Enrich IOCs from Ivanti ITSM Incident
Category: Data Enrichment and Threat Intelligence
Cyware Products Used:
Intel Exchange
Third-Party Integrations Used:
AbuseIPDB: To enrich malicious IPs
Hybrid Analysis: To enrich malicious Hashes
VirusTotal: To enrich malicious hashes and URLs
Problem Statement
Threat intelligence enrichment is critical to any incident or threat investigation process. The enrichment process helps remove false positives and deduce actionable intelligence for threat response and other security operations. Until now, the process has largely been manual with intel analysts sifting through several trusted sources and enriching indicators manually. The process is cumbersome, takes up a lot of time, and is impractical in the present security scenario where hundreds if not thousands of indicators are collected on a daily basis. However, Cyware’s automation solution can perform the enrichment process and high-level analysis within seconds.
Solution
With the threat intelligence enrichment solution provided by Cyware, the indicators from Ivanti ITSM tickets are automatically enriched with more details and context to improve incident investigation. The Enrich IOCs from the Ivanti ITSM Incident playbook automatically collects indicators such as IP, URL, and hash details and enriches them using external enrichment tools. The enrichment details are automatically added to the Ivanti ITSM incident as notes.
How do we solve this problem?
The Enrich IOCs from the Ivanti ITSM Incident playbook retrieves suspicious indicators from Ivanti ITSM incidents at a configurable interval, so that the indicators present in the incidents are enriched automatically. The playbook performs the following activities.
Retrieve Indicators: The playbook starts by retrieving the list of all incidents newly created on the Ivanti ITSM tool. Using the incident ID of the newly created incidents, the playbook retrieves additional details about the incident, including suspicious indicators from the ticket and attachment and sends them for enrichment.
Enrichment: The indicators are separated by type into IP, URL, and hash, and each type is sent for enrichment using tools such as AbuseIPDB, Hybrid Analysis, and VirusTotal. The results from each tool are formatted for the later steps.
Post to Intel Exchange: The enrichment results, along with the indicators, are published to Intel Exchange as a STIX package. This allows threat intel analysts to deploy the necessary actions to defend against the threat and to share the threat intel with peer organizations. The playbook also creates a new incident in Ivanti ITSM to record the publishing activity performed in Intel Exchange.
Update Enrichment Details: The playbook then adds the enrichment details to the corresponding incident as journal notes in Ivanti ITSM, so incident responders can view them directly during the investigation.
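The Enrichment step separates indicators by type and routes each type to a different tool. The following Python example, added here and not part of Cyware's playbook or its APIs, shows that separation on constructed incident text: it refangs pasted indicators, drops internal IPs that would only add noise, classifies hashes by digest length, and builds the per-tool work list; the type-to-source routing table is an assumption based on the integrations listed above.

```python
import ipaddress, re

# Constructed sample incident text (not from the page): documentation IPs, EICAR test-file
# hashes, and two indicators written defanged, as analysts often paste them into tickets.
SAMPLE_INCIDENT = """
User reported a phishing mail linking to hxxp://example[.]com/login.php.
Outbound connections seen to 198.51.100.23 and 10.0.0.5 (internal DC).
Attachment SHA256: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
Dropper MD5: 44d88612fea8a8f36de82e1278abb02f
"""

# Assumed type -> source routing, following the integrations the page lists.
ENRICHMENT_SOURCES = {"ip": ["AbuseIPDB"], "url": ["VirusTotal"],
                      "hash": ["Hybrid Analysis", "VirusTotal"]}
HASH_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,64}\b")

def is_internal(ip):
    """True for RFC 1918/loopback addresses (enriching them is noise) and malformed matches."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:  # e.g. 999.1.2.3 passes the loose regex but is not an address
        return True

def extract_indicators(text):
    """Refang, then separate the text into deduplicated IP, URL and hash indicators."""
    text = text.replace("[.]", ".").replace("hxxp", "http")
    found = {"ip": [], "url": [], "hash": []}
    for url in URL_RE.findall(text):
        found["url"].append(url.rstrip(".,;)"))  # strip sentence punctuation
    for ip in IP_RE.findall(text):
        if not is_internal(ip) and ip not in found["ip"]:
            found["ip"].append(ip)
    for digest in HEX_RE.findall(text):
        if len(digest) in HASH_ALGO:  # only MD5/SHA-1/SHA-256 lengths qualify
            found["hash"].append(digest.lower())
    return found

def build_worklist(indicators):
    """Pair every indicator with the sources that enrich its type; hashes carry the algorithm."""
    work = []
    for kind, values in indicators.items():
        for value in values:
            work.append({"type": kind, "value": value, "sources": ENRICHMENT_SOURCES[kind],
                         "algo": HASH_ALGO.get(len(value)) if kind == "hash" else None})
    return work
```

Running `build_worklist(extract_indicators(SAMPLE_INCIDENT))` yields one entry for the external IP, one for the URL and two for the hashes; the internal 10.0.0.5 address is not sent anywhere.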
Optional Configurations
Analysts can integrate a vulnerability management workflow with the Enrich IOCs from the Ivanti ITSM Incident playbook to process CVEs from the incidents and proactively identify vulnerabilities before attackers discover them.
Benefits
Automate Repeated Tasks
With the automated process of enriching indicators, analysts can save significant time that can be better spent on in-depth analysis and strategic action.
Actionable Threat Intelligence
With the automated enrichment and scoring of indicators based on contextual factors, the playbook provides actionable intel that security analysts can act on directly.
Faster Decision Making
After processing unstructured threat intel, the Intel Exchange rules engine enables security teams to take automated actions to respond to and prevent potential threats in the early stages of the cyber kill chain.