Available Playbooks

The integration provides the following playbooks to help automate IOC investigation and response workflows:

This playbook automatically manages indicators in the allowed list based on their confidence scores. It removes high-confidence indicators from the allowed list and adds low-risk indicators when appropriate.

Supported IOC Types

  • IPv4

  • IPv6

  • Domain

  • URL

  • Email

Trigger

The playbook runs when the case contains the product name Cyware Intel Exchange. You can also trigger it manually during an investigation.

Actions in Use

The playbook uses the following actions to interact with the Cyware Intel Exchange platform and supporting integrations:

  • Get IOC Details: Retrieves indicator details from Cyware Intel Exchange, including attributes such as the IOC value, type, and confidence score.

  • Remove IOCs from Allowed List: Removes indicators from the allowed list in Cyware Intel Exchange when they are determined to be malicious or high-confidence threats.

  • Add IOCs to Allowed List: Adds indicators to the allowed list when they are determined to be low-risk or trusted.

Workflow

The playbook performs the following sequence of steps to process indicators and execute the required actions:

  1. The playbook collects entities from the case.

  2. It retrieves the IOC details from Cyware Intel Exchange.

  3. The playbook evaluates the confidence score of each indicator using the following conditions:

    • High Risk (confidence_score > 69): Indicators are removed from the allowed list.

    • Medium Risk (30 ≤ confidence_score ≤ 69): No action is taken.

  • Low Risk (confidence_score < 30): Indicators are added to the allowed list. A comment is added to the case with one of the following outcomes:

      • Added: The IOC was added to the allowed list on Cyware Intel Exchange.

      • Invalid: The IOC is not valid for the allowed list on Cyware Intel Exchange and was not added.

      • Already Exists: The IOC is already present in the allowed list on Cyware Intel Exchange.

This playbook checks whether indicators already exist in Cyware Intel Exchange and creates them if they are not present.

Supported IOC Types

  • IPv4

  • IPv6

  • Domain

  • URL

  • Email

Trigger

The playbook runs when a case contains the product name Cyware Intel Exchange. It can also be triggered manually from a case.

Actions in Use

The playbook uses the following actions to perform the required operations:

  • Get IOC Details: Checks whether the indicator already exists in Cyware Intel Exchange and retrieves its associated information.

  • Create Intel in Cyware Intel Exchange: Creates a new indicator in Cyware Intel Exchange when the IOC does not already exist.

Workflow

The playbook performs the following sequence of steps to execute the actions:

  1. The playbook retrieves all entities from the case.

  2. It checks whether each IOC exists in Cyware Intel Exchange.

  3. If the IOC does not exist, the playbook creates a new indicator.

  4. If the IOC already exists, the playbook adds a comment to the case indicating that the IOC is already present.

This playbook creates Jira tickets for indicators that require manual analysis and follow-up.

Trigger

The playbook runs when a case contains the product name Cyware Intel Exchange.

Actions in Use

The playbook uses the following actions to perform the required operations:

  • Get IOC Details: Retrieves detailed information about the indicator from Cyware Intel Exchange, including attributes such as confidence score and review flags.

  • Create Jira Issue: Creates a new issue in Jira containing the relevant indicator details to initiate further investigation.

Workflow

The playbook performs the following sequence of steps to execute the required actions:

  1. The playbook collects entities from the case.

  2. It retrieves IOC details from Cyware Intel Exchange.

  3. The playbook identifies indicators that meet the following conditions:

    • manual_review = true

    • confidence_score > 69

  4. For matching indicators, the playbook creates a Jira ticket containing the IOC ID and IOC value.

This playbook automatically classifies indicators by applying risk tags based on their confidence scores.

Trigger

The playbook runs when a case contains the product name Cyware Intel Exchange. You can also execute it manually from a case.

Actions in Use

The playbook uses the following actions to perform the required operations:

  • Get IOC Details: Retrieves indicator information and associated attributes from Cyware Intel Exchange.

  • Manage Tags in IOCs: Adds or updates tags on indicators in Cyware Intel Exchange to classify them based on their risk level.

Workflow

The playbook performs the following sequence of steps to execute the required actions:

  1. The playbook retrieves entities from the case.

  2. It obtains IOC details from Cyware Intel Exchange.

  3. The playbook evaluates the confidence score of each indicator.

  4. Based on the score, the playbook assigns the appropriate risk tag:

    Confidence Score Range    Tag
    1 - 29                    Low Risk - Google SecOps
    30 - 69                   Medium Risk - Google SecOps
    > 69                      High Risk - Google SecOps
    0                         No tag applied
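The three confidence-score decisions described above (allowed-list action, Jira condition, and risk tag) share the same thresholds but differ at the boundaries, notably a score of 0, which the allowed-list playbook treats as low risk while the tagging playbook applies no tag. The following is an added example, not code from the Cyware Intel Exchange integration, that encodes those rules so the boundary cases can be checked offline; the field names "type" and "value" are assumed, while "confidence_score" and "manual_review" are the attributes named on this page.

```python
# Added example: decision logic of the allowed-list, Jira and tagging playbooks.
# Assumed record shape: {"type", "value", "confidence_score", "manual_review"}.

SUPPORTED_TYPES = {"IPv4", "IPv6", "Domain", "URL", "Email"}  # from the page


def allowed_list_action(ioc: dict) -> str:
    """Allowed-list playbook: 'remove', 'none', 'add', or 'unsupported'."""
    # Assumption: types outside the supported list are skipped entirely.
    if ioc.get("type") not in SUPPORTED_TYPES:
        return "unsupported"
    score = ioc["confidence_score"]
    if score > 69:
        return "remove"  # high risk: a confident threat must not stay allowed
    if score >= 30:
        return "none"    # medium risk: 30..69 inclusive, left untouched
    return "add"         # low risk: below 30 (including 0) is added


def risk_tag(ioc: dict):
    """Tagging playbook: tag text, or None when the score is exactly 0."""
    score = ioc["confidence_score"]
    if score == 0:
        return None
    if score > 69:
        return "High Risk - Google SecOps"
    if score >= 30:
        return "Medium Risk - Google SecOps"
    return "Low Risk - Google SecOps"


def needs_jira_ticket(ioc: dict) -> bool:
    """Jira playbook: manual_review flag set AND confidence_score > 69."""
    return bool(ioc.get("manual_review")) and ioc["confidence_score"] > 69


def triage(iocs: list) -> list:
    """Apply all three decisions to a list of IOC detail records."""
    return [{"value": i["value"], "allowed_list": allowed_list_action(i),
             "tag": risk_tag(i), "jira": needs_jira_ticket(i)} for i in iocs]


# Constructed sample records (documentation-range values, not real indicators).
SAMPLE_IOCS = [
    {"type": "IPv4", "value": "192.0.2.10", "confidence_score": 85, "manual_review": True},
    {"type": "Domain", "value": "example.net", "confidence_score": 30, "manual_review": False},
    {"type": "Email", "value": "user@example.org", "confidence_score": 0, "manual_review": False},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_IOCS):
        print(row)
```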