Available Sponsor Integrations
AWS Security Hub gives you a comprehensive view of your high-priority security alerts and security posture across your AWS accounts. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from AWS Partner solutions. You can also take action on these security findings by investigating them in Amazon Detective or by using Amazon CloudWatch Event rules to send the findings to ticketing, chat, Security Information and Event Management (SIEM), Security Orchestration Automation and Response (SOAR), and incident management tools or to custom remediation playbooks.
Build a fully integrated response playbook for Cortex XSOAR using AWS Security services. Your minimum criteria are to use built-in AWS Security Hub and Amazon GuardDuty integrations. However, the winning benchmark will extend into other AWS services to build dynamic automated response triggers and processes. Think of services such as CloudTrail events and AWS Lambda that could supplement your playbook automated triggers. Your goal is to create a standard playbook that is closely aligned with the AWS Security Best Practices and incident response, as documented here.
Here are some basic everyday use case examples:
- Infrastructure Incidents where a production EC2 instance has been compromised. Create a response process that would not affect production availability but still isolate the relevant EC2 instance. Remember, the CISO of ACME also wants these events reported on.
- Data breach Incidents where PII (Personally Identifiable Information) of customers has been accessed because of a S3 bucket dump onto an unsecure bucket and potentially accessed by external parties. These are critical metrics to track for the CISO of ACME.
- Data Protection Incidents where you have been tasked by ACME’s CISO to monitor all newly created S3 buckets for policies that allow public read/write access and automatically remediate these events.
- Infrastructure Availability Stability incident response. Using AWS native tools (Not requiring Shield Advance) detect, respond and mitigate an Application Layer DDoS attack without impact to availability of your production website. As you are part of the industry information security community you have need to report on the source addresses and also give a detailed report on each attachment to the CISO of ACME.
- Potential DataBase compromise Incident due to administrative access being opened up to the public internet. Create automated detection and response to remediate these events. Also, ACME’s CISO wants these events included in monthly reports.
- Privilege escalation incident. Monitor and automatically respond against privilege escalation events such as Instance Based IAM roles being increased beyond the least privilege access it requires for its.
- Insider Threat Incident. An employee has been on administrative leave pending an investigation. You need to have an automated response to isolate any of their activity and generate a historical report about their activity to check for any potential unauthorized backdoor accounts that they could have created and automatically isolate them.
These are some basic examples that almost every AWS and Cortex XSOAR customer needs to address. Use your creativity and expertise to build out a set of response playbooks that would address these customer issues at scale.
- Consult your Cortex XSOAR Reference index to use some example playbooks and build your integrations.
- Cortex XSOAR AWS Marketplace listing
- Cortex XSOAR integration documentation for Amazon GuardDuty
- Cortex XSOAR integration documentation for AWS Security Hub
Google Chronicle is a petabyte scale security analytics platform for investigation and detection of modern threats. The Chronicle security analytics platform enables organizations to ingest all their security telemetry at a fixed, predictable cost into a private cloud container and retain it for a full year. Chronicle automatically and continuously enriches raw events with correlated information on users, assets and threats indicators. A web interface specifically designed for SOC analysts enables investigation and detection of threats with sub-second latency across all their security telemetry.
Challenge: Lightspeed Investigation and Remediation of APT Threats
A threat researcher at a major enterprise just read about an APT that has been targeting her vertical for the last year. Some of the IoCs and ATT&CK techniques used by the threat actor are now described in the research report. Normally, uncovering the assets that have even reached out to the IoCs months ago would be impossible, but fortunately the customer has Chronicle which gives them UI and API based instant access to a full year of all their security telemetry. They also have Cortex XSOAR to automate triage of incidents and its extensive 3rd party integration library to automate remediation. A purpose-built integration between Google Chronicle and Cortex XSOAR IR teams to combine the real-time threat detection and investigation capabilities of Google Chronicle with the SOAR features of Cortex. Specifically, Chronicle instances, APIs and search parameters are all accessible directly within Cortex XSOAR for full automation of playbooks.
The SOC team would like to build a playbook that quickly automates the hunt, investigation and remediation of assets compromised by this threat. Your job is to help build a playbook that does exactly that. Some things to think about accomplishing by leveraging Chronicle APIs in a Cortex playbook include:
- Hunt for any and all assets that have ever reached out to the known IoC (manygoodnews.com)
- Collect and attach evidence of related telemetry [10 mins of all network and endpoint data] around the time of first access by the first asset in the environment that ever reached out to the IoC in question
- Uncover any other alerts that occurred on the same asset in the preceding and following 30 mins after the initial outreach to the malicious domain
- Implement a firewall, endpoint or remediation strategy to restrict future access to that domain
To get started, please walk through our demo introduction here. At the end of the walkthrough, please complete the contact us form and we will send you the demo environment link and API key.
- Cortex XSOAR integration documentation for Chronicle
- Chronicle Integration with Cortex XSOAR video
- Chronicle and Cortex XSOAR joint solution brief
Sixgill, a premier featured launch partner of the new Cortex XSOAR Marketplace, proudly welcomes you to the Automation Rising 2020 SOAR Hackathon. Sixgill’s fully automated threat intelligence solutions help organizations fight cyber crime, detect phishing, data leaks, fraud and vulnerabilities as well as amplify incident response -- in real-time. Sixgill’s investigative portal empowers security teams with contextual and actionable alerts along with the ability to conduct real-time, covert investigations. Rich intelligence streams such as Darkfeed™ harness Sixgill’s unmatched intelligence collection capabilities and deliver real-time intel into organizations' existing security systems to help proactively block threats. Current customers include global 2000 enterprises, financial services, MSSPs, governments and law enforcement entities.
Sixgill Darkfeed is the most unique stream of malicious IOCs. It provides information on compromised domains that are on sale on the deep and dark web.
We want you to challenge your inner hacker and deliver innovation, by creating a killer playbook, orchestrating the unique types of data featured in Darkfeed, and to be integrated with Cortex XSOAR.
Darkfeed provides real-time information on domain names that are sold on the deep and dark web. Once a domain name is sold, it can be purchased by a threat actor and used for malicious purposes, immediately or even after several months.
Get Access to Sixgill API:
Your Challenge: Domains that are put up for sale on the deep and dark web.
- First, filter for domains for sale by searching for items with the field Sixgill Feed ID: “Darkfeed_003.”
- Then, build the ultimate playbook that automatically:
- Detects if the domain was indeed sold (via changes in its infrastructure--registration data, DNS, TLS certificates, etc.)
- Enriches the domain with external data and identifies if it was used for malicious purposes
- Detects other domains on the same new infrastructure, and sets endpoints to block them
Think outside the box, use different data sources and push the limits to automate the heck out of this playbook. The winning playbook will be the one that harnesses information, productivity, imagination and finesse to tackle this challenge head-on.
ONBOARDING: Easy 2-step onboarding instructions for Sixgill Darkfeed
Consuming Darkfeed in your Cortex XSOAR instance is an easy 2 step process:
Go to Cortex XSOAR Marketplace and find the Sixgill Darkfeed Content Pack and choose the “Current Customer” option. This validated integration will be your free trial during the hackathon period. Now, connect it to your Cortex instance, as you would any other integration.
- You will receive a welcome email from XSOAR firstname.lastname@example.org with all necessary details to onboard Darkfeed to your XSOAR instance
- Inside Demisto/XSOAR, go to settings > integrations > servers & services
- Under Sixgill, click add instance, and input the client ID and client secret you received in the Welcome email
- There may be a time delay for you to receive the Welcome email
- Sixgill is offering the free trial of Darkfeed for the hackathon and your security operations during the hackathon
- During the hackathon please contact Sixgill at XSOAR - email@example.com for any Darkfeed related support
- Joint Solution Brochure
- Sixgill Darkfeed - Content Pack Data Sheet
- Cortex XSOAR - Sixgill Darkfeed Video
- Darkfeed for Cortex XSOAR Use Case
RiskIQ PassiveTotal is the most comprehensive source of Internet intelligence in the security industry. Tap directly into petabytes of data with historic information dating back over a decade.
We want you to put your automation to the test and create a playbook that brings RiskIQ’s Internet intelligence context to every security product integrated within Cortex XSOAR. Have a SIEM with alerts? Add RiskIQ context. Using an EDR platform for internal monitoring? Add RiskIQ context. Stitching together multiple solutions to drive outcomes? Add RiskIQ context.
Context is key when performing analysis and RiskIQ PassiveTotal provides you with the ultimate repository to draw from. Be creative in your approach and good luck! Happy automating!
Get Access to PassiveTotal API
Register for an account at https://community.riskiq.com/
Your Challenge: Automate
- Identify a set of technologies––at least 3––that can work together to solve a security problem end-to-end. This could be services like email providers, proxies, firewalls, vulnerability scanners––any service that produces data and is used by a business in normal operations.
- Then, build a playbook that automatically:
- Extracts indicators from an event, artifact or other element.
- Enriches indicators using RiskIQ PassiveTotal data––at least 3 data sets.
- Automates decision making using enrichment as context.
- Performs a series of actions to defend the business.
- Sit back in amazement at what you’ve done.
RiskIQ PassiveTotal puts over 8 different data sets at your disposal. Your playbook should aim to use as many sources of context as possible, at least 3, so spread the love. The winning playbook will be the one that tells the most complete story, automating commonly observed technologies within an enterprise.
As an example, consider the following:
- Get stream of inbound emails
- Parse email for URL, attachment and other indicators
- Enrich indicators and identify if anything is suspicious or malicious
- Crawl the URL and identify any related content for enrichment
- Detonate the attachment in a sandbox and enrich results
- Leverage collective context to make a decision
- Block the URL in a firewall
- Generate an alert inside of a SIEM
- Task someone in the organization to investigate further
- In order to get full access to RiskIQ data sets, you must register with PassiveTotal using a corporate email address.
- RiskIQ PassiveTotal offers a freemium level of service and enterprise trials. If you run into limitations during the hackathon, reach out to us and we can extend your usage.
- Email firstname.lastname@example.org if you need any support during the hackathon.