
Publish XML Advisories from your Mailbox as CSAP Alerts

Abstract


Category: Cyware Product

Cyware Products Used:

  • Orchestrate (CO)

  • Cyware Situational Awareness Platform (CSAP)

Problem Statement

RSS-based XML advisories are one of the most useful ways to keep security teams and general users up to date on the threat landscape. RSS feeds deliver the latest security news articles written by experts, threat intelligence feeds, and expert opinions from third-party sources directly to your email inbox. This document goes a step further and shows how to share those RSS advisories with your CSAP members based on their role, location, and organization type.

Solution

The solution is to automatically onboard RSS-based XML advisories received in your mailbox and publish them as CSAP alerts to your members. Orchestrate playbooks parse the XML attachments received in the email inbox and onboard them into the CSAP Analyst Portal, where security teams can review them and share them with their members.

[Figure: Publish XML Advisories from your Mailbox as CSAP Alerts (workflow diagram)]

How do we solve this problem?

  1. Retrieve Latest XML Advisories: The playbook starts by polling the dedicated mailbox for the latest RSS feed emails that contain XML attachments. If a new advisory is found, the playbook extracts the attachment along with its advisory ID and passes both on for further processing.

  2. Convert XML Data to JSON: The playbook converts the advisory's XML data into a structured JSON format. The conversion is designed so that no critical information from the advisory is lost in the process.

  3. Create a CSAP Alert: The formatted JSON is sent to CSAP. CSAP creates a new alert from the JSON and saves it as a draft. Analysts can review and analyze the draft alert before publishing it to members of their community and organizations.

  4. Update CSAP Alert: If an RSS advisory is updated at the source, the playbook performs one of the following actions.

    1. If an alert for that advisory ID already exists in CSAP, the existing alert is updated with the new details and published to members.

    2. If there is no alert associated with the advisory ID, a new draft alert is created in CSAP and kept ready for analyst review.
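The following Python snippet is an added illustration of steps 2 and 4, not code from the Cyware playbook: it converts a constructed RSS advisory attachment into a JSON-ready structure keyed by advisory ID, refuses attachments that carry a DTD (mail attachments are untrusted input), and upserts the result into a dictionary that stands in for the CSAP alert store (existing alert: update and publish; unknown ID: new draft). The sample XML, the `guid`-as-advisory-ID convention, and the in-memory store are assumptions for the example.

```python
"""Added example: RSS/XML advisory -> JSON -> CSAP-style alert upsert (constructed data)."""
import json
import xml.etree.ElementTree as ET

# Constructed sample attachment; not a real feed or a real advisory.
SAMPLE_XML = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Vendor Advisories (sample)</title>
<item><guid>ADV-SAMPLE-0001</guid><title>Fix for example-lib</title>
<link>https://example.invalid/adv/1</link><pubDate>Mon, 01 Jan 2024 00:00:00 GMT</pubDate>
<description>Update example-lib to 2.0.</description></item>
</channel></rss>"""


def element_to_dict(elem):
    """Convert an element losslessly: attributes, text and every child are retained."""
    node = {}
    if elem.attrib:
        node["@attributes"] = dict(elem.attrib)
    text = (elem.text or "").strip()
    if text:
        node["#text"] = text
    for child in elem:
        node.setdefault(child.tag, []).append(element_to_dict(child))
    return node


def parse_advisory_xml(xml_text):
    """Return {advisory_id: item_dict} for every <item> with a <guid> (assumed to be the ID)."""
    # Defensive check: the attachment came from a mailbox, so reject inline DTDs outright
    # rather than letting entity declarations reach the parser (assumption: feeds never need one).
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("rejected XML containing a DOCTYPE/ENTITY declaration")
    root = ET.fromstring(xml_text)
    advisories = {}
    for item in root.iter("item"):
        guid = item.findtext("guid")
        if not guid:
            continue  # no advisory ID, so it cannot be correlated with an existing alert
        advisories[guid.strip()] = element_to_dict(item)
    return advisories


def upsert_alerts(store, advisories):
    """Step 4 logic: known ID -> update and publish; unknown ID -> create a draft for review."""
    for adv_id, body in advisories.items():
        if adv_id in store:
            store[adv_id].update(content=body, status="published")
        else:
            store[adv_id] = {"content": body, "status": "draft"}
    return store


if __name__ == "__main__":
    alerts = upsert_alerts({}, parse_advisory_xml(SAMPLE_XML))
    print(json.dumps(alerts, indent=2))
```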

Benefits

Improved Information Sharing

Aggregate, enrich, and share real-time security alerts with employees for enhanced situational awareness, action, and decision-making.

Benefit from RSS Sources

You can subscribe to RSS feed sources as required and allow security teams to orchestrate threat alerts from popular external sources into machine-readable security updates for your members.

Proactive Threat Defense

Receive custom threat intelligence feeds carrying vulnerability and malware advisories, and turn them into actionable alerts that give your members early warning of new malware and vulnerabilities.