases
  3. Get Case Details
  4. Delete Case
  5. Append Comment
  6. Append Task
  7. Get Tasks
  8. Search for Cases
  9. Update Task

With the Case Management integration, you can automatically Create/Read/Update/Delete Cases and Case details, you can also do the same with Tasks as well. The Cases and Case details act as a log event for each and every action LogicHub automates on your behalf. Tasks provide a visual cue that a manual step needs to be carried out before the procedure is complete and can be assigned to other members within LogicHub. The details of these cases are extremely flexible and fully customizable, giving you the ability to create customized case templates containing all the details and information you desire.


Remote Agent

If the LogicHub machine is behind a firewall and cannot access an external resource, but another machine (Windows or Linux) on the same network can, you can leverage our Remote Agent feature. It allows you to install a remote agent on the other machine to pair the remote machine with the LogicHub host, enabling proxy-like functionality for LogicHub’s Integration Actions.


Multi-Node Deletion

If you need to remove one or more branches from a flow, you can leverage the new Multi-Node Deletion feature (by using CTRL+click for Windows, COMMAND+click for Macs, or dragging around the nodes) to delete more than one node at once.


New Actions:

  1. Download a file
  2. Upload a file
  3. List files

With the AWS S3 integration, flows can pull and push files to/from S3 buckets and list the contents of an S3 bucket. For example, if you have a daily Excel report being generated in LogicHub and you need to store and archive the report for future reference.

You can use the S3 integration to solve this problem by having every report e-mailed out and pushed to S3 for archiving.


New Actions:

  1. Analyze file and wait
  2. Analyze file
  3. Submit URL and wait
  4. Submit URL
  5. Get Report
  6. URL quick scan

If you think an endpoint could be compromised, you can verify your suspicions with a tool like Crowdstrike Falcon Host. Our integration has actions to query an asset, pull CrowdStrike Detections, query process information on an asset, and query IOC details. These actions give you all the tools you need to determine if an asset is compromised and needs to be quarantined for further investigation or remediation.


Enhanced Actions:

  1. Search Devices by filter
  2. Get IOC Details

Falcon Host Sandbox accepts Files, URLs, and file hashes as an input. It sandboxes and analyzes the artifact for malicious behavior. Based on the heuristic information gathered by Falcon, it returns a reputation score along with a threat level, so you can gauge if an artifact is malicious or not, as well as the severity of the malicious behavior.


Enhanced Actions:

  1. Read Email (with ‘Mark as Unread’ feature)

You can use our IMAP integration to connect to an email account and read an email folder, this action is the fundamental building block for a Phishing flow. When we read an email we’ll extract information like the sender, receiver, headers, attachments, URLs, sent time, received time, plaintext body, html body, and many more details which can be incorporated into Phishing Triage steps.


Enhanced Actions:

  1. Load CSV into json (with loading only specific columns feature)
  2. Load CSV into json (with custom header for CSV files with no header)

There are numerous ways to download files into LogicHub (download from Google Drive, Dropbox, S3, email attachments). If you want to work with a file, for example, generate a SHA-256 file hash for a file, or parse a CSV file as JSON, or parse an MSG/EML as an e-mail, you can use our File Tools integration.


New Actions:

  1. Query database

The Microsoft SQL Server integration enables flows to arbitrarily execute a SQL string on a MS SQL Database. You can construct the SQL string (SELECTs, INSERTs, DELETEs, etc.) with the data within your flows and pass that data to the integration and we’ll execute the string for you.


New Actions:

  1. Query database

If you have a MySQL database, you can leverage our Query Database action to execute an arbitrary query string to Query, Insert, or Delete data from your Databases. This enables use cases like dynamically managing whitelists/blacklists in MySQL, generating a LogicHub audit trail within MySQL, pushing and deleting data to/from MySQL, and many more.


New Actions:

  1. Query database

The Oracle integration enables you to connect to your Oracle Databases and interact with it as if you were in the command line within LogicHub. Within a Flow you can generate an arbitrary Query string to be executed on the Oracle Database server to Access, Modify, and Delete data. You’ll be able to use the information in your databases as a source of data enrichment (whitelist/blacklist) or as an event source (log data) to be analyzed within a flow. The data being generated by flows can be pushed to Databases to be stored and kept as a separate source of truth.


New Actions:

  1. Query database

You can execute Postgres commands as if you were in PostgreSQL on the command line, you can create a query like ‘SELECT * FROM $TABLE;’ within LogicHub and pass that to the Postgres integration to execute the string on your behalf. You can Insert, Access, Modify, and Delete data bidirectionally with LogicHub.


New Actions:

  1. Fetch Scan Result
  2. Fetch Report by Name
  3. Fetch System Vulnerabilities

Assets need to be scanned on a regular basis for vulnerabilities and patched to protect infrastructure from being compromised. The Qualys integration allows you to launch a scan against an asset and retrieve a report containing a breakdown of the scan results. You can couple the Qualys integration (generate a list of CVEs on your endpoints) with other integrations like BigFix (push and deploy patches) and CVE Search (identify version fixes for CVEs) to perform automated vulnerability patching.


New Actions:

  1. Update Ticket

The ServiceNow integration enables your flows to automatically create, read, update, delete, and query cases. This means you can create a case template in LogicHub to automatically populate a case. Before a new case is created, you can query ServiceNow to see if a similar case has already been created in the past, to avoid creating duplicate cases


Events

Black Hat USA 2019

Come visit our booth (#865) at Black Hat USA 2019 this Wednesday and Thursday August 7th and 8th at the Mandalay Bay Resort and Casino in Las Vegas, Nevada. We will have demos of the latest features (hint, hint: Case Management), use cases, and of course T-shirts!

We have more exciting features coming next month, so look out for the September edition of our Customer Newsletter which we will send out the first week of September.

Regards,

Hamish Talbot
Director Customer Success
LogicHub, Inc.

Questions? Please email us at: questions@logichub.com
Technical Support: support@logichub.com