Please find below our monthly newsletter that focuses on integrations, upcoming events, and other relevant information.
In this edition, we have several new integrations to share with you that are available in the latest software release (m35). As a bonus in this newsletter, you’ll find information pertaining to the use case for Phishing Triage Automation. We also have more information on the upcoming Black Hat USA 2019 show in Las Vegas.
New Integrations:
- Webroot BrightCloud
- Zscaler
- BigFix
- Cisco StealthWatch & Talos Intelligence
- SSH
- Perforce
Use Case Releases:
- Phishing Triage Automation
Upcoming Events:
- Black Hat USA 2019
We hope you find this useful! Questions? Please reach out to us at: firstname.lastname@example.org
Webroot BrightCloud
Once you’ve identified a potentially suspicious URL, file, or domain in your data, you’ll be able to submit those artifacts to Webroot BrightCloud for URL and file analysis. This returns a reputation score generated by Webroot’s own set of heuristics. Domains can also be submitted to retrieve WHOIS information, returning the registration and expiration dates of the domain, the registrant, and the e-mail addresses used to register it.
Zscaler
To help determine whether an IP address or URL is suspicious, you can submit it to Zscaler for categorization. Once an IP or URL is determined to be malicious, the Flow can add it to a blacklist, and it can later be removed from the blacklist if required. If a file is suspected to be malicious, you can generate the MD5 hash of the file within a Flow and query Zscaler for that hash to check whether a sandbox report already exists for it, then pull the report details.
BigFix
This initial BigFix integration will enable a Flow to query BigFix for specific asset details and remotely push a patch to update those specific assets.
These actions will enable use cases where you will be able to automatically execute vulnerability management scans (e.g. Qualys, Nessus, Nexpose) against assets and retrieve the scan reports indicating which assets are vulnerable to which CVEs. We can then perform a search on those CVEs to determine which version of the software is needed in order to mitigate the vulnerability. Once the correct version is identified, we can then leverage BigFix to perform targeted remediation by pushing the appropriate updates and patches to the known vulnerable assets.
Cisco StealthWatch & Talos Intelligence
Our integrations with Cisco will enable users to build Flows and Streams that automatically query StealthWatch for alerts and observations and update those alerts with the analysis results generated by LogicHub. The new actions also let Flows perform dynamic whitelist and blacklist management by automatically adding or removing IPs and domains. If an analyst notices suspicious activity on an asset, they will be able to query for the network sessions initiated and received by that specific asset. Should an analyst suspect that an IP address may be malicious, the IP can be submitted to Cisco Talos for an IP reputation lookup, which returns a reputation score.
SSH
LogicHub Querying Language (LQL) lets you dynamically generate strings containing SSH commands and pass them to the integration, which executes those commands on your behalf. This means you can use the integration to SSH from LogicHub to another machine and run a script on the remote machine, or embed the script itself within the SSH command string. In this way a script can be executed without first dropping a file on the machine.
Perforce
With our Perforce integration, you’ll be able to sync with your remote depot to pull the latest version of a file or code locally, read and edit the files (locally, without affecting the depot), and push files back to the remote depot. These new actions will enable use cases for managing whitelists and blacklists, while the Perforce change logs provide an external audit log of every entry that is added or removed. The use cases will differ greatly depending on the types of files stored in the depots.
Phishing Triage Automation Use Case
The triage of reported phishing emails is time-consuming work for Security Operations Center (SOC) and Incident Response (IR) teams. It is critical that security teams find a way to accelerate phishing triage, so they can spend less time investigating false positive phishing alerts and more time on valuable and strategic projects.
Have a look at this latest Use Case paper for more information.
Black Hat USA 2019
Come visit our booth (#865) at Black Hat USA 2019 on August 7th and 8th at the Mandalay Bay Resort and Casino in Las Vegas, Nevada. We will have demos of the latest features (hint, hint: Case Management), use cases, and of course T-shirts!
We have more exciting features coming next month, so look out for the August edition of our Customer Newsletter, which we will send out in the first week of August.
Director, Customer Success